Sign up for our newsletter
Technology / Cloud

Techxit Brexit – People, investment, regulation, data sovereignty, location, privacy, cybersecurity – how the UK tech sector must adjust to living at the edge of the network

The outpouring of comment from the UK tech sector is interesting in its own right. Within the views expressed there is some barely disguised anger. There is a good deal of annoyance. There is some calmness. There is uncertainty.

As the UK tech sector was overwhelmingly in favour of Remain, opinions shared privately after the initial shock were mostly of the ‘the crops will fail, the children will starve and a great darkness will befall us all’ variety.

The first reactions from the large tech and telecom companies and industry bodies contacted by CBR on the day of the result were considered and calm as one would expect from a mature sector (See Accenture’s comment below as a example).

However none could be said to be embracing the referendum result and the tone was generally one of accepting the challenge.

White papers from our partners

Accenture said: "It is very difficult for any of us to know the detail of what happens next given today’s decision but we are confident that we will be able to navigate all scenarios. We are closely monitoring next steps and will adapt accordingly when things are clearer but in the meantime our focus will be on helping our clients plan and adjust for the changes that are about to happen."

The full list of initial reactions is available here.

Now CBR has spread the net a bit wider and gathered comment from the SME, start-up, legal and investment community, the ISV sector and the tech market watchers.

We’ve selected the comments below which we think reflect the general mood.

And again the general mood in the wider tech sector supply side is rational, uncomplaining and accepting of the challenge.

Firstly what can we know so far from the fallout

Within Government along with all of the political troubles within both main parties a key interest was around the UK Digital Economy Bill.

The official comment from the Department of Culture, Media and Sport, the department headed by Ed Vaizey, MP, Minister for the Digital Economy is that there is no change to the date for publication which hadn’t been finalised before the poll and it remains that as yet no date had been set. However one unconfirmed report quoted sources saying the date for publication has been pushed back and the contents of the paper itself will need to be changed. (See comment from Kable Analysis below)

The turmoil in the financial markets has been in line with what was expected. The UK AIM market, the destination for the majority of UK tech start-ups and ambitious scale ups was a sea of red on Friday June 24th and while it has stabilised it has yet to recover.

This sell off and capital flight has pushed share prices down. There are reports that IPOs have been delayed or postponed. The market could be at risk of a double impact as capital which was expected to flow onto AIM is redirected. Some reports of VC and private money slowdowns are causing uncertainty on and around Silicon Roundabout and in other tech centres around the country such as Cambridge, Manchester and Glasgow.

The FTSE250 has yet to recover to pre poll levels.

As ever in a crisis which results in plummeting value of the pound, we’re told that a weak pound is good for exports and bad for imports. Of course, currency exchange issues in the digital economy are real. Could this crisis accelerate the adoption of Bitcoin as the currency for paying for digital goods and services?

CBR’s view: There are basic questions to be addressed quickly around data location, data sovereignty, data privacy and cybersecurity.

Let’s take each of those in turn.

Data Location.
It was notable that in our initial questioning of the industry for reactions to Brexit that not one of the Web Scale companies offered any comment. Google, Apple, Facebook and Amazon all declined to comment.

These Cloud scale companies, known as GAFA, are all US headquartered, and are in a difficult position because their business relies on free movement of data.

That’s why they call it a Cloud. But to use the cliché, the cloud lives in a data centre, somewhere.

Their business also relies on making large capital deployment bets on very, very big physical infrastructure projects – aka data centres. For example the cumulative total that Microsoft, Google, Amazon and Facebook have thus far planned and spent in Ireland runs to billions of euros.

Garry Connelly, chairman at GconnTec & President of Host in Ireland said: "For the projects announced including Apple the amount of planned investment in Ireland is E2.4bn to E3.0bn subject to planning and business reviews post Brexit."

Pre the Brexit poll both Amazon and Microsoft have committed to establishing a physical presence in the UK though investment details are yet to emerge.

Google currently lists no owner operated data centres in the UK.

Facebook announced a major construction project in Ireland in January 2016 to match its famous Swedish data centre in Lulea near the Artic circle. At the time in a blog post, Tom Furlong, VP infrastructure wrote: "The Clonee data center will be our first in Ireland and follows Luleå, in Sweden, as our second in Europe. Ireland has been our international headquarters since 2009, and our new Clonee data center will continue Facebook’s significant investment in the country and in Europe."

Apple is also a big investor in Ireland with plans for its E850m European data centre already announced to be built in Galway in the West of the country.

That is not to say the UK has no large data centre campus projects.

Rackspace is taking occupancy of a huge data centre campus south of London in Crawley which is built and operated by Digital Realty and is heavily invested in the UK.

London remains by far the biggest single city commercial data centre market. Slough in Berkshire has attracted huge investment from NTT Communications, Equnix, Infinity, IO, and others. London Docklands Telehouse is a major site. All have invested heavily to date.

data centres in Slough

Data centres in Slough

All web scale companies quietly say that they use third party commercial data centres from local indigenous multi-site and boutique providers and from the domiciled international players such as Equinix, NTT Comms, Interxion and Telehouse.

But they never say what they use them for.

One possible negative outcome is that large cloud companies don’t invest in big data centre projects in the UK and that the commercial players slow investment. The actuality is that in the short term this battle may have already been lost as countries like Ireland worked hard to attract inward investment with low corporate tax levels and attractive incentives.

One possible positive outcome could be an improved investment environment for the commercial data centre sector. As well as attracting interest from the web scale players, among enterprise companies the move is to divest of data centres and many banks, insurance companies and retailers who are following the trend to colcation or hosting on various types of cloud may feel they need ‘servers on the ground’ in the UK to best serve local markets. This could be an opportunity for commercial data centre firms and telecoms providers.

Data Sovereignty
Data sovereignty refers data being held in a country in adherence to the laws of that state. Fine if you have a single location. Difficult if you have diverse locations and lots of different laws with which to comply. For UK and international companies moving data in and out of Europe this could become a legal minefield.

It is very much related to the data location. But data sovereignty issues extend far beyond the web scale cloud players.

Think of an enterprise company that serves international companies that doesn’t operate a cloud. Here’s a selection of those that do. IBM, BT, Hitachi, Fujitsu, HPE, SAP, SAS, Oracle, Netsuite, Salesforce, CA Technologies. The list goes on. Anyone who operates at an enterprise level also operates a cloud.

The number of mid-tier suppliers and therefore potentially their customers who will be impacted by disparate data sovereignty laws between the UK and the EU is vast.

Brexit - data

UK Royal Courts of Justice

CIOs already express privately that cloud continues to throw up many questions about data sovereignty for critical corporate information. Brexit can only exacerbate the issue.

Many refer to asking the basic question: If I move my workload to your cloud, where will be my data be stored and to what sovereign laws will it be subject?

As with data location, data sovereignty issues could impact the part of the tech sector which develops apps for specific cloud platforms but which could now be based outside the country of origin. SAAS and PAAS development is an area where the UK is particularly strong.

The EU is working on the Digital Single Market. The UK has already had significant influence on the desired form of the DSM.

Whether or not the UK sits outside the Digital Single Market will be subject to negotiation.

Data privacy: GDPR – General Data Protection Regulation
A wide ranging EU law. Data held within the EU will be subject to this law by May 2018. It is very likely that any data moving between the UK and EU will be subject to this law as well as to the UK data protection laws. (see detailed legal comments below).

Cybersecurity – the big one.
Will the UK have the same cybersecurity laws as the rest of the EU? Seems unlikely. Is there a very real risk that data stored in the UK may be considered more vulnerable than that stored in the EU. Some commentators have expressed that fear and said they expect the uncertainty to attract a greater number of attacks, certainly in the short term.

In the opaque world of cyber security another level of uncertainty has been added. (See detailed comments below.)

Techxit Brexit, UK at the edge of the network: Industry reactions

Government digital and data strategies
Rob Anderson, principal analyst, Kable
"The vacuum in leadership in both major political parties post-referendum is not helping deliver clarity. What is apparent is that compared to the Autumn Statement, which only took place seven months ago, the political, policy and digital landscape couldn’t be more different. The government has yesterday set up a Whitehall EU unit, headed by Oliver Letwin, which will involve all departments and functions in government and examine the preferred model for the UK outside the EU. It is clear departmental policies that, four days ago were based on a pro-EU ‘Remain’ stance, will now have to be re-cast, rewritten and, politically-speaking, voted on.
The likelihood of government digital and data strategies emerging anytime soon is highly unlikely and they will probably not emerge until after the Conservative leadership election in the autumn. There may well, in time, be more opportunities for small and medium-sized enterprises. But again, like larger IT businesses, they too are likely to be waiting for policy and strategy to emerge."

Data Privacy – surveillance
Kevin Bocek, VP of Security Strategy at Venafi
"We are almost certain to see greater government powers and surveillance. UK laws have often been challenged under EU Rights. Most recently the Data Regulation and Investigatory Powers Act 2014 (DRIPA) has been challenged in the European Court of Justice and the decision is outstanding. A Britain freed of EU constraints would almost certainly would be free to proceed increase powers with legislation such as the Snoopers Charter and strengthen existing laws such as the Regulation of Investigatory Powers Act (RIPA.
And already under the existing RIPA law, businesses operating in Britain will need to meet their fiduciary and legal responsibility to know where all their keys and certificates are being used. If Brexit does indeed go through, then the threats to privacy and encryption are very likely to get worse.

The ICO will likely continue its role in shepherding data privacy and play a special role in bridging gaps between the UK and EU, and managing implementation of the negotiated exit but, for its part, the EU is sure to attempt enforcement of strong data protection rules during the exit negotiation. In part, this will be aimed at making an example of UK and increasing the pain threshold for other countries who are also looking at leaving. If UK still participates in a common market-like environment, expect to see the EU enforce the GDPR and its biting fines of up to 5% turnover."

Business impact of political games
Sean Hoban, Kimble Applications
The tech industry in the UK has enjoyed real momentum over the last few years. It is hard to guess how Brexit will play out over the coming weeks, months , years, but undoubtedly it will have a significant impact. Business leaders will now have to focus on mitigation strategies, rather than being able to continue a controlled growth path. A real shame, and even more frustrating that politicians don’t appreciate the impact their game playing has on businesses and individuals.

Digital Economy – Position as a tech hub/start-ups
Tom Marsden, CEO of Saberr
"We run the risk of losing our competitive edge as a nation with one of the best start-up ecosystems in the world."

Silicon Roundabout

Silicon Roundabout

Digital Economy – tech hub
Ajay Sule, Practice Director EIA, and Adrian Drodz, Research Director, Digital Transformation, Frost & Sullivan
"Not being a part of the Digital Single Market could result in further isolation and deprive the UK of the benefits of cross border online trade / e-commerce."

Digital Economy – Startups
John-Paul Savant, CEO of ATG Media
"Brexit now poses a challenge for British web-based companies, particularly start-ups, who may have their horizons limited by regulatory walls."

Cybersecurity – uncertainty
William Long, partner and Data Protection specialist at Sidley Austin.
"The UK’s decision to leave the European Union creates uncertainty in relation to the way that data protection laws will be developed in the future. However, companies can take comfort from the fact that the UK’s Data Protection Act was adopted to be consistent with the current EU Data Protection Directive, meaning that EU-type data privacy principles will certainly continue to apply even beyond the initial two year period of UK withdrawal from the EU.

"There could well be support in both the US and UK for a US-UK framework for data flows that is less onerous than the highly rigorous Privacy Shield. However, the UK is likely to have an incentive to demonstrate to the EU that the data flows it receives from EU Member States will not then be transferred to the US under less stringent terms. This could well be an important part of any "adequacy" determination from the EU under the new General Data Protection Regime, that the UK has signed up to.

"We are looking at a period of confusion as we work through the unwinding and rewinding of UK data transfers to and from the EU and European Economic Area (EEA) countries."

Skills, Talent acquisition, the right to work
Alan Duric, CTO and founder of Wire
The freedom to manage data across the EU, unrestricted access to a huge pool of skilled employees and a mass of varied expertise and knowledge, irrespective of country borders, accelerated growth in the ‘digital single market’ immeasurably and it is certainly damaging for the UK to no longer have access to this.

digital single market

Digital Single Market

Simon Crosby, CTO and co-founder, Bromium
Tech talent will move abroad, further afield than Europe. Loss of research funding from the EU will reduce universities’ ability to produce skilled tech workers. The incredible technical talent in the UK just became a lot cheaper for foreign countries to hire. Ultimately, I expect many of them to leave the UK permanently for countries that will pay what they are worth, such as the USA.

Data protection
Jason Howells, EMEA Director, MSP Solutions at Barracuda
GDPR is going to affect businesses offering any type of service to the EU market, regardless of whether that business stores or processes data on EU soil.

Data privacy
Simon Moffatt, EMEA Director, Advanced Customer Engineering at ForgeRock
Businesses should continue to prepare for the GDPR, not just to enable the movement of and access to EU citizen’s data, but also to ensure that the people they serve have the same right to privacy.

Data protection
Spokesperson for the Information Commissioner’s Office
Updates to data legislation are needed in the aftermath of Brexit vote.

Data location
Peter Godden, VP of EMEA, Zerto
Now that Brexit is a reality, companies may find themselves needing to move their data into or out of Britain to align with new compliance regulations, which will truly shine a light on the importance of BC/DR software as many will struggle to manage mission critical data across disparate systems without experiencing downtime.

Data location
Nigel Tozer, Solutions Marketing Director, EMEA, Commvault
There is still time to prepare for the possible need of moving data between borders.

Data Centre investment
Andy Lawrence, Research Vice President at 451 Research

If some reassurance can be given, it is that one reasonably probable outcome is that, after a period of disruption lasting several years, the UK will settle into a new role, nominally outside the EU but participating in most areas.
We believe some of those looking to increase or buy capacity are pausing for thought. However it plays out, it is likely that the UK and EU will ultimately continue to have similar and interoperable regulatory regimes. Tax and tariff issues may complicate the picture.

Data protection and transit
Michael Frisby, MD at Vuzion
A UK exit could spell stricter, independent data laws that businesses have to adhere to – including an effective requirement to keep UK data on UK soil. In such an instance, businesses would have to conduct an audit of their data to understand exactly where everything sits. The IT hosting industry also needs to recognise these changes.

Protection of personal data law
Nicola Fulford, Data Protection lawyer at Kemp Little
It is unlikely that, either in the short, medium or long term, Brexit will result in a material departure of UK law and practice from EU law in relation to the use and protection of personal data.

Increasing number of cyberattacks
Aftab Afzal, SVP & GM EMEA at NSFOCUS IB
With the vote being so close, the unrest will translate into some increased cyber attacks and organisations at the forefront should take extra caution. As many cyber security vendors report dollar revenues, currency market volatility could see some prices increased.

Data protection/location
Andy Green, technical specialist at Varonis
Large UK-based multinationals will still have to deal directly with the GDPR, and local UK companies will be under a GDPR-like local data law.

Talent and data loaction
Charles Phillips, CEO of Infor which has approximately 40% of employees spread throughout Europe, with just over 1000 in UK.
"I’m concerned about the quality of talent. Infor hires many engineers from Eastern Europe. If they are no longer available, that could become an issue. I’m not sure the EU will want data in the UK"

Addtional reporting: Eleanor Burns, Alex Sword, Joao Lima
This article is from the CBROnline archive: some formatting and images may not be present.

sam

.