Two major “unseen” risks threaten businesses that use data centers — the “data factories” that power “the Cloud,” the government and every major business. A peer group of senior data center professionals last week discovered that these major risk factors are often not considered until after a data centre has been built — in a sub-optimal country, with very serious adverse implications.
This was one of the major surprise findings when 70 C-level executives — between them responsible for tens of thousands of data centers around the globe — met together with legal and tax specialists to pool expertise on the risks that face multinational companies from the design, location and operation of these business-critical systems.
Nicola Hayes, managing director of research analysts DCD Intelligence — which planned the event based on their recent research findings — said, data centers now operate just about everything we do — from running our offices factories and businesses, online shopping and email, Facebook, Twitter, to banking and airline bookings.
“Historically, data centers have been built by technologists to minimize the risk of technical failure,” Hayes added. ” But now that the data center is such an integral part of most businesses — it transpires that there are massive potential risks at the commercial and legislative levels that are being largely ignored — with potentially business-crippling consequences.”
He added that “two of our expert speakers explained just how damaging two rarely-considered types of risk can be to a business: the tax regime and the data privacy laws in the jurisdiction where the data centre is to be built.”
According to Joe Bollard, Ernst and Young’s partner, international tax services; tax laws around the world have not caught up with online age. In many ways they are still in the age of the horse and cart.
“Governments are fearful that they are losing tax revenues as business and e-commerce is processed and transacted in data centers which might be the other side of the world from the customer and the supplier,” he says. “As a result they are scrabbling to grab their fair share (or, in the eyes of some taxpayers, more than their fair share) of tax on these billions of online business operations.”
Bollard went on to explain that failure to consider the location of a data centre from a tax perspective can lead both the owner and the users of that data center to face tax bills 20% to 40% higher than the business had expected. Unwitting companies can even find themselves subject to double or triple taxation being levied by multiple countries through failing to perform due diligence on the tax implications of that data centre’s location.
“A business could find itself at a significant competitive disadvantage or yielding net losses if it only finds out that it has let itself in for these levels of taxation after building and opening a multi-million pound new data centre,” says Bollard. “My message to all CIOs is: work with your CFO or tax advisor at the earliest planning stage to make sure that you don’t fall into this potential minefield.”
A second major risk, rarely considered until it’s too late, was identified by Ruth Boardman, partner for international privacy and data protection with Bird and Bird. In some jurisdictions, private data can be anything as simple as the information on a business card, she explained. She added that, in fact, anything where the information can be directly or indirectly linked to an individual human, so it can cover the majority of data.”
“If a company fails to do due diligence on data privacy legislation in the countries in which it is considering building its new data center(s) it may find — as some companies already have — that it is illegal to transfer personal data to that datacentre or indeed back from the data center to the head office — because that foreign government does not permit it,” Boardman says. She further explained that most countries have or are implementing data privacy legislation — but the details differ significantly from country to country and even between states within countries.
“This can often lead to the laws of the businesses operating country and the data center country being mutually exclusive,” she adds.
Boardman cited the example where EU law demands protection for personal data whilst, should the data centre be operated by an organization with USA presence, legislation linked to the US Patriot Act can allow US agencies access to data – including data not kept in the USA. Clearly it may be impossible for a company to comply with both laws.
“The penalties in some countries are draconian.” Boardman warned. “In extremis individuals rather than corporations can be held liable.”
To demonstrate this she recalled the case in 2011 of three Google executives who were personally prosecuted and convicted for a corporate breach of Italy’s data privacy laws. The convictions were overturned on appeal, but it highlights the risks involved.
Summing up, DCD Intelligence’s Nicola Hayes said, data centers are no longer just big lumps of technology, they are a key enabler of every business– equivalent to factories — and companies need to do the same due diligence they would when considering building a new factory to understand and mitigate risks. Failure to do so can leave the entire business at risk from massive tax bills through to criminal prosecutions.
“No longer can the planning of data centre strategy be left to the technologists,” Hayes adds. “Today’s CIO and the board must be fully involved in data centre planning.”
The next in this series of C-Level seminars on “Leveraging International Data Center Portfolios for Strategic Advantage” will be held in New York later this year. To register your interest email info@dcd-intelligence.com .