If the UK and the EU fail to secure a Brexit deal, GDPR rules mean businesses could face loss of access to their data stored in cloud facilities hosted by EEA countries. With other jurisdictions tightening their rules too, one data expert explores the options.
Brexit has caused so much uncertainty over the last three years but one thing’s for sure, says Henry Umney of ClusterSeven, “businesses are going to have to become even more nimble once we loosen the apron strings or cast them off forever”.
Umney cites Grant Kirkwood, writing in SC Magazine, who has said that “without an agreement in place, a no-deal exit will make the UK a ‘third country’ no longer falling under GDPR jurisdiction. This could potentially leave citizens and businesses without access to data stored on cloud servers hosted by the European Economic Area (EEA).”
If that happens, says Umney, businesses may have to rely on locally supported systems with data stored in spreadsheets and other end-user systems on local servers. “These will need to be tested thoroughly to ensure their integrity well before they become mission critical.”
With Gartner indicating a global trend towards data privacy legislation, SC’s Kirkwood suggests Brexit and GDPR “probably won’t be the only instances when businesses will face a tight schedule to comply with new data storage expectations”.
Data privacy, post-Brexit
“While we don’t expect the government to rip up the EU GDPR, there’s a good chance it may wish to add a British flavour to it,” argues Umney. If SC’s Kirkwood is correct in his interpretation, the expectation would be that the UK government will present businesses with tough new data storage controls.
“Doubtless, they will also want to peer behind the veil to verify our data quality management systems: which fields have we flagged as confidential, for example, and how confident we are that unauthorised personnel could not change the settings.”
If a UK business is suddenly forced to jump ship from an EEA-based cloud to its own solution, it may have to join a long queue for advice on how best to deal with this challenge. “It may be time to take expert advice now on how to simplify our systems,” suggests Umney.
Lack of preparation
Despite the pressing need for action, Harvard Business Review’s observation is that too few businesses are prepared for Brexit, no matter what happens next. Its concern is that if the UK becomes a third-party entity, too few have the business processes in place to enable trade with the European Union.
A concern for many is the as-yet unanswered question of how goods can be fast-tracked through potentially overcrowded customs posts before customers lose patience and migrate elsewhere. This situation will be exacerbated if business systems and data stored on EEA-based clouds are no longer available.
With current Brexit uncertainty, the global trend towards stricter data protection legislation, and the potential for outages caused by climate-related incidents or even human error (the Amazon Web Services 2017 outage was reported by the Wall Street Journal as a programming typo at a data centre that cost S&P 500 companies $150m), having a ‘Plan B’ is essential, says Umney.
It is essential that companies find out now from their current provider what would happen if they lost access, and whether they could still retrieve their data if the worst happened. “Proprietary software may mean they get the information back in spreadsheet form,” he notes. “If this happens, you can’t simply upload the data in that format to another cloud. It may also take up to 12 hours to get your hands on what’s available if the site is busy and you are in a queue.”
“If companies do have to fall back onto using spreadsheets for a while to retrieve and manage their data,” comments Umney, “they will certainly have to review permissions if they can no longer rely on a cloud to gatekeep them.”
A robust spreadsheet policy is essential in order to protect the data that underlies business processes, warns Umney. “If businesses fail to control this information properly, they risk undetected errors, mistakes and omissions creeping in that can directly affect revenue.”
To help avoid this, he says it is essential to:
Understand how spreadsheets work and how to mitigate errors creeping in.
Maintain a company-wide register under the control of an accountable person.
Know when the data changes to meet compliance and audit standards.
Umney argues that the top process management priority for 2019/2020 should perhaps be “assuring our data against sundry disasters”.