May 2018 and March 2019 loom large in the calendar for rather different reasons. However, if you are involved in the collection, processing, storing and/or deleting of data (yes, it is permitted to delete data, even if everyone seems too scared to do so!), I suspect that both the introduction of the General Data Protection Regulation (GDPR) and the UK’s departure from the European Union are already the cause of many a sleepless night. While I can’t claim to have read all 200 pages or so of the GDPR, nor have any special knowledge as to the terms of the UK’s Brexit as it applies to the specifics of data logistics, I can say with some degree of certainty that, no matter what you might have read or heard, neither situation is quite as depressing as you might think or, I suspect, have been led to believe.
Indeed, I would go so far as to say that if, right now, you are dealing diligently with the data that your company generates, processes, stores, retrieves and archives and/or erases, there’s a fair chance that you’ll be complying with many, if not all, of the requirements of the GDPR. Unless I’ve been reading about the wrong piece of legislation (and there are times when I’ve dropped off reading through the endless EU website pages devoted to the GDPR), then much of the content details the requirements for creating a credible, comprehensive audit trail. Where/when/how was the data created? What can it be used for (ie what did the customer permit)? Who, if anyone, can it be shared with? To whom does it have to be disclosed (there are security-related exemptions, for example)? Where and how can the data be stored, and for how long? When and how can the data be destroyed?
Conversations with one or two legal contacts confirm that, for example, the commonly held myth about data not being allowed to leave a country or region, are simply not true. Yes, there must be an audit trail/justification as to why the data is going to be moved/stored somewhere else, but the movement of data across national boundaries is not forbidden by the GDPR.
Moving on to Brexit, as no one knows what will be the terms of the UK’s Brexit, speculating about what may or may not happen as a result, in terms of where companies will want/need to be based and where they want/are required to keep data, seems fairly pointless.
However, there’s no doubt that the twin ‘threats’ of GDPR and Brexit are causing a great deal of consternation amongst IT professionals and, especially, data centre owners, operators and users.
There’s the general assumption that folks will decide to use data centres in their own country – hence some of the big managed services providers are busy opening up data centres right across Europe. But how likely is this? Bear in mind that the true promise of Big Data and, to a lesser extent edge computing, means that large data sets need to be moved around. Imagine an international business that has to keep all of its different, national data sets in their countries of origin, and is unable to bring them all together for one big number crunching exercise…clearly, that’s not going to happen.
So, we have the myth of GDPR and Brexit and the reality. And the reality is that, with the right people and processes in place, not much is going to change when it comes to ‘freedom of data movement’.
However, there are two other factors to consider: public perception and individual industry governance requirements.
Taking the latter first, it’s more than possible that certain highly regulated industries will impose, or already do impose, data logistics requirements over and above those found in the GDPR. But, once again, the potential benefits of allowing freedom of movement of data – for example, coordinating pan-European data sets to do with medical research – far outweigh any attempts to restrict it.
No, in the climate of GDPR fear and Brexit scaremongering, the single biggest issue that needs to be understood by all those in the IT and data centre industry chain – from the owners and operators through to their customers – is the potential media frenzy that could surround any data breach where it is discovered that, say, important citizen data held by Government A was being stored in Country B when the data breach occurred. If Government A happened to be the UK, and Country B one of the EU’s most stalwart members, one can only imagine the headlines!
If you are an end user wrestling with the dilemmas posed by the GDPR and fearing what Brexit might bring, take some time out to read and understand the forthcoming legislation – so that you can understand the reality and not the propaganda being pushed out by various organisations with various ulterior motives. Consult with the legal profession to clarify any uncertainties. Above all, understand that any individual or organisation that tries to convince you that allowing your data out of country is the road to fines and prison, is being somewhat disingenuous.
Still not convinced? Well, right now, many organisations backup/mirror their data in a secondary data centre that is in a different country from their primary data centre. Do you seriously think that this practice is to be banned?!
By all means, consider where is the best place for your data to reside, and where best to have the backup(s) located. And do understand the implications of any data breach, including possible adverse publicity. Most important of all, find a colo/managed services partner who can work with you as you seek to understand and comply with the requirements of the GDPR, and who can provide you with the transparency required so that you are confident that their data centre(s) will not be the cause of any problems surrounding the legislation.
As for Brexit, well freedom of trade and freedom of movement of people between the UK and the EU might well be under threat, but it’s difficult to imagine freedom of movement of data across the English Channel being banned. I guess there’s going to be some data centre fall out if UK-based businesses decide that they must relocate some or all of their operations to mainland Europe, and, therefore, find a data centre near their new home. However, as mentioned in a previous blog, London’s status as one of the world’s megacities is not under any major threat, so data centre space in the capital and its surrounds will always be in demand.
Plus ca change, plus c’est la meme chose!