Firms overlook commercial and legislative risks to datacentres

As datacentres become an integral part of a business, serious commercial and legislative risks are being ignored

Datacentre facilities are built by technologists who consider risks of technical failure. But as datacentres become an integral part of a business, massive potential risks at the commercial and legislative levels are being ignored, according to datacentre research provider DCD Intelligence.

Risk of hefty tax bills

One commercial risk is the failure to consider the location of a datacentre from a tax perspective. This can land the owner and users of that datacentre with tax bills 20% to 40% higher than the business had expected, said Joe Bollard, Ernst & Young’s partner, international tax services, at a DCD Intelligence seminar in London.

“Companies can even find themselves subject to double or triple taxation, levied by multiple countries, through failing to perform due diligence on the tax implications of a datacentre’s location,” he said.

This is because governments are fearful that they are losing tax revenues as business and e-commerce is processed and transacted in datacentres which might be in a different part of the world from the customer and the supplier.

“As a result, the governments are scrabbling to grab their share of tax on these billions of online business operations,” said Bollard.

“Datacentres now operate just about everything we do – running our businesses, online shopping and email, Facebook and Twitter, banking and airline bookings,” said Nicola Hayes, managing director of DCD Intelligence.

Datacentres are a key enabler of every business and companies need to do the same due diligence they would when building a new factory

Nicola Hayes, DCD Intelligence

But the risk factors are often not considered until after a datacentre has been built in a sub-optimal country, with very serious adverse implications, she said.

A business could find itself at a significant competitive disadvantage if it only finds out that it has let itself in for these levels of taxation after building and opening a multi-million pound new datacentre, the experts warned.

“My message to all CIOs is to work with your CFO or tax advisor at the earliest datacentre planning stage to make sure that you don’t fall into this potential minefield,” said Bollard.

Navigating complex privacy laws

A second major datacentre risk the experts identified was falling foul of data privacy legislation because of the complexity in laws that apply to the storage and transfer of private data in different jurisdictions.

“In some jurisdictions, private data can be anything as simple as the information on a business card,” said Ruth Boardman, partner for international privacy and data protection at Bird and Bird. “In fact, anything where the information can be directly or indirectly linked to an individual is considered private, so it can cover the majority of data.”

If a company fails to do due diligence on data privacy legislation in the countries in which it is considering building its new datacentre, it may find that it is illegal to transfer personal data to that datacentre or indeed back from the datacentre to the head office, because that foreign government does not permit it, she said.

Boardman explained that most countries have, or are implementing, data privacy legislation, but the details differ significantly from country to country, and even between states within countries. 

“This can often lead to the laws of the business's operating country and the datacentre country being mutually exclusive,” she said.

Boardman cited an example where EU law demands protection for personal data, yet should the datacentre be operated by an organisation with a US presence, legislation linked to the US Patriot Act can allow US agencies access to data – including data not kept in the US. It may be impossible for a company to comply with both laws, she said.

More on international privacy laws

“The penalties in some countries are draconian,” said Boardman. “In some cases, individuals rather than corporations can be held liable.” To demonstrate this, she recalled the case, in 2011, of three Google executives who were personally prosecuted and convicted for a corporate breach of Italy’s data privacy laws. “The convictions were overturned on appeal, but it highlights the risks involved.”

No longer can the planning of datacentre strategy be left to the technologists. Today’s CIO and the board must be fully involved in datacentre planning, experts advised.

“Datacentres are no longer just big lumps of technology; they are a key enabler of every business, and companies need to do the same due diligence they would when considering building a new factory to mitigate risks. Failure to do so can expose the entire business to massive tax bills or criminal prosecutions,” warned Hayes.

Image: Thinkstock

Read more on Datacentre disaster recovery and security