kamasigns - Fotolia

Brexit: Cloud community mulls over implications for data protection regulation reform

TechUK fears Brexit could see the UK lose its power to influence cloud regulations, while others say it could free the market from having to toe the EU line so closely

Leaving the European Union (EU) may diminish the UK IT industry’s ability to influence how the global cloud market should be regulated, while potentially paving the way for local legislation that is more sympathetic to the plight of local providers.

Speaking at The Policy-UK Forum’s Developing the UK’s Cloud Sector event in London, Sue Daley, head of cloud, big data and mobile at TechUK, said Brexit will make it harder for the IT industry to have its say on what must be done to support the future growth of the cloud industry.

“The issue we have now is that the UK has less influence in the discussions that will affect the cloud computing market,” she said.

“We don’t know what that will mean, [but] we had a very positive voice in Europe on the importance of cloud and driving the market forward, and now we have potentially lost that voice.”

This “voice” previously enabled the UK to play an active role in discussions on how to regulate the cloud market in way that will support and encourage its growth, rather than stifle it, she said.

“Cloud computing is vital to the UK’s digital future. It is the foundation, the infrastructure and the capability [we will use] to power our smart cities, and ensure we can make the most of the big data analytics revolution,” she said.

“Cloud will continue to be vital, and maybe not having a voice will diminish our influence slightly, but it’s vital we continue to work with policy makers to highlight the importance of the cloud market to the UK and the world’s digital economy.”

Polling providers

Nicky Stewart, commercial director of public sector-focused cloud provider Skyscape Cloud Services, used her speaking slot to outline why regulators must ensure the needs of a wide range of providers and users are catered for when drawing up their guidance.

“We’re in a very dynamic industry where the technology is changing all the time. Five years ago, we were talking about IaaS, SaaS and PaaS, and now we’re talking about containers and datacentres under the sea,” she said.

“Things have changed very quickly, and this doesn’t fit easily into the regulatory environment or with global standards.”

She then went on to share examples of how unexpected regulatory changes – such as the government’s decision to replace the Impact-Level-based (IL) data classification system – can have costly repercussions for small to medium-sized enterprises (SMEs).

“The cost of compliance is very high. One of the things we did was secure IL-3 accreditation for our services to show our services were capable of processing restricted data,” she said.

“Two years later, the government changed their mind about security standards and accreditations, and that cost us millions to achieve that standard and that recognition.”

Read more about Brexit

While it may be easier for larger providers to accommodate such changes from a cost perspective, the time, money and effort involved for smaller providers could have a negative impact on their ability to grow and innovate.

“You have SME cloud providers all over Britain and Europe that are addressing many of the issues that are perceived to be there in the cloud,” said Stewart.

“Regulators must think very carefully about how they work so they don’t have the unintended consequence of stifling all the SMEs and clearing a path for the US giants to get round all this stuff.”

Along these lines, she also cautioned cloud providers against thinking that Brexit will mean they can choose to ignore what the EU has to say about how the market should be regulated.

“When we look at what’s coming out of Brussels, it is still going to be important for any cloud provider. We cannot afford to turn our backs on it or ignore it,” she added.

Brexit and GDPR

The prospect of Brexit has sparked a lot of debate about what bearing – if any – the EU’s revamped General Data Protection Regulations (GDPR) will have on the way UK cloud providers operate.

The overall aim of the GDPR – which is set for introduction in May 2018 – is to provide a single set of data protection rules for all 28 EU member states to follow when processing citizen’s personal data.

While the cloud community has been broadly supportive of its intentions, some parts of the proposed legislation have not proved so popular.

For instance, the GDPR will put providers on an equal footing with data controllers when it comes to assuming liability for data breaches and rule violations. It will also require cloud firms to rewrite their contracts to cater for the changes it will bring.

“There will be a requirement for anyone who is processing personal data to hire [data protection experts], and these are not going to be admin people – they are going to need to be legal experts,” said Stewart.

“As we look at our existing contracts, we don’t think we’re just going to be able to dust off some model clauses and drop them in, as there will need to be renegotiations. It’s going to be a big overhead for us and hugely costly.”

Opportunity for more sympathetic data legislation

The Information Commissioner’s Office (ICO) has already moved to confirm that any company – cloud or otherwise – that wishes to do business in the EU will need to have an equivalent piece of legislation in place, post-Brexit, to cover themselves.

This point was picked up on at the event by Sam De Silva, a partner at law firm Nabarro, who said this could present the UK with an opportunity to create a more sympathetic piece of data protection legislation that meets the EU’s adequacy threshold.

“Brexit is obviously a challenging time and could provide an opportunity for the UK to get data protection legislation that is practical, commercial and pragmatic,” he said.

“There are some areas [of GDPR] that don’t work and will be difficult to implement in practice, but we could revisit those to make them a bit more practical and commercial.

“The challenge will be to see if Brussels consider it to provide an adequate level of protection. That’s the key thing, because – if it doesn’t – it all falls apart,” he added.

Speaking to Computer Weekly, Andy Lawrence, vice-president of datacentre technologies and eco-efficient IT at market watcher 451 Research, said – once the UK gets the process of extricating itself from the EU underway – there may be an influx of legal experts on hand who can help with this.

“It is pretty clear the UK will take a position either identical to the EU on data protection or one that is slightly more business-friendly than the EU,” he said.

“We really don’t know what’s going to happen, but presumably there will be a lot of EU officials working in Brussels who will be repatriated to the UK who will perform a similar function, and the likelihood is they will replicate what they know.”

Read more on Infrastructure-as-a-Service (IaaS)