Whether you’re for it or against it, the reality for many businesses wishing to trade within Europe in a post-Brexit world is that a mainland European outpost might be needed. Many large financial services organisations have already relocated staff away from the City of London to Amsterdam, Paris and Frankfurt. However, and as Scott Gordon explains in detail, moving people is only half the challenge for organisations with UK-based IT infrastructure.
Although there’s still uncertainty over the ‘when’ and the ‘how’ in relation to the UK leaving the European Union (EU), there has been a stated aim that the UK will still have close ties to the EU including alignment of regulation and standards. However, this is far from certain. If Brexit happens, there are several possible levels of departure, from soft to hard, that will have a significant impact on business contingency planning.
At the softer end of the equation, the UK joins the European Free Trade Association and becomes part of the European Economic Area (EEA) like Norway, Iceland and Liechtenstein which results in minimal impact to business. EEA members have access to the EU Single Market and must maintain most EU laws, but retain independence from common agricultural policies and elements of the judicial process.
However, EEA members must adhere to the four basic freedoms of the movement of goods, services, people and capital. In this scenario, most cross-border business and data flows would remain largely untouched. The need to maintain a formal EU branch office or Data Centre would be minimal. The service industries, and especially legal and financing concerns, could remain within the UK and operate pretty much as before across the EU.
Unfortunately, adoption of this position seems unlikely due in large part to the unpopularity of the “free movement of people” aspect of EEA membership.
There’s an exotic mix of possible mid-level Brexit options of which the Canada-style Brexit has gained some popularity. Although only running on a trial basis, Canada and the EU have agreed on a Comprehensive Economic and Trade Agreement that eliminates most tariff barriers, aligns most standards on the quality and safety of goods and includes a recognition of professional qualifications. There’s no free movement of people which negates many of the most ardent Brexiter fears. However, services such as financial and legal do not receive automatic ‘passporting’ rights which, in turn, further complicates the flow and retention of digital data.
At the hard end of Brexit is an abrupt departure from the EU with the UK relationship based on rules set out by the World Trade Organisation (WTO) and the General Agreement on Tariffs and Trade. A WTO Brexit is a complex process as it requires the UK to align its trade policy with the WTO which means more tariffs and red tape for importers and exporters.
The biggest issue, though, surrounds digital data transfers, which, under the General Data Protection Regulation (GDPR), means that personal data normally cannot be transferred out of the EEA unless there are assurances that the data will continue to be “adequately protected” after it leaves the EEA.
“Adequately protected” is the key phrase, as this means the UK must fully align with the GDPR and all future digital privacy laws, and that the EU agrees that it’s compliant. This is further complicated by onward transfer rules, where there’s a risk that a UK business can process personal data of European citizens and then send it on to a business in a country that the EU deems to have inadequate protections in place.
The WTO-style Brexit is one of the reasons that many businesses are setting up independent subsidiaries within the EU that can take advantage of the simplicity of the current EU membership. Early movers that have branched out to the EU ahead of any possible Brexit outcome include the gambling sector, which must, by law, have operations and Data Centres within the EU to handle transactions of EU citizens. Financial services are another big mover, with accounting firm Ernst & Young reporting that, since the EU Referendum, UK financial services firms have disclosed £1.3 billion of relocation costs, legal advice and contingency provisions, and an additional £2.6 billion for capital injections to scale new non-UK headquarters. The bulk of these firms are very large enterprises with thousands of employees that will already have some mainland European offices and subsidiaries.
The impact for SMEs is potentially more difficult to assess. According to the UK Government’s Department for Business, Energy and Industrial Strategy, there are 5.66 million businesses in the UK. 98% of these businesses are small, local businesses that often indirectly trade with the EU through two-tier distribution and are unlikely to need a mainland European presence.
However, there are 35,000 UK businesses with between 50 and 249 employees that are more likely to have direct European contact, plus a further 8,000 larger businesses with over 250 employees that will almost certainly have some form of European B2B and B2C relationships.
The Institute of Directors, which represents around 30,000 businesses that are predominantly within these two catchments, recently stated that 29% of firms in a survey of 1,200 members had either moved part of their businesses abroad already or were otherwise planning to do so.
Data and secure access
The calculation of whether to branch out to Europe is a formula that includes variables such as how severe a Brexit position the UK takes along with the type of business activity, data collection and transaction processing the business needs to take place within the EU in order to meet regulatory requirements and to overcome red tape.
Based on this decision-making process, a post-Brexit UK business that has decided to set up an EU office will need to start planning the IT ramifications as soon as possible. The biggest issue is understanding how data from European citizens and financial transactions are collected, stored and processed and, most importantly, protected.
In the worst-case hard Brexit scenario followed by regulatory divergence, UK businesses may need to create EU subsidiaries that run IT infrastructure from separate Data Centre capacity along with EU-compliant data and transaction processing structures. This process is potentially easier for organisations with virtualised production systems that are either in private or public clouds, as these can be moved virtually intact into a clone environment based in the EU.
However, there needs to be a careful audit and potentially an application re-development project to ensure that personal data remains within the EU and isn’t transferred to or retained in the UK (if adequacy of protection isn’t granted to the UK). This includes ensuring that access to data, whether on the network or remote, is only by authorised personnel and only on authorised and secure devices, with full accountability.
At a practical level, setting up a smaller branch office in the EU that’s remotely connected to a headquarters and Data Centre in the UK may require a bit of a rethink in terms of cyber security. In some cases, workers will be working from home using either corporate provisions or their own PCs and mobile devices.
Using some form of Virtual Private Network technology will be essential for assuring a secure connection to applications and resources that are on a corporate network and/or in the cloud. Data protection measures must also account for storing and retaining potentially confidential data on customers and staff, which must also meet EU employment law and citizen rights that differ from those of the UK.
As the UK has so far endeavoured to align as much of its data protection laws with the EU as possible, this issue should be relatively minor on Day One of Brexit, but may well evolve over time.
Shifting trust and protection mechanisms
In a scenario where a UK business needs to set up multiple European offices, ensuring seamless and secure access across on-premises and cloud resources will require an integrated approach including more granular controls. Although not a Brexit-specific requirement, enterprises will need to be able to prove that consistent access policies were enforced across different users, such as employees, administrators and service technicians, as well as device types (from desktop to mobile). This ‘zero trust’-style approach means enterprises secure access to specified applications and data with an “authenticate first, then connect” approach, so that only authorised users and their authorised devices can access specific resources.
Zero trust takes access assurance to a higher level by aligning granular resource and application access policies to user role, the necessary identity and device authentication, and a security posture assessment. For example, this might mean certain cloud applications are only available to administrator-level staff connecting from within the EU on a corporate-issued device, while a UK employee can only log in to a comparable application whose data resides in the UK and is only relevant for the UK and/or certain other parts of the world. This technical control helps overcome the issue that organisations might accidentally transfer sensitive or personal data that must legally stay within the UK or EU into a country that’s not deemed as having adequate data protection laws in place.
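The policy described above, as an added illustration that is not code from the article or from Pulse Secure: a small “authenticate first, then connect” evaluator that checks identity and device posture before any resource rule, then enforces the region the resource’s data must stay in and the role required. Resource and user names, regions and the rule ordering are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Tuple

@dataclass(frozen=True)
class Resource:
    name: str
    allowed_regions: frozenset        # regions a user may connect from (data residency)
    admin_only: bool = False
    corporate_device_only: bool = True

@dataclass(frozen=True)
class Request:
    user: str
    role: str            # "admin" or "employee"
    region: str          # where the connection originates, e.g. "EU" or "UK"
    authenticated: bool  # strong authentication already completed
    corporate_device: bool
    posture_ok: bool     # device passed the security posture assessment

def evaluate(req: Request, res: Resource) -> Tuple[bool, str]:
    """Return (allowed, reason). Identity and device are checked before any
    resource-specific rule; every denial carries a reason so the decision
    can be logged for accountability."""
    if not req.authenticated:
        return False, "identity not authenticated"
    if res.corporate_device_only and not req.corporate_device:
        return False, "corporate-issued device required"
    if not req.posture_ok:
        return False, "device failed posture assessment"
    if req.region not in res.allowed_regions:
        return False, f"{res.name} data is restricted to {sorted(res.allowed_regions)}"
    if res.admin_only and req.role != "admin":
        return False, "administrator role required"
    return True, "allowed"

# Constructed sample resources mirroring the scenario in the text.
EU_ADMIN_CONSOLE = Resource("eu-admin-console", frozenset({"EU"}), admin_only=True)
UK_APP = Resource("uk-app", frozenset({"UK", "US"}))

def decide(requests, resources):
    """Evaluate every request against every resource: {(user, resource): (allowed, reason)}."""
    return {(r.user, s.name): evaluate(r, s) for r in requests for s in resources}

if __name__ == "__main__":
    reqs = [  # constructed sample requests
        Request("eu-admin", "admin", "EU", True, True, True),
        Request("uk-staff", "employee", "UK", True, True, True),
        Request("uk-byod", "employee", "UK", True, False, True),
    ]
    for (user, res), (ok, why) in sorted(decide(reqs, [EU_ADMIN_CONSOLE, UK_APP]).items()):
        print(f"{user:>9} -> {res:<16} {'ALLOW' if ok else 'DENY':<5} {why}")
```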
Security ‘spider’s web’
There are a whole host of additional IT and security considerations that must be assessed. Policies and controls must be able to lock down systems to ensure that end users’ data protection mechanisms cannot be bypassed and remain active. In some cases, these controls may need to segregate personal from corporate applications and data depending on device ownership and data access.
In addition, back-up data from EU branch offices and EU staff devices may need to stay in the EU.
There are lots of other questions. Are Big Data projects that use transactional data from EU citizens appropriately anonymised to meet the GDPR? What about the new EU NIS regulation that applies to operators of essential services that may have UK and European facilities, staff and customers? In many cases, secure access controls that support a zero trust model can help address these added challenges.
What to do now? IT Departments with the assistance of business, legal and HR teams need to start creating a detailed audit of access requirements for staff, applications and data that’s mapped against geographic location. In addition, the audit must include detail around where application data is processed. How is it retained? What data protection mechanisms are needed to support internal, industry and legal compliance? All must be included.
This audit will allow organisations to establish secure access policies that can then be applied to technical controls to enable the requisite safeguards. This will also require a re-examination of what secure access technologies exist and how they can be orchestrated to enable those safeguards.
Many of the audits of this type that took place in the run-up to GDPR compliance may need to be resurrected and re-examined through the lens of the different possible Brexit outcomes. Organisations that have yet to start the process need to move quickly, or the next deadline for leaving may be real and not just a false start.
Scott Gordon is Chief Marketing Officer at Pulse Secure