The combination of the implementation of the General Data Protection Regulation (GDPR) next year and the UK’s decision to leave the European Union has created a unique and complex environment for cloud companies. Foretelling the exact outcome of the negotiations and determining what regulations will eventually prevail requires a crystal ball that none of us has. This is a significant challenge for an industry which is growing exponentially and is characterised by fast-paced deployment and the seizing of market opportunities. Here is my assessment of the current state of play and the likely effects on cloud companies as both Brexit and the GDPR loom closer.
Signposts begin to appear
There are still a lot of unknowns, but the introduction of the UK Data Protection Bill in September is beginning to offer organisations some idea of where the UK might deviate from the terms of the GDPR. It is encouraging that the UK’s Information Commissioner recommended that the Data Protection Bill be read in conjunction with the GDPR to give a full insight into the framework that will exist, at least initially. The Commissioner also stated that she hopes the introduction of the bill “will send an important signal about the UK’s commitment to a high standard of data protection post-Brexit. This in turn will play a role in ensuring uninterrupted data flows between the UK and the EU.” This could be seen to indicate that the UK is going to aim for an adequacy agreement with the EU Commission, meaning that the provisions in place in the UK for data protection will be sufficiently comparable to those of the GDPR to ensure that data can flow uninterrupted between the UK and the EU. This would be the preferable situation. A UK framework that does not meet the standards of the GDPR would cause serious challenges for companies doing business in both regions.
Data has no borders
The GDPR impacts everyone who wishes to offer goods and services to EU citizens. The inability to trade with EU citizens would be a catastrophic blow for UK businesses. Currently, the level of EU vs Non-EU trade with the UK is at parity, so loss of ability to trade with the EU is obviously something to be avoided. Therefore, compliance with GDPR is a must for cloud providers in order to protect their customers; it doesn’t matter whether the UK is in the EU or not – data has no borders. The difficulty lies in the uncertainty hanging over the approach that the UK will take to its data protection regime. Any requirements adopted by the UK that stipulate augmentation above the provisions of the GDPR will not increase the risk of non-compliance with the GDPR, although they increase complexity. However, any exceptions to the GDPR granted by the UK work conversely; they may reduce complexity for operations in the UK but they do increase the risk to cloud companies. Organisations operating only under the Data Protection Bill rather than the GDPR guidelines may risk falling foul of the EU Directive. Companies need to ensure that their cloud provider is conforming to the highest data protection standard (in the initial case, the GDPR) and also incorporating any regional variations without compromising that higher regulation. If the two approaches to data privacy should drift to the point where they are incompatible, then cloud providers will need to ensure that they have an operation in the EU that can comply with the GDPR.
Establishing a geographical presence in the EU
The uncertainty surrounding GDPR and Brexit has already prompted those companies that have the resources to future-proof their operations by setting up locations in EU territories. This strategy goes beyond simply what a cloud provider thinks is in its best interests, however. It’s a matter of remaining competitive in the new environment. Customers, as the data Controllers, will drive the cloud industry, as data Processors, to adopt GDPR-compatible levels of safeguards. If incompatibilities exist due to differing standards between the UK and the EU, UK cloud providers risk losing customers to EU-based competitors that can conform to Controller requirements.
Market disruption is unavoidable
An industry as dynamic as the cloud sector naturally undergoes rationalisation from time to time in response to changing markets and, as in this case, regulatory environments. I believe that smaller, regionally based cloud providers that are not able to keep up will begin to exit the market after May 2018. The regulatory overhead and staffing issues will force a pruning within the industry, both from within and outside of the EU. Large organisations and those cloud providers, like iland, that are well-prepared will fare well regardless, as they have the resources to ensure that they can deliver compliance and geographic data sovereignty, whatever the regulatory environment throws at them. They can cherry-pick the best talent from a pool which is currently quite limited, and in this way may squeeze smaller players out of the market.
Here at iland, we will be keeping a very close eye on pronouncements coming from the UK government, the UK Information Commissioner and the EU Commission in an attempt to counter some of the uncertainty and make good business decisions. There’s no doubt that GDPR and Brexit together will be a major disruptor of what the landscape looks like today – and careful preparation is key to ensuring uninterrupted service and protecting customers’ data after May 2018.
Written by Frank Krieger, Vice-President, Governance, Risk and Compliance, iland
Image Credit: RikoBest / Shutterstock