Late in March, the Irish hosting industry moved to raise awareness of the opportunity that could result there from the combination of the EU General Data Protection Regulation (GDPR), which comes into force in 2018, and the uncertain position of UK-based hosting providers, post-Brexit, the following year.
All organizations processing or holding private data on EU citizens will be subject to more demanding legislative provisions after the GDPR comes into force, in May 2018. The effects will be more keenly felt within IT supply chains than ever before, with hosting being an example where the practice of sub-contracting elements of IT service will have to be underpinned by multifaceted GDPR compliance to meet many customers' needs. The legislation has specific, and quite complex, stipulations on the transfer of data beyond EU borders, which will apply directly to UK hosting locations after Brexit (likely to be in March 2019).
Arrangements governing data transfers under the pre-GDPR legislation were disrupted in 2015 when the European Court of Justice ruled that the Safe Harbor agreement (which had until then allowed US businesses to transfer EU-related personal data with minimal regulatory burden) could be overridden by national data protection authorities (DPAs) in EU countries. The Privacy Shield deal, which was quickly struck to take the place of the defunct Safe Harbor, is seen as more burdensome and is subject to annual reviews – therefore, it could be seen as a potentially interim arrangement, at a time when the legislative context is changing rapidly and substantially.
As far as can be predicted, locations in the UK will need to coverage via similar legal provisions to Privacy Shield, in order to continue processing EU citizens' personal data without being out of compliance with the GDPR, post-Brexit. The time and resources needed to finalize such an agreement might be in short supply, and will be in contention with similar circumstances in many other industries, at a time of broader uncertainty and colossal change in the UK's legal system. Unfortunately, for organizations affected, this all coincides with troubled times around the UK government's Investigatory Powers legislation, which could bring the UK to be seen as an unsafe destination for personal data coming from the EU, and which may cause difficulties for attempts to negotiate an equivalent to Privacy Shield for UK-based operations.
Host in Ireland, the industry body behind the March campaign launch, has stated it will initially foster greater understanding of the demands of the GDPR but, once its approach to the GDPR is addressed (from the position of the country's continuing EU membership), the industry there can depict a predictable and stable future for hosting in the Republic. This position is only a short distance geographically, but perhaps an ocean apart in terms of market outlook, from the uncertainty facing hosting providers in the UK.
The EU's General Data Protection Regulation,TE0007-001037 (August 2016)
EU's General Data Protection Regulation (GDPR) to have Greater Impacts on Enterprises,IT0018-001525 (April 2017)
Data Privacy Legislation Impact on Enterprises,IT0018-001493 (April 2016)
The Outlook for Enterprise Cloud Services in 2017,TE0005-000893 (February 2017)
"Regulatory changes are among the many Brexit-related headaches to come," IT0018-001499 (June 2016)
Alan Rodger, Senior Analyst, Infrastructure Solutions
Europe, Middle East & Africa team - +44 (0) 207 017 7700
Asia-Pacific team - +61 (0)3 960 16700
US team - +1 646 957 8878
Already an Ovum client? Login to the Knowledge Center now