At the end of December 2020, the EU-UK Trade and Cooperation Agreement (TCA) was finally signed. It was a historic moment, with the House of Commons voting 521 to 73 to approve its passing. Whatever your Brexit principles, there was suddenly a need to check the small print; larger data-driven organisations are on the hunt for guidance regarding the EU-UK data flows that underpin their business.
The concept of sovereignty sits at the heart of this issue. While the UK has sought to reclaim its sovereignty through the Brexit process, institutions will find themselves dealing with another kind of sovereignty – data sovereignty.
Data sovereignty and why it’s important
Data sovereignty is the concept that digitally converted and stored information is subject to the laws of the country in which it is located. Data sovereignty is not to be confused with data residency: it specifies both the location of data AND that it is subject to the legal protections and punishments of the country in which it is being physically held. This sounds fair enough in theory, but it becomes difficult when a company manages data in a multitude of geographies and uses different storage solutions. Globalisation and the widespread adoption of cloud have blurred lines that traditionally constituted national borders.
Many countries have introduced regulations and stiff compliance requirements so data is kept within the country where the customer resides. Enforcement of these privacy protections is a source of increasing concern for organisations around the world. If you haven’t yet thought about how it affects IT infrastructure and data storage, then it’s time to do so. In short, companies need to be crystal clear on the following questions:
- What data do we have?
- Where is it?
- Where did it come from?
- Who is it going to?
- What are we doing with it?
- What legal cover do we have for all of this?
Any organisation without clear answers to all of these questions puts itself in the path of significant and repeated data compliance risks (and that could include substantial fines).
Where the UK stands in 2021 post-Brexit
The agreement reached at the end of last year provides an interim period of up to six months from 1 January 2021, where a "transmission" of personal data from the EU to the UK will not be considered as a transfer to a third country under EU law, as long as the UK does not change its domestic privacy legislation in that period.
During the temporary data bridge, the UK hopes that the European Commission will issue an adequacy decision in relation to the UK, thus allowing the free flow of personal data to continue beyond the six months. The Information Commissioner’s Office (ICO) welcomes an extension to this situation so that businesses and public bodies will be able to continue to share data freely, without having to make changes to their data protection practices.
However, this is not guaranteed and there are recommendations that, before and during the six-month period, UK businesses work with EU organisations that transfer personal data to them, to put in place alternative transfer mechanisms. These could be standard contractual clauses or binding corporate rules which act as a sensible precaution to safeguard against any potential interruptions to the free flow of personal data from the EU to the UK.
Some may be tempted to wait this period out and hope for the best. However, complacency is a risky approach - it could come back to bite later in the year, and it fails to use the precious data to create efficiencies and business intelligence. It’s a simple choice between building a competitive edge and paying potential fines for data mismanagement.
Global companies, local data.
The general idea behind today's data privacy laws is that companies need to collect the smallest amount of data they require about their customers, track where it is located, protect it, and be ready to delete it on demand. ‘Privacy by default’ as a design strategy, mandated by GDPR, is something all IT directors will be aware of and should be actively following.
A typical multi-cloud architecture usually consists of two or more public clouds and potentially additional private clouds. But a multi-cloud architecture can be particularly at risk of violating multiple nations’ data sovereignty regulations, and verifying that data exists only at allowed locations can be difficult. It therefore requires transparency from cloud providers as to where their servers are hosted and strict adherence to service level agreements (SLAs).
While a few details about EU-UK data transmission may be unclear, it is still possible to make plans to navigate both the infrastructure demands required to manage data, as well as the associated legal and regulatory requirements.
The elegant data solution
A Hybrid IT approach is a blend of cloud architecture and localised data centre solutions. It means unlocking the benefits of cloud flexibility, scalability, and cost, whilst using local data centres to comply with the separate, local legal requirements for each country and therefore manage concerns around data sovereignty. In effect, organisations can use data centre facilities to keep their local data secure, whilst also leveraging native cloud on-ramp services in that region to conduct data analysis and processing. Colocation data centre facilities in particular can also offer additional business benefits such as diversification, security and encryption solutions.
With Interxion: A Digital Realty Company, businesses are able to access all the major cloud platforms including Microsoft Azure, AWS, Google, Oracle & IBM, providing choice and flexibility when considering both data storage and high-performance compute needs.
For those looking to move or rearchitect their hybrid IT approach in light of new data management situations, we offer a range of integrated solutions with all the added benefits of working with a single supplier, both locally and globally.