70 Clifton Street , London
+44 (7074) 707080
Unseen Business Risks Can Cripple Data Centres And Their Owners
This was one of the major surprise findings when 70 C-level executives - between them responsible for tens of thousands of data centres around the globe - met together with legal and tax specialists to pool expertise on the risks that face multinational companies from the design, location and operation of these business-critical systems.
Nicola Hayes, managing director of research analysts DCD Intelligence - which planned the event based on their recent research findings - said, "Data centres now operate just about everything we do - from running our offices factories and businesses, online shopping and email, Facebook, Twitter, to banking and airline bookings.
"Historically, data centres have been built by technologists to minimise the risk of technical failure. But now that the datacentre is such an integral part of most businesses - it transpires that there are massive potential risks at the commercial and legislative levels that are being largely ignored - with potentially business-crippling consequences."
Hayes said, "Two of our expert speakers explained just how damaging two rarely-considered types of risk can be to a business: The tax regime and the data privacy laws in the jurisdiction where the data centre is to be built.
"It was fascinating to find out from the very senior attendees present just how few of them were even aware of these risk factors prior to this seminar with many saying they would add these to their risk analyses immediately."
Risk of triple taxation
According to Joe Bollard, Ernst and Young’s partner, international tax services; “tax laws around the world have not caught up with online age. In many ways they are still in the age of the horse and cart.
“Governments are fearful that they are losing tax revenues as business and e-commerce is processed and transacted in data centres which might be the other side of the world from the customer and the supplier. As a result they are scrabbling to grab their fair share (or, in the eyes of some taxpayers, more than their fair share) of tax on these £billions of online business operations.”
Bollard went on to explain that failure to consider the location of a data centre from a tax perspective can lead both the owner and the users of that data centre to face tax bills 20% to 40% higher than the business had expected. Unwitting companies can even find themselves subject to double or triple taxation being levied by multiple countries through failing to perform due diligence on the tax implications of that data centre’s location.
“A business could find itself at a significant competitive disadvantage or yielding net losses if it only finds out that it has let itself in for these levels of taxation after building and opening a multi-million pound new data centre. My message to all CIOs is - work with your CFO or tax advisor at the earliest planning stage to make sure that you don’t fall into this potential minefield.” Bollard concluded.
Falling foul of data privacy legislation
A second major risk, rarely considered until it’s too late, was identified by Ruth Boardman partner for international privacy and data protection with Bird and Bird. She explained, to summit attendees, some of the very complex legislation that applies around the world in different jurisdictions to the storage and transfer of private data.
“In some jurisdictions, private data can be anything as simple as the information on a business card,” she explained. “In fact anything where the information can be directly or indirectly linked to an individual human. So it can cover the majority of data.”
“If a company fails to do due diligence on data privacy legislation in the countries in which it is considering building its new data centre(s) it may find – as some companies already have – that it is illegal to transfer personal data to that datacentre or indeed back from the datacentre to the head office – because that foreign government does not permit it.”
Boardman further explained that most countries have or are implementing data privacy legislation - but the details differ significantly from country to country and even between states within countries. “This,” she explained, “can often lead to the laws of the businesses operating country and the datacentre country being mutually exclusive.”
Boardman cited the example where EU law demands protection for personal data whilst, should the data centre be operated by an organisation with USA presence, legislation linked to the US Patriot Act can allow US agencies access to data – including data not kept in the USA. Clearly it may be impossible for a company to comply with both laws.
“The penalties in some countries are draconian.” Boardman warned. “In extremis individuals rather than corporations can be held liable.” To demonstrate this she recalled the case in 2011 of three Google executives who were personally prosecuted and convicted for a corporate breach of Italy’s data privacy laws – thankfully, the convictions were overturned on appeal, but it highlights the risks involved.
CIOs must take business responsibility
Summing up, DCD Intelligence’s Nicola Hayes said, “data centres are no longer just big lumps of technology, they are a key enabler of every business – equivalent to factories – and companies need to do the same due diligence they would when considering building a new factory to understand and mitigate risks. Failure to do so can leave the entire business at risk from massive tax bills through to criminal prosecutions.
“No longer can the planning of data centre strategy be left to the technologists. Today’s CIO and the board must be fully involved in data centre planning.”
The next in this series of C-Level seminars on ‘Leveraging International Data Center Portfolios for Strategic Advantage’ will be held in New York later this year. To register your interest please email email@example.com
The use of information published here for personal information and editorial processing is generally free of charge. Please clarify any copyright issues with the stated publisher before further use. In the event of publication, please send a specimen copy to firstname.lastname@example.org.