The Danger with Data in a Changing European Landscape

The recent overhaul of EU data protection laws has highlighted the importance of companies getting a handle on their data.

You’d be forgiven for missing it, but in 2015 one of the most important laws in the UK celebrated its twentieth birthday—the UK Data Protection Act of 1995. In light of the huge advances in technology which have been made since then, the EU Council finally reached an agreement on a new set of data protection rules in March of this year which will enforce stronger data protection across Europe. This EU General Data Protection Regulation (GDPR) commences in early 2017, and promises to ‘put citizens back in control’ of their own details.

Moreover, it will stipulate that any business which manages data across numerous locations and devices will need to know where their data is stored. In addition, the scope of the EU Referendum is hanging heavy around the neck of British businesses, and could potentially result in them being obliged to store their customer data in the UK.

Given this upheaval and the topics of data sovereignty and portability (where UK business data will need to be stored and how easy it will be to move it), the principal concerns going forward should be the following.

How are UK businesses responding?

Right now, evidence indicates that they’re taking little if any action to prepare. In light of the impending changes, we commissioned an independent survey of 250 IT decision makers from across the public and private sector in order to explore the issue further. The research revealed that for the large part, organisations aren’t adequately prepared for the changing EU landscape and its potential impact: over 60% said they couldn’t say with confidence where their data is stored, and just 10% were prepared to move theirs to UK soil if needed.

Given that almost seven in ten businesses (69%) are concerned they may need to move critical information in accordance with regulatory, compliance or customer requirements, and more than a third have data which is currently stored outside the UK, these findings reveal a fairly lax approach to data sovereignty from UK businesses.

What’s more, it shows a clear lack of portability within their existing data policies, particularly given the ability to move data and applications with speed which is presented by the hybrid cloud today.

What does this mean financially?

The tangible lack of consideration for the potential impact of the changing landscape could have extensive financial repercussions for organisations in both the private and the public sector. According to our research, UK organisations estimate that it will cost them an average of £1.6m each to move their data so it is all hosted in the UK—and this is generally a conservative figure.

When you consider the cost of recruiting skilled staff to manage the transfer, the cost implications of breaking a cloud supplier lock-in, the repercussions of downtime and the temporary loss of productivity incurred, the process is clearly more costly than predicted. If businesses don’t have an iron-clad grip on their data moving forward, they are likely to face an uphill struggle in light of the revised Safe Harbour framework and the new, stricter European data landscape waiting around the corner.

What can UK organisations do to prepare for this shifting cloud landscape?

Clearly, knowing where your data resides is going to be incredibly important—especially that of customers, which is by and large the most important asset of modern organisations, yet has been subject to significant security threats in recent times. Visibility and control of its location is going to be vital going forward, and with that in mind, we suggest six steps to make sure you’re prepared for what lies ahead:

Establish where your data resides - It’s crucial that you know where your data is at all times. Remember, you are responsible for this—not your cloud provider—so demand transparency about the actual data centre from whichever provider you use.

Organise your data - By categorising according to its value to the organisation, you can group similar sets of data together—for example in terms of risk or what controls it should be subject to. In general, all data is critical, but some is more critical than others. For example, could you guarantee that a UK consumer’s credit card details are stored on UK soil?

Appoint a data protection officer - The latest updates to EU data protection law may require companies to appoint a data protection officer. Our view has always been that this is highly necessary, as it signals the importance the business places on its data by clearly tasking someone in the organisation with overall responsibility for it. It also marks you out to both compliance officers and potential customers as being a trustworthy organisation.

Be vigilant in the long term - Keeping on top of data is an ongoing exercise, so it’s advisable to run regular reviews of compliance requirements, which ensures the business has up-to-date snapshots at all times. This encourages those with responsibility for critical information to regularly check in on its location and status within the data centre.

Develop a contingency plan based on a worst-case scenario - By producing detailed plans and costs which can be consulted in the event of a negative scenario, businesses can be prepared for any eventuality. This is essential in industries such as retail and insurance, where the unavailability of data for any length of time—due to the need to scale it up from a different location, for example—can lose organisations huge amounts of money. For most, downtime simply isn’t an option.

Take a hybrid approach - A hybrid cloud environment lets a business take advantage of the cloud while knowing where its data is. This makes things easier to manage and allows it to enjoy the benefits of the public cloud alongside the heightened compliance and security available from the private cloud. Moreover, having a provider which hosts all your data on UK soil—or another location of your choice—means you are already prepared in the event of any changes in the future.

The critical value of data to any organisation in the 21st century, whether in the public or private sector, can’t be overstated. While no-one can predict with 100% conviction what’s in store in the years ahead, it’s vital that businesses are prepared and ready ahead of time, keeping them safe regardless of what the future may hold.