Should UK Businesses worry about where their data resides?

With the recent disclosure of data being collected by the US government via their PRISM systems and access to this data being given to the UK’s GCHQ, do UK citizens need to worry about where their data resides?

Firstly, what has surprised me the most is that it’s taken over five years for people to start really paying attention to some of the laws that have been put in place, not so much by our government (yet!) but more by others, such as the US government’s Section 702 of the FISA 2008, which gave the US government the legal right (under their laws anyway) to collect data on, and from, anyone who isn’t a US citizen. All the fuss from US citizens has centred on the fact that it’s highly likely they have collected data from US citizens, even though they aren’t supposed to, as it’s a breach of their Constitution.

That said, all that PRISM has really done is put a name to something that has been happening for many years. Secondly, what surprised me further was the outcry from US citizens, when actually it’s everyone else who should be kicking up a fuss! At least US citizens have some recourse and protection under their Constitution.

Whether the UK government has access to this data is, for me, also a moot point because the US government does. That means they are potentially looking at personal communications from us without cause and without legal redress, which in anyone’s book isn’t acceptable in a modern and what is supposed to be a free society. You will hear many people say that if you have nothing to hide then it shouldn’t matter and, to a point, that’s valid, but technology is advanced enough now not to need a general fishing trip technique to collect data on groups and individuals that are looking to cause harm and destruction. We should all worry about what this could lead to; George Orwell’s 1984 novel springs to mind!

With cloud now all but the de facto place for storing personal data, and rapidly becoming the same for businesses, is it time for individuals and businesses to start looking at data privacy as part of any normal due diligence process? And should jurisdictions that have the ability to offer more secure places, both technically and through tighter laws on data protection – places I like to call Data Safe Zones – be a serious consideration? These jurisdictions would offer to protect data from fishing trips by governments or organised crime whilst it’s resident in that zone.

Let’s be clear though, these zones won’t be a place to hide, as they will be highly regulated and well respected jurisdictions where personal privacy is upheld unless due cause is found; then access is given to the appropriate authorities. Data protection and privacy have become a big issue and, as we become ever more digitised as a society, the focus on them will grow even further.

Data Safe Zones are likely to be in some of the most regulated places in the world to do business, and will be popular with financial companies. They will now be extended to cover not only the financial information of a business but personal data of individuals as well.

Along with a great reputation, they will have strong data protection laws that are internationally recognised as being well thought-out and align to many other respected jurisdictions, for example, the EU’s data protection laws. But they are likely to be independent too and able to react quicker to change.

Why is this important? For any jurisdiction to establish itself as the location of choice for data-focused services requires a strong regulatory reputation backed by a strong regulator and a strong, but fair, legal framework. Data Safe Zones are already being sought after by corporations that want places to transact business in, knowing that their data and their clients’ data isn’t potentially being copied or breached.

Taking into account the above, and the fact that the true value of data is now being recognised as tangible, not just in terms of content but as intellectual property that has huge value, you can start to see why this isn’t just a moral issue but one of national and personal interest too.

Data is being collected from nearly everything these days: from what we buy online and in shops, how much fuel our cars use, what we like and don’t like, to medical conditions. Our lives are connected to so many things and are immersed in what I’ve been calling the “new digital age”. With all this data comes opportunity, from using that data to improve our lives medically to improving the efficiency of cars, through to targeted marketing so we only see what we are interested in. Data has the power to change so many things, but this power needs to be controlled and delivered in a properly regulated manner, and this is why Data Safe Zones will become so important.

The answer to my question “Should the UK worry about where their data resides?” is a resounding YES, people and businesses should worry. When you take into account both personal protection of data and the protection of business sensitive data there is, in my view, a place for well-regulated Data Safe Zones, and for those jurisdictions that have the foresight to embrace this concept, the potential of hundreds of millions of pounds per year in new income is something hard to ignore. The ability to extract value from data and the information held within data sets is rapidly making data a global currency, which needs protecting.

By Julian Box, Posted 15th September 2013.