Organisations around the world face a minefield of data rules and regulations, which are becoming more complex. The upcoming EU General Data Protection Regulation (GDPR – set for 2018) in the UK, means that any business managing data across locations and devices, will need to know where that data is stored at all times. At the same time, there is uncertainty around what the potential UK exit from the EU will have on data rules and regulations.
In September 2015, VMware UK led market research across 250 IT decision makers (ITDMs) to see how prepared they are for these market changes. The report, which you can see here, highlights some of the issues that UK organisations are facing in light of the changing data landscape; more than a third (34%) of UK business data is stored outside the UK; 63% or ITDMs said they couldn’t say with confidence where their data is stored; and only 10% were ready to move theirs to UK soil if needed.
With this in mind, Roy Illsley, Principal Analyst, Infrastructure Solutions at analyst house Ovum, reviews the current data landscape for UK organisations and how the IT market is adapting to these changing regulations:
The role and purpose of IT in an organisation is changing, driven by the need for businesses to become more agile yet have greater control over costs. This transformation of IT involves many different aspects, which are not all technology related. However, the one thing they all have in common is changing the way IT operates to meet the current and future demands of business.
Do we know how to manage our data assets?
The emergence of software-defined technologies, mobile, containers, cloud, and application and desktop virtualization has created a new challenge for IT departments. The issues of management are greater when data center managers become responsible for the entire delivery of services from desktops to mainframes across geographic and organisational boundaries. Traditionally these teams have been separate and not just because the devices were not co-located, but also because the skills, working practices, and technologies employed are operated at different levels of management maturity and come under different levels of end-user scrutiny and pressure. The software-defined movement is challenging this division of roles and responsibilities, and creating the conditions where IT transformation can be started. One of the biggest areas that is being transformed is the responsibility for the corporate data and specifically ensuring compliance to the many different rules and regulations.
Ovum considers that one of the main roles of IT management is to mitigate the risks involved with using new technologies, while protecting the corporate assets. We believe this responsibility extends now beyond just the confines of the data center and covers a supply chain that involves cloud, co-location, SaaS, and outsourcing that can be located anywhere in the world. While management alone cannot solve the problem that new technologies introduce, we believe that by addressing the concerns of the entire IT infrastructure, and treating it as a single entity, organisations can reduce the incompatibility issues to which new technologies are susceptible.
However, it is the challenges with data protection, and where the data is located that is now becoming more significant, although these aspects of data sovereignty are nothing new. In fact over the years businesses have had to adhere to many different rules on data, and it was only in the computing era that it became possible to easily store this data anywhere in the world in a digital format. Therefore, making the EU rules tighter, and the possible impact of an UK exit from the EU on UK regulations, will drive organisations to seek on-shore repositories for the data identified under any new regulations. This will have two main impacts.
Firstly, do organisations know what data they have and where it is currently stored, including backup and Disaster Recovery? More importantly though; is this data categorised so that it can easily be identified in terms of which data assets need to be stored on-shore, and those that falls outside the regulatory control.
Secondly, do the facilities exist within country to support all this data, or will this create a short term market that will see prices increase due to a lack of availability. More significantly will these regulation changes generate new growth in the co-location and hosting businesses within country?
The cynic may consider these regulation changes have nothing to do with security. Encrypting all data is probably as secure as storing locally, as long as only the owner of the data has the key. Ovum believes that data protection regulation is more to do with countries using rules as a way to generate growth in the IT sector within its own country.
The take-away from all this regulatory change is that CIOs must have a better understanding of what data they have, what data is covered under what regulation, and what the regulations stipulate for this data. Those cloud vendors that built giant regional hubs to attract business are discovering that data protection regulations are making the cloud market more fragmented so that customers will use these hubs for some services, but need more local cloud offerings to meet other regulatory demands. The question remains; will regulation always consider location as a primary factor in terms of security, or will we see other factors as more important? Experiences with trying to regulate new approaches like Bitcoin seem to indicate that this location-based approach will not change soon.
For the cloud vendors this change to be more localised in terms of data sovereignty will support those that have used a platform approach which enables third-parties to build local cloud services within region. However, it will require a new approach for those vendors that built a few large regional data centers globally hoping to pull in regional customers. Ovum believes that many customers will need a services-led approach to solving this problem, identifying data and moving it to be compliant, and then performing ongoing audits.
View our whitepaper for a six point plan on coping with data uncertainty in a changing European landscape.