Understanding legislation: a step to protect your business data

When recently asked about data storage, IT decision makers ranked high privacy and security standards as some of the top priorities for the businesses they worked for*. However, while high data protection is clearly front-of-mind for many, there seems to be a clear knowledge gap in the industry when it comes to understanding and adhering to data legislation.

To delve into this issue deeper, the IONOS team commissioned a survey of 1,500 IT DMs across key locations in the EU – the United Kingdom, France and Germany – to gain insight into legislation awareness and knowledge, and to analyse similarities and differences across these markets.

Understanding the knowledge gap

Data compliance is an ongoing and essential focus for all businesses – affecting every level and department of a company, not just the IT division but through administration, customer services, legal and many more. But when it comes to responsibility, IT professionals are clearly under immense pressure to keep up with the constantly evolving data security landscape.

Over recent years, adhering to GDPR has taken dominance when it comes to data legislation, but positively, the research found that 92 per cent of UK, 92 per cent of French and 94 per cent of German respondents claim to now have a comprehensive understanding of the EU regulation. However, when we look across the pond to the key legislation in the US, we see a different story.

The US CLOUD Act has been a controversial topic since it was passed by US Congress in 2018, and even more so since the US and UK signed the CLOUD Act agreement almost six months ago. One key element of the legislation gives US law enforcement authorities the power to request data stored by most major cloud providers.

When it comes to the legislation, all three markets had a significant knowledge gap, with 44 per cent of UK respondents not having a comprehensive understanding. German decision makers were close behind with 41 per cent, and more positively, only one third of French professionals didn’t fully understand the legislation.

The research also showed that many decision makers weren’t actually aware that US cloud hosting providers may be required under the legislation to disclose customers’ data, whether stored inside or outside of the US, irrespective of GDPR rules (47 per cent in the UK, 34 per cent in Germany and 23 per cent in France).

The cause for concern here is that if there’s a lack of US CLOUD Act understanding, can businesses truly ensure their data is protected from unwanted access?

When it comes to the US CLOUD Act there’s a simple fact – choosing an EU supplier with EU datacentres is the safest option for EU businesses, as these cloud providers only have to adhere to GDPR.

Interestingly, the research actually highlighted a clear willingness from businesses to store data closer to home – perhaps explaining why IT professionals weren’t investing as much time to understand the US CLOUD Act. When asked about preferred storage location, the majority of respondents chose their own country, with the highest preference from Germans (88 per cent), followed by the UK (84 per cent) and France (79 per cent).

The research also found that the US is the country where respondents would least like to have their data stored, with German respondents the most wary of US storage (44 per cent choosing it as their least preferred), followed by France (28 per cent) and the UK (27 per cent). The key reason for this was that over half of those asked feel the country itself has low privacy standards (57 per cent).

In addition, despite ranking data privacy and security highly on the priority list, a surprising percentage of IT professionals are willing to store sensitive data in the cloud such as personal customer and employee data (54 per cent), payment information (53 per cent) and payroll and accounting data (51 per cent).

While the findings demonstrate trust in cloud services, it’s important that businesses fully understand which data is stored where, and are cautious when storing any business-critical information to ensure it is as protected as possible. To achieve this, it’s vital that businesses encrypt data where possible and set up security measures, like multi-factor authentication, to ensure the highest security standards possible and stay vigilant against cyberattacks.

Learning about legislation

Staying up-to-date with legislation doesn’t have to be as daunting as it first might sound. Before considering the impact of any data legislation, businesses should assess what they have stored and where. Conduct a thorough audit of what data is on file and how much of this is sensitive, for example personal employee data, other HR details and financial figures. 

Regulatory bodies, like the Information Commissioner’s Office (ICO), are a great point of reference for any IT professional, as they provide guidelines on what legislation could impact a business, share regular updates on newly introduced legislation and break down the regulation to a practical level. Signing up to newsletters is a quick and easy way to keep up-to-date, and they host webinars too.

It’s also helpful to make sure you have a dedicated individual or team within your business responsible for keeping on top of legislation changes and how they could be affecting your company. They could join local IT groups to gain insight from across the industry or simply just start with setting up Google alerts on key terms to keep on top of any significant changes.

Need for communication and collaboration

What’s clear from the findings is that there’s an inconsistency between businesses wanting to prioritise data privacy and security, and the actual reality of the situation. However, the research showed that legislation understanding improves over time, highlighted by the greater GDPR knowledge from all three countries surveyed.

As an industry, collaboration and communication are essential, and there’s a vital need for education around storage best-practice, and ongoing knowledge-sharing around how changing legislation could impact data storage for UK businesses.

With that in mind, it’s vital that businesses ensure data legislation and compliance are an ongoing topic of discussion, and that all employees are educated and aware of the consequences of not following the rules – including huge reputational damage and significant fines.

Sab Knight, head of UK sales, IONOS

Sab Knight is head of UK sales at IONOS.