Denver Software Club
Rob McNeill, Philip Haleen, John Enstone
May 9, 2007
3
Market Entry into the UK
Rob McNeill
Vice Consul (Trade & Investment)
British Consulate-General Chicago
4
Overview
UK Software Market
UK Market Opportunities
IT Hotspots in the UK
Methods of Entry into the UK
5
UK Software Market
UK Enterprise Products & Services market is largest in the EU
– IT professional services – around $33Bpa, growing at +$1.75Bpa
– Computer hardware & Office equipment – around $23Bpa, growing by +$550Mpa
– Support software products – over $12Bpa, growing +$950Mpa
– IT support services – around $12Bpa, growing at +$550Mpa
– Application software products – over $9.5Bpa, growing at +$680Mpa
– 120,000 firms employing over 500,000 staff
All the world’s major software firms are in UK
– Accenture, EDS, Google, IBM, Infosys, Microsoft, Oracle, Tata
– UK firms include: Asidua, Autonomy, Capita, Lagan Technologies, LogicaCMG, Misys, nCipher, Northgate, RM, Sage
UK-based software businesses invest nearly $1.4 billion pa in R&D
6
UK Software Market
Government invests heavily in IT systems
– E-Government
– NHS spending around $40B on new IT systems over 10 years
– Home Office - National Identity Card programme
– Transport for London - Congestion Charging and Oyster card
– Many other government contracts, especially in shared services area
Universities share over $340 million of software research funding
– Especially Southampton, Edinburgh, Nottingham, Newcastle, Imperial, Surrey, Bath, Oxford, UCL, Cambridge, Manchester, and Warwick
Knowledge Transfer Networks
– Cyber Security, Displays, GRID Computing
7
UK Market Opportunities
Software Market
Customer Relationship Management (CRM)
Business Intelligence (BI)
Enterprise Resource Planning (ERP)
Compliance Solutions
– Finance Sector
– Multinationals
Software as a Service (SaaS)
8
Strong Vertical Markets for IT
Aerospace: major roles in civil and military projects
– Airbus, Joint Strike Fighter, and helicopters
Automotive: UK still manufactures over 600,000 cars pa
– Major investments by BMW, Honda, Nissan, Toyota; less by Ford and GM
Financial Services:
– London becoming global #1 in financial services
Healthcare: NHS has world’s largest civilian IT project
– $10B development project with further $20B implementation
Pharmaceuticals: World leading pharmaceutical players
– Astra Zeneca, GSK, Pfizer etc research and manufacture in UK
Retail: World’s leading on-line retailer
– Tesco, Sainsbury, Marks & Spencer ..
Security: 2nd largest market in Europe for IT Security
– UK leads international security standards initiatives
Transportation: London tackling public transport
– Largest smartcard project in Europe (Oystercard) now has 4M daily users
9
IT Hot Spots in the UK
South East England
London
East of England
10
East of England IT Overview
Scale
– 14,500 IT/Telecomms companies employing 300,000 staff
Key Vertical markets/clusters
– Aero, Auto, Biotech, Financial & Business Services, Food & Drink, Energy, Film & Media
Regional Business Clusters
– Cambridge, Chelmsford, Ipswich, Norwich, South Hertfordshire
Key IT/Digital Media firms
– 3Com, ANT, ARM, Accelrys, Autonomy, BT, CCL, Citrix Systems, Convergys, CSR, Domino Printing Sciences, Elstree Studios, Microsoft, Nortel, PA Technology, Philips, Pointsec, Sagentia, Short Fuze, Symbian, T-Mobile, TTP, Wanadoo, Xaar, Zeus
11
East of England IT Overview
Key Universities
– Cambridge, Essex, Hertfordshire
IT/Digital Media Strengths
– Low power Mixed-mode chip design, Wireless technology, Communications, Photonics, Displays, Internet Security, GIS, Speech Recognition, Virtual Reality, Database management, e-business, Engineering, Healthcare, Banking & Insurance, Inkjet
Key Enterprise Zones, Science Parks, and Incubators
– Capability Green, Woodside, Luton; Hertfordshire BIC
– Cambridge Business Park; Cambridge Science Park; St Johns Innovation Centre
Key Agencies / Networks
– East of England International; Cambridge Network, Cambridge Wireless, CETC, CHASE, EMMA
12
London IT Overview
Scale
– IT/Telecomms sector is the largest in Europe with 22,600 companies
– 19 of 25 software and services suppliers have their HQs in London
Key Vertical Markets/Clusters
– Financial, Business, Life sciences, Environmental, Creative Industries, Government, Aerospace, Hospitality
Key IT/Telecomms Firms
– Amstrad, Atos Origin, BT, Bloomberg, CSC, EDS, EiDOS, France Telecom, Glu, IBM, Infosys, Infogrammes/Atari, I Play, Fujitsu, Konami, LogicaCMG, Microsoft, Oracle, Fujitsu, Samsung, SAP, SCI, SEGA, Sony, Symbian, Tata Infotech, Vtech Communications ltd, Ubisoft, Yahoo!
13
London IT Overview
Key Universities
– Imperial College of Science, Technology and Medicine, Birkbeck College, Goldsmiths College, Queen Mary College, University College
IT/Digital Media Strengths
– Software, Business & Financial Services, Hardware, Creative and Digital Media, Telecoms, Internet services, Mobile telephony
Key Enterprise Zones, Science Parks, and Incubators
– The Thames Gateway Technology Centre; Innova Science Park; Brunel Science Park; South Bank Technopark
Key Agencies / Networks
– BCS, IET, Intellect, London Technology Network (LTN), New Media Knowledge
14
South East IT Overview
Scale
– 30,000 IT/Telecomms companies in the region; 185,000 people employed
Key Vertical Markets/Clusters
– Aerospace, Built Environment, Marine, Health/Life Sciences, Environmental Technologies, Digital Content
Regional Business Clusters
– Brighton, Guildford, Oxford
Key IT/Digital Media Firms
– Babel Media, Climax, Dell, Electronic Arts, Epic, Ericsson, Fujitsu, Hitachi Data Systems, Hutchinson 3G, Kuju, LG Electronics, Lionhead Studios, Microsoft, Mobisphere, Motorola, Nokia, Oracle, O2, Panasonic, Philips, Pinewood Film Studios, Rebellion, Sage, Shepperton Film Studios, Siemens, Virgin Media, Vodafone
15
South East IT Overview
Key Universities
– Oxford, Southampton, Kent, Sussex, Surrey, Reading
IT/Digital Media Strengths
– Software, Information Security, Hardware, Creative and Digital Media (inc Film), Computer Games Development, Opto-electronics, Telecommunications, 3G Comms, Satellite Communications, Publishing
Key Enterprise Zones, Science Parks, and Incubators
– Science Parks in Oxford, Surrey and Southampton; 22 Enterprise Hubs
Key Agencies / Networks
– SE Media Network; Wired Sussex; mVCE; Royal Holloway Security Group, Screen South
16
Methods of Entry into the UK
Distributors and Sales Agents
Partnerships
Sales Office
Research & Development Facility
17
Distributors & Sales Agents
Often the first point of entry into a foreign market
Done right can present the lowest risk with a minimal financial outlay
Important to ensure distributor/agent meets your needs
18
Distributors & Sales Agents
Support from the US Export Assistance Center
Identify Distributors and Sales Agents in the UK through the work of the US Embassy in London
Local contact: Suzette Nickle
Senior International Trade Specialist
Tel: (303) 844-6623 ext 16
www.buyusa.gov
19
Partnerships
Collaborative Partnerships with a like minded UK company
Sales focussed or R&D focussed
Relatively inexpensive
Results depend on resources allocated to selection of partner and maintaining partnership
20
Partnerships
Global Partnerships Program run by UKTI
R&D focused matchmaking program
Typical report identifies 10-20 potential partners
Free to qualifying US companies
21
Sales Office
Typically company’s first physical presence in UK
Company employees on the ground in the UK
Transfer US staff to UK or hire locally
More control over direction company and product line is taking in the UK
Relatively easy to establish
UK as a Gateway to Europe
22
Research & Development Facility
UK-based software businesses invest nearly $1.4 billion pa in R&D
Government continuing to develop tax credits for companies investing in R&D in the UK
Access to large talent pool of qualified graduates and highly skilled software engineers
Links with UK Universities and Research Institutes
All the world’s major software firms are in UK
– Accenture, EDS, Google, IBM, Infosys, Microsoft, Oracle, Tata
– UK firms include: Asidua, Autonomy, Capita, Lagan Technologies, LogicaCMG, Misys, nCipher, Northgate, RM, Sage
23
Help from UK Trade & Investment
Comparative research across UK and Europe
Identify suitable locations in the UK
Registering as a company
Employment law
Taxation advice
Resolve visa issues
Legal, Accounting & Banking Introductions
24
Funding Options
Government Funds
– Financial Incentives
– R&D Tax Credits
– Training Grants
Venture Capital
Alternative Investment Market (AIM)
25
Rob McNeill
Vice Consul (Trade & Investment)
British Consulate-General Chicago
Tel: (312) 970-3844
Best Practices, Confidentiality and Data Protection
Philip Haleen
Faegre & Benson LLP
Frankfurt
27
Setting the Stage
Of the various consequences of the Internet Age, one area of particular interest is the impact of the computer and the Internet on issues of CONFIDENTIALITY.
The computer and the increased storage capabilities available have enabled vast amounts of data to be accumulated, stored and transmitted electronically. These new technological capabilities have not yet fully found their legal or contractual response in the business world.
28
Traditional Approaches to Confidentiality
• Confidentiality agreements are signed with employees and third party vendors;
• Access controls to business premises or sensitive areas within those premises are initiated; and,
• In the transactional setting, a standard “boilerplate” confidentiality clause is included. Such clause can be as simple as:
29
Traditional Approaches to Confidentiality
The Parties agree to keep confidential all information constituting trade secrets of the other party known to it and will not disclose such information, directly or indirectly, to any third party. The foregoing obligations of confidentiality shall not apply to confidential information, which was or is lawfully obtained by a Party from other sources, which was or is or becomes generally available to the public, which ceases to be a trade secret, or which is required to be disclosed to a competent tribunal or government agency or other regulatory body.
Note: Focus is on deterrence through threat of liability rather than prevention.
30
Traditional Approaches to Confidentiality
In the Internet Age, can these traditional measures still assure an adequate level of confidentiality?
Simply put: More data is available and is more easily accessed, copied and transmitted over computer networks than was ever possible before.
What then does this mean for efforts to protect the confidentiality of such data?
31
The Data Protection Law in the European Union (EU Directive 95 / 46 / EC)
• A good place to turn for comparison purposes
• However, the EU Data Protection Rules only apply as to “personal data”.
– Personal data is data on individuals that can serve to identify a particular individual.
• Should not the same principles apply to business data, especially in the context of outsourcing?
32
The Data Protection Law in the European Union (EU Directive 95 / 46 / EC)
Section VIII, Confidentiality and Security of Processing (Articles 16 and 17)
The Directive obligated Member States to transpose the following requirements into their respective national laws:
Article 16, Confidentiality of processing
Any person acting under the authority of the controller or of the processor, including the processor himself, who has access to personal data must not process them except on instructions from the controller, unless he is required to do so by law.
33
The Data Protection Law in the European Union (EU Directive 95 / 46 / EC)
Section VIII, Confidentiality and Security of Processing
Article 17, Security of processing
1. Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
34
The Data Protection Law in the European Union (EU Directive 95 / 46 / EC)
Section VIII, Confidentiality and Security of Processing
Article 17, Security of processing (continued)
2. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.
35
The Data Protection Law in the European Union (EU Directive 95 / 46 / EC)
Section VIII, Confidentiality and Security of Processing
Article 17, Security of processing (continued)
3. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
– The processor shall act only on instructions from the controller,
– The obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.
4. For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form.
36
The Data Protection Law in the European Union (EU Directive 95 / 46 / EC)
Note:
• The controller not only must fulfill the requirements itself (Article 17(1)); but also
• The controller must require from any third party processor that it provides sufficient guarantees in respect of the required technical security and organizational measures and ensure compliance of the processor with those measures. (Article 17(2)); and finally
• The agreement between the controller and processor must be governed by contract and the provisions relating to these measures must be in writing (Article 17(3) and (4)).
37
Data Protection Law in the European Union (Organizational Measures)
What are these “appropriate organizational and technical measures that must be implemented” pursuant to Article 17(1)? Specifically, under the transposed data protection rules in Germany (from the Annex), the organizational measures are to be designed:
1. To prevent unauthorized persons from gaining access to data processing systems with which the confidential information is processed (entry control);
2. To prevent data processing systems from being used by unauthorized persons (user control);
38
Data Protection Law in the European Union (Organizational Measures)
3. To ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access and that the confidential information cannot be read, copied, modified or deleted by unauthorized persons (access control);
4. To ensure that the confidential information cannot be read, copied, modified or deleted when it is transferred electronically or transported, and that the confidential information can only be reviewed and verified, at which point or stage of the process a transfer of the confidential information by data transmission facilities is foreseen (communication control);
39
Data Protection Law in the European Union (Organizational Measures)
5. To ensure that it is possible to check and establish, after an input, which confidential information has been input, modified or deleted in data processing systems by whom and at what time (input control);
6. To ensure that, in the case of commissioned processing of the confidential information, the confidential information is processed strictly in accordance with the instructions of the principal (outsourcing control);
40
Data Protection Law in the European Union (Organizational Measures)
7. To prevent unauthorized input into the memory and the unauthorized examination, modification or erasure of stored confidential information (memory control);
8. To ensure that the confidential information that is collected for different purposes is processed separately (which I would describe as “integrity control”).
41
Data Protection Law in the European Union (Technical Security Measures)
German legislation does not address specific technical security measures.
The legal literature suggests a company will need to ensure of itself and of its third party vendors that information systems are not installed/used in a manner:
• Which could provide the opportunity to create unauthorized links to other systems,
• Thereby allowing the ability to bypass authentication mechanisms,
• Circumvent data access control procedures, or
• Otherwise jeopardize the security of the company’s computer systems.
42
Data Protection Law in the European Union (Technical Security Measures)
There must be notification procedures:
• Actual or suspected instances of information asset theft or abuse, as well as
• Potential threats (e.g. hackers, viruses, fire etc.) or
• Obvious control weakness affecting security, are to be reported immediately to IT security personnel at the company.
43
Data Protection Law in the European Union (Technical Security Measures)
Further policies, procedures/guidelines to enhance technical security would:
1. Protect all information technology resources (e.g. computers, communications, software etc.) from theft, tampering, misuse, malicious software (e.g. viruses, hackers etc.), destruction and loss.
2. Ensure that all individuals who come in contact with the confidential information have completed the appropriate written confidentiality, nondisclosure and policy compliance documents.
44
Data Protection Law in the European Union (Technical Security Measures)
3. Ensure individual and organizational accountability for the use and protection of information systems, through the assignment of unique identification codes and authentication procedures (e.g. respectively user id’s and system passwords).
4. Prohibit the sharing and other unauthorized disclosures of passwords and other confidential system access controls through areas such as dial up or system passwords.
45
Data Protection Law in the European Union (Technical Security Measures)
5. Ensure supplemental user authentication processes and access controls for individuals entering the systems through dialup, Internet or other communications.
6. Provide prompt notification to system/security administrators of changes in status (e.g. transfers, terminations) of employees, contractors, clients, or other users that could/will affect their access privileges.
46
Data Protection Law in the European Union (Technical Security Measures)
7. Control access to confidential information based on criteria defined by the company. The level of default protection for all proprietary information, including software, must allow no access unless specifically authorized.
8. Apply additional controls to ensure the proper protection and use of security software features (e.g. security administration commands) to prevent unauthorized bypassing of implemented security procedures.
47
Data Protection Law in the European Union (Technical Security Measures)
9. Produce, review, follow-up and retain audit trails of all security relevant logs, data access and administration events for ALL systems that process the confidential information.
10. Regularly perform self-assessments and audits to detect security vulnerabilities and non-compliance with the company’s security policy(s) and policy derivatives.
48
Data Protection Law in the European Union (Technical Security Measures)
11. Define and apply appropriate procedures for the use of cryptography (encryption/decryption) where it is deemed information may be sensitive or business critical (e.g. Laptops, Dial-in). This must include systems that store such information with limited physical protection (e.g. desktops).
12. Ensure that all information technology is procured and/or designed with security control features that include:
i. User identification
ii. Authentication
iii. Data and software access authorization
iv. System integrity protection and ability to audit use.
49
Data Protection Law in the European Union (Technical Security Measures)
13. Apply appropriate authorization, copy protection and non-disclosure controls for all confidential information, released to third party entities.
14. Maintain, test and update business continuation plans and procedures (e.g. backup, disaster recovery), to ensure continued availability of systems resources, particularly business critical systems.
50
Data Protection Law in the European Union (Technical Security Measures)
15. Define and apply all information retention procedures that are necessary to satisfy all internal and external requirements, including notification requirements for security breaches and loss of personal data under local law.
16. Properly erase, shred or otherwise dispose of information that is no longer needed.
51
Best Practices, Confidentiality and Data Protection
Conclusion
EU data protection rules only apply in the EU, and only as to personal data.
Will not global companies start to demand the same or similar confidentiality standards for their business data?
IT departments and software vendors will need to provide the software and system solutions necessary to meet these legal and business obligations for enhanced protection of personal and sensitive business data.
As representatives of the software industry, you will find abundant opportunities in assisting your customers to meet these challenges of the global workplace.
52
Philip B. [email protected]
+49 69 631 561 20
Frankfurt Office
Faegre & Benson LLP
Main Tower
Neue Mainzer Strasse 52-58
Frankfurt am Main, 60311
Phone: 49-69-631-561-0
Fax: 49-69-631-561-11
Thank you for your time and attention.
Best Practices
John Enstone
Faegre & Benson LLP
London
54
The Opportunities and Challenges for Outsourcing in the UK
By 2009 the combined outsourcing market for the UK, France and Germany will be worth more than 40 billion dollars (UK National Outsourcing Association)
• Impact of mature outsourcing experience among UK users on consultants and suppliers
• Opportunities for new EU members in Central Europe
• Impact of new EU members on the outsourcing market
• Potential legal issues