Niall Andrews, chief information officer of Parseq, explores why he believes 2016 will be the year a definitive answer is provided to the question frequently posed by businesses globally – where are the strongest data management credentials, Europe or Offshore?
Data security has always been a hot topic, but never more so than in recent years. The issue has been catapulted into the media spotlight and hit the headlines not through success, but because of high profile hacks, total security failures and protocol breaches.
It’s now clearer than ever before what the repercussions, from a financial and PR perspective, are of failing to protect data for businesses and their customers. Take for example TalkTalk’s security attack in October. It’s understood to have left thousands of customer details exposed and unencrypted and is expected to cost upwards of £35m to sort out.
But what hasn’t been clear until now is the best way to ensure data safety.
When it comes to business process outsourcing, organisations can find themselves facing what they believe is a difficult decision. Do they form partnerships with UK providers or with suppliers working offshore? Although the market here in the UK has developed to be more competitive, the lure of offshore cost efficiencies has proved tempting for many.
There was once a belief that the services provided in the UK could be found like-for-like offshore, but at a fraction of the price due to lower employment, operational and living costs. But there was, more often than not, a catch with a price tag attached.
The cost efficiency drum has been banged continuously by offshore providers ever since their emergence into the market. But, in my experience, cost savings made in the short term can be spent in the long term, because a number of different contracts are required to meet the regulatory requirements around safeguarding data.
In the UK there isn’t this issue, and 2016 will see even more steps taken to ensure Europe is the safest region in the world for data. Next year the General Data Protection Regulation (GDPR) will become law across EU member states and, in turn, will transform how businesses protect their valuable data assets.
The GDPR will extend the remit of the data that needs to be protected under a large umbrella rule to include ‘any data that could be used to identify someone’. All data collected must be gathered with explicit, rather than assumed, consent, and the right of data subjects to withdraw their consent needs to be explained as part of the data’s lifecycle. In the future it will not be possible simply to accumulate and hold data because there is no policy for disposing of it.
The regulation will also factor in the ruling by the European Court of Justice, made in May 2014, which granted the ‘right to be forgotten’. Although the GDPR will define this as more of a right to be erased, it will put in place rules to ensure requests for digital data removal are acted upon swiftly, giving data handlers just days to respond before financial penalties may be imposed. Although welcomed, this area of the regulation does raise a number of questions over enforcement, which it is believed will be answered when the GDPR comes into force next year.
Should a breach happen the GDPR will dictate that a full disclosure needs to happen within 72 hours, a ruling which is expected to be cut to 24 hours in the future. Failure to do so will result in a hefty fine of five per cent of global turnover or 1 million Euros – whichever is higher.
The GDPR will raise the bar for compliance, and the pay-off for multinational businesses in particular is that its introduction reduces 28 sets of different data protection laws to one single regulation, reducing compliance costs, complexity, risk and uncertainty over reporting. These are areas that, in my view, offshore services will not be able to compete with and, what’s more, are showing little sign of addressing.
And the benefits the GDPR offers also apply to firms based outside the EU that operate within its markets. By improving the rights of citizens to control their personal data, the hope is that it will make the EU a safe haven for personal data and directly influence data governance regimes in other parts of the world.
Although the regulation isn’t yet law, early adopters such as Parseq are already signalling that it is a real game changer in terms of data security. Take for example computing giant Microsoft. The US-based business is understood to be building data centres in Germany with a view to, once completed, ‘hand the keys over to a local data trustee’, as it aims to keep its German data safe and prevent it from leaving the country, even if requested by the US Government. It is part of the firm’s estimated £1.3 billion investment in localised data control, a move which has sparked interest in this level of regionalised management, despite technology being readily available that enables data to be managed anywhere in the world.
Microsoft’s approach helps provide a solution to the dilemma faced by many US companies when they are ordered to hand over data located overseas, particularly in the EU. If they don’t comply they will break US laws, and if they do, they will break EU laws. Because of this, it’s likely that many other American businesses will imitate this data safeguarding model.
And the US security issue raised by the now invalid Safe Harbor agreement can be felt in the UK too. The Financial Conduct Authority has warned the sector of the high risks associated with offshoring and highlighted the need for specific controls to be put in place.
Early adopters are also recruiting the compliance officers the GDPR requests for organisations of 250 or more employees. Failure to take these steps will again result in large fines.
New research has revealed that globally more than 85 per cent of corporations have been hacked.[i] Our data has never been so valuable, but it’s also never been so at risk.
The GDPR makes Europe’s approach the benchmark against which offshore providers will be measured and which, in my view, they will fall dangerously short of.
The phrase ‘knowledge is power’ is something hackers have thrived on, but it is also something businesses should be considering: by knowing more about regulation, safety and compliance they will be able to see, perhaps for the first time, just how effective their data safeguarding is, or where improvements need to be made.
Parseq has UK bases in Rotherham, Glasgow, Sunderland, Brighton and London. The firm acts on behalf of the top 10 international banks, a third of the UK’s utility sector, the charity sector and has a significant presence within the UK insurance sector.
[i] Global Business Outlook survey: June 2015