Andy Tait, Head of Public Sector Strategy, VMware
In today’s connected world we create, and now rely on, more data than ever before. It has become one of the currencies of the modern age and is fast becoming one of the most valuable assets for UK organisations. This couldn’t be truer than in the public sector, where the public’s personal information is collected and used to draw insights that inform healthcare, education, welfare, transport and other government departments.
Given that we are about to experience sizeable changes to data regulation, and that the UK is considering its position in Europe, there is going to be an onus on organisations to know exactly where all of their data is, should they need to move it. The General Data Protection Regulation (GDPR) will form a significant part of this change. Expected to come into force in 2017, it will enforce greater protection for personal data across Europe, giving individuals more control over their data and ensuring that the rules surrounding data protection are consistent across European countries. Moreover, the regulation will incorporate the ‘right to be forgotten’ for all individuals (unless their data is on a permanent record, such as passport details or criminal records), give them access to their own data, and grant them a right to ‘data portability’.
Clearly then, eyes will be on the way public sector organisations handle the changes, for two reasons. Firstly, because the data handled by government departments is often so sensitive, the public will want reassurance that it is handled compliantly; after all, they don’t want to see their personal information at risk of being leaked. Secondly, if the data isn’t held in a location that fully complies with all the new rules, any subsequent fines will come out of the taxpayer’s pocket. This is particularly relevant for local authorities on modest budgets, many of which have felt comfortable with providers who won’t guarantee that data stays inside the UK; if they don’t act now, they are going to face renewed financial pressure in the form of fines. All of this means the public sector needs to start thinking about the possible impact immediately.
So what is the current state of public sector data residency?
We recently questioned 29 IT decision makers within government and other public sector organisations to find out just how aware they are of the new legislation, and, worryingly, 40% of those in the public sector couldn’t say confidently where their data is stored. A large part of this is driven by outsourcing to systems integrators (SIs): many SIs take on an organisation’s IT without specifying where each application is hosted. This is something public sector clients should demand clarity on, as otherwise they cannot be certain whether their operations remain within UK borders.
Furthermore, only 3% of those surveyed in the public sector considered themselves fully prepared for what the changing EU landscape means for their data. Given that the GDPR will require organisations to be able to say where their data is stored at any given moment, it is critical that IT departments take the initiative to find out where all of their data resides, particularly since, according to our research, more than 15% of public sector data is outside the UK at any given time. After all, if they don’t know this, how can they know whether they need to move it? It could also reflect poorly on the government’s approach to data sovereignty, given that the general public is paying more attention to its own data footprint than ever before: a recent survey found that 72 percent of UK consumers are worried about the level of protection afforded to the personal information they share with brands and organisations online. Most believe that the government, as the ultimate authority in the UK, should consequently take the lead in providing the most robust and reliable data protection procedures available, and be completely transparent about where citizens’ data is stored.
What else does the changing landscape mean for UK public sector organisations?
In our survey, 97% of respondents agreed that the upcoming changes to EU regulation were relevant to their sector. This is largely attributable to their obligation to adhere to EU law and to the possibility of exposure in the press in the event of non-compliance, which could turn public opinion against them. Overall, the changes clearly carry huge implications for the public sector, most notably the potential obligation for public sector organisations to store all of their customer data in the UK. That customer data comprises not just official application data but also any shadow IT, whether a SaaS application hosted from an unknown location or a simple spreadsheet an employee holds in Office 365, so this would represent a huge transfer of data. The potential implications certainly register with the UK public sector: 73% of those surveyed are concerned that they will need to move their data to a different location or provider in the event of a UK departure from the EU. It is fair to assume, therefore, that many have data placed overseas, as this would contribute significantly to such a result.
This concern also extends to the financial implications of transferring data. At a time when many public sector organisations need to make significant budget cuts, they could face substantial costs to ensure their data is compliant and consistent with EU data regulations when new rules on location come into force. According to our research, the estimated cost to each public sector organisation of moving its data back to the UK was £1.4m, rising to £2m for those in government. This is a sizeable amount, which for the most part will have to be paid for by UK taxpayers, and it includes the cost of a full research programme to determine the location of all of their data, the development of an appropriate migration plan and the migration itself. It therefore makes sense to prepare for the changes now rather than waiting until 2017 to find out how much more they could cost.
Do organisations understand what they need to do?
We have found that there is a perceived lack of clarity as to how organisations, especially those in the public sector, should respond to the current regulatory changes on data. The uncertainty presented by changes to EU data and privacy laws has left a large percentage of IT departments unclear whether or not they are meeting their requirements around data. This is exacerbated by a lack of understanding of the regulations themselves: more than a third (34%) did not know which industry regulations or compliance standards their sector had to meet around data. This lack of understanding is possibly a side-effect of having to grapple with a vast array of governance, compliance and standards requirements, but it nonetheless shows that the public sector is not alone in being unclear about how to respond to this challenge.
Overall, whatever the new EU data regulation brings about, there will be at least some changes that need to be made, and getting them wrong will have the greatest consequences for the public sector, which not only should be leading the charge as a role model for other organisations to follow, but also risks leaving the public concerned and out of pocket if it doesn’t get it right.
About the research
The research was undertaken in September 2015, with 29 IT decision makers across public sector and government questioned as part of a wider survey of 250 IT decision makers within UK enterprises. It was conducted by Vanson Bourne.