I was onboarding a new customer today, a B2C company in Nottingham, and I mentioned that their website and email were hosted and stored in the USA. Since their customers create accounts on their website, it may be worth considering hosting that data within the UK. The customer had no idea this was the case, or indeed the implications. They had been sold a "make it yourself" website from a well known provider who threw in email for a dollar a decade, but never considered where the actual data was being stored, or from where the website was being served. In principle there's no problem hosting data in the USA, but for B2C businesses within the UK (and Europe) the General Data Protection Regulation imposes certain requirements on those businesses to protect customer data.
Since GDPR came into force, end users have had a right to expect their personal information to be stored and protected within the framework of the legislation. That is, reasonable steps have been taken to protect it from undue exposure, and rights of access, rectification and erasure are granted. Each EU member state has a supervisory authority with the power to compel compliance or impose severe penalties; in the UK that regulator is the ICO. The regulation also reaches beyond the EU's borders: under Article 3(2) it applies to a company outside the EU that offers goods or services to people in the EU, or monitors their behaviour. In practice, though, a regulator's ability to investigate and enforce against a company with no presence in its jurisdiction is far weaker, which is why where the data physically sits still matters.
This is where it gets muddy in practice. Suppose you purchase something from Fluffy Chicken Limited. They receive and process your personal data such as name, address, phone number and card details, and you would rightfully expect that processing to be covered by GDPR. However, Fluffy Chicken Limited's online shop is hosted in the USA, your data is stored in the USA, and the order is fulfilled by an American company, so it can look as though Fluffy Chicken Limited never touches your data at all and the protection you thought you had has evaporated. That is not how the regulation allocates responsibility. Fluffy Chicken Limited chose the platform and decides why and how your data is used, so it is the controller; the American host and fulfilment partner typically process the data on its behalf and are processors. The controller remains accountable for that processing, must have a written contract with each processor (Article 28), and must have a lawful basis for moving your data outside the EU (Chapter V, Articles 44 to 49). What does change is the practical picture: the data is now held by companies the UK regulator cannot easily reach, and the controller is relying on contracts and transfer mechanisms rather than on the data simply staying at home.
When the UK leaves the European Union at the end of the transition period in a couple of months, the EU GDPR will stop applying directly in the UK. It does not disappear, though: UK law retains its text as the "UK GDPR" alongside the Data Protection Act 2018, so UK companies keep essentially the same obligations towards their customers. What changes is the geography. Data a UK company hosts in an EU member state becomes a transfer outside the UK, and EU customers' data flowing into the UK becomes a transfer outside the EU, each needing its own legal basis unless and until the two sides recognise each other's regimes as adequate.
The thin line between storage, processing and regulation
I think everyone's aware that a company within the UK that serves consumers has to comply with GDPR, which makes total sense, but where do the obligations end?
Assume a UK company pays for an online shop service provided by an American company. Customers visit that company's website and place orders, and those orders are then transmitted to the UK company. Is the American company within the reach of GDPR? Yes, in two ways: as a processor acting under contract for the UK company, and, because it is offering a service to people in the EU, directly under Article 3(2) as well. The UK company's responsibility is not limited to the order data it receives; as the controller it is responsible for everything the American platform collects and stores on its behalf, including account, browsing and payment details it may never see itself. Nor does handing fulfilment to the American company (such as the case with Amazon) remove that responsibility. If the fulfilment partner decides for itself how to use the customer data, it becomes a controller in its own right, which adds an accountable party rather than removing one. Outsourcing the storage and the shipping outsources the work, not the accountability, which is exactly why the location of the data and the terms of the hosting contract deserve a look before signing up.
In our experience, customers are on the fence on this one. Some of our customers have deliberately migrated data and fulfilment offshore, whereas others have chosen a blended solution.
We've been involved in several large scale migrations from the UK to somewhere in the EU ahead of the Brexit deadline. Companies that operate throughout the EU have to decide if being based in the UK is the right choice, and for many it's not. There could be arbitrary tariffs imposed, or customs regulation, or restrictions.
For our supply line with heavy dependence on Hewlett Packard, we're going to experience stock shortages and shipping issues since most of our spare parts come from the EU.
For anyone with a .eu domain name: unless you are established or resident in the EU (or the wider EEA), you will lose it at the end of this year.