If Scotland becomes independent, what does that mean for UK data sovereignty?

Lubor Ptacek

September 18, 2014: Scotland goes to the polls on Thursday to vote on independence from the Union. If a yes vote is passed, it throws into question the impact on data sovereignty.

It’s a curious notion, one that both Whitehall and Holyrood have not publically answered. If we consider the consequences from a data protection perspective, they are incredibly complex. Especially as the EU Data Protection Directive mandates that data cannot be transferred outside of the 28-member states territory. This means that organisations need to prove where their data is at all times. Scotland is presently an EU member as part of the UK. But this could change as only last night the Telegraph reported that Spain’s European Foreign Affairs Minister said that a separate Scotland would need to wait five years for EU membership and join the single currency.

The next wave of EU Data Protection Reforms will introduce further enforcements around data crossing borders. Despite the fact that the majority of business communications is digital by nature – such as email and productivity tools like Microsoft Word and Excel – and is effectively borderless, these will carry a new burden for data sovereignty compliance. When these reforms were first suggested last year, the Direct Marketing Association said it was ‘strict and unworkable’ and claimed that it would cost UK businesses an eye watering £47 billion in lost sales and regulatory costs.

Today, your data may be based in the UK, but tomorrow…is it England or Scotland? The key is allowing companies from either country to pick where they want their data to live and guarantee that it resides there.

A yes vote will mean that the data will have to be migrated. But to where, at this stage, can only be speculated. What we do know is that for companies that want to move their data from Scotland to England, capacity and power availability within the Greater London M25 belt will be under extreme pressure. If Scottish data needs to head north, then perhaps the challenge isn’t quite so unwieldy. Scotland’s climate is well suited for cooling power-hungry server farms. It boasts a thriving data centre economy; with substantial investment into the hundreds of millions across the country with some areas building new locally generated renewable energy-based data centres expected to go online next year. Scotland’s digital and ICT sector is worth around £3 billion to the economy and boasts over 73,000 jobs. For a population of just over five million, it’s a healthy industry.

The nationalist campaigners suggest they could switch Scotland’s data from Whitehall systems by 2018. But this is likely to entail considerable disruption to public services, not to mention commercial implications for organisations that own or host from data centres based there. Over time, these issues will have to be remedied. The result will be that data sovereignty will become a board issue and part of future business and legal operations as principle.

But this is not necessarily a bad thing. The recent spotlight on data sovereignty originates from the much-reported WikiLeaks and Snowden affair, and the USA’s National Security Agency spying allegations. These stories have created such a wake that, according to ResearchNow, a quarter of UK companies are expected to pull their data out of USA data centres in light of the controversy. Protecting the integrity of data is definitely at the top of the corporate agenda and it requires sovereignty and security embedded by design.

If Scotland does separate and takes a while to decide how it wants to pursue its membership with the EU, it will mean that data housed in Scotland from another country’s origin, would need to move inside the EU. An alternative is that a provision is made for its own data protection regulation but this would need to be written and ratified – a pretty costly and complicated exercise never mind the migrating of its data.

Given that both, England and Scotland, speak the same language means that the data doesn’t need to be translated but that fact makes it more difficult to separate Scottish data from English.  The challenge will be organising and sorting through Petabytes of data and establishing whether it is English or Scottish in origin. There are clues such as place names and cultural references that will help with labeling, but in reality, this particular job is for humans who unfortunately are inherently unreliable when it comes to organising information.

Auto-classification tools, on the other hand, typically deliver 80 – 90 per cent accuracy of data as opposed to human classification that on average results in 60 per cent of information properly classified.

For the whole of the United Kingdom adhering to data protection laws and dealing with the sovereignty of data requires a strategic view when it comes to managing enterprise information. As far as Scottish, Welsh and English borders are concerned, the task of migrating so much data will be a tremendous undertaking. Let’s hope, they don’t have to do it.

Lubor Ptacek is VP (Strategy) at OpenText