Denver Software Club

1
Denver Software Club

• Rob McNeill
• Philip Haleen
• John Enstone
• May 9, 2007

2
(No Transcript)
3

• Market Entry into the UK
• Rob McNeill
• Vice Consul (Trade Investment)
• British Consulate-General Chicago

4
Overview

• UK Software Market
• UK Market Opportunities
• IT Hotspots in the UK
• Methods of Entry into the UK

5
UK Software Market

• UK Enterprise Products Services market is
  largest in the EU
• IT professional services around 33Bpa, growing
  at 1.75Bpa
• Computer hardware Office equipment around
  23Bpa, growing by 550Mpa
• Support software products over 12Bpa, growing
  950Mpa
• IT support services around 12Bpa, growing at
  550Mpa
• Application software products over 9.5Bpa,
  growing at 680Mpa
• 120,000 firms employing over 500,000 staff
• All the worlds major software firms are in UK
• Accenture, EDS, Google, IBM, Infosys, Microsoft,
  Oracle, Tata
• UK firms include Asidua, Autonomy, Capita, Lagan
  Technologies, LogicaCMG, Misys, nCipher,
  Northgate, RM, Sage
• UK-based software businesses invest nearly 1.4
  billion pa in RD

6
UK Software Market

• Government invests heavily in IT systems
• E-Government
• NHS spending around 40B on new IT systems over
  10 years
• Home Office - National Identity Card programme
• Transport for London - Congestion Charging and
  Oyster card
• Many other government contracts, especially in
  shared services area
• Universities share over 340 million of software
  research funding
• Especially Southampton, Edinburgh, Nottingham,
  Newcastle, Imperial, Surrey, Bath, Oxford, UCL,
  Cambridge, Manchester, and Warwick
• Knowledge Transfer Networks
• Cyber Security, Displays, GRID Computing

7
UK Market Opportunities

• Software Market
• Customer Relationship Management (CRM)
• Business Intelligence (BI)
• Enterprise Resource Planning (ERP)
• Compliance Solutions
• Finance Sector
• Multinationals
• Software as a Service (SaaS)

8
Strong Vertical Marketsfor IT

• Aerospace major roles in civil and military
  projects
• Airbus, Joint Strike Fighter, and helicopters
• Automotive UK still manufactures over 600,000
  cars pa
• Major investments by BMW, Honda, Nissan, Toyota
  less by Ford and GM
• Financial Services
• London becoming global 1 in financial services
• Healthcare NHS has worlds largest civilian IT
  project
• 10B development project with further 20B
  implementation
• Pharmaceuticals World leading pharmaceutical
  players
• Astra Zeneca, GSK, Pfizer etc research and
  manufacture in UK
• Retail Worlds leading on-line retailer
• Tesco, Sainsbury, Marks Spencer ..
• Security 2nd largest market in Europe for IT
  Security
• UK leads international security standards
  initiatives
• Transportation London tackling public transport
• Largest smartcard project in Europe (Oystercard)
  now has 4M daily users

9
IT Hot Spots in the UK
10
East of England IT Overview

• Scale
• 14,500 IT/Telecomms companies employing 300,000
  staff
• Key Vertical markets/clusters
• Aero, Auto, Biotech, Financial Business
  Services, Food Drink, Energy, Film Media
• Regional Business Clusters
• Cambridge, Chelmsford, Ipswich, Norwich, South
  Hertfordshire
• Key IT/Digital Media firms
• 3Com, ANT, ARM, Accelrys, Autonomy, BT, CCL,
  Citrix Systems, Convergys, CSR, Domino Printing
  Sciences, Elstree Studios, Microsoft, Nortel, PA
  Technology, Philips, Pointsec, Sagentia, Short
  Fuze, Symbian, T-Mobile, TTP, Wanadoo, Xaar, Zeus

11
East of England IT Overview

• Key Universities
• Cambridge, Essex, Hertfordshire
• IT/Digital Media Strengths
• Low power Mixed-mode chip design, Wireless
  technology, Communications, Photonics, Displays,
  Internet Security, GIS, Speech Recognition,
  Virtual Reality, Database management, e-business,
  Engineering, Healthcare, Banking Insurance,
  Inkjet
• Key Enterprise Zones, Science Parks, and
  Incubators
• Capability Green, Woodside, Luton Hertfordshire
  BIC
• Cambridge Business Park Cambridge Science Park
  St Johns Innovation Centre
• Key Agencies / Networks
• East of England International Cambridge Network,
  Cambridge Wireless, CETC, CHASE, EMMA

12
London IT Overview

• Scale
• IT/Telecomms sector is the largest in Europe with
  22,600 companies
• 19 of 25 software and services suppliers have
  their HQs in London
• Key Vertical Markets/Clusters
• Financial, Business, Life sciences,
  Environmental, Creative Industries, Government,
  Aerospace, Hospitality
• Key IT/Telecomms Firms
• Amstrad, Atos Origin, BT, Bloomberg, CSC, EDS,
  EiDOS, France Telecom, Glu, IBM, Infosys,
  Infogrammes/Atari, I Play, Fujitsu, Konami,
  LogicaCMG, Microsoft, Oracle, Fujitsu, Samsung,
  SAP, SCI, SEGA, Sony, Symbian, Tata Infotech,
  Vtech Communications ltd, Ubisoft, Yahoo!

13
London IT Overview

• Key Universities
• Imperial College of Science, Technology and
  Medicine, Birkbeck College, Goldsmiths College,
  Queen Mary College, University College
• IT/Digital Media Strengths
• Software, Business Financial Services,
  Hardware, Creative and Digital Media, Telecoms,
  Internet services, Mobile telephony
• Key Enterprise Zones, Science Parks, and
  Incubators
• The Thames Gateway Technology Centre Innova
  Science Park
• Brunel Science Park South Bank Technopark
• Key Agencies / Networks
• BCS, IET, Intellect, London Technology Network
  (LTN), New Media Knowledge

14
South East IT Overview

• Scale
• 30,000 IT/Telecomms companies in the region
  185,000 people employed
• Key Vertical Markets/Clusters
• Aerospace, Built Environment, Marine, Health/Life
  Sciences, Environmental Technologies, Digital
  Content
• Regional Business Clusters
• Brighton, Guildford, Oxford
• Key IT/Digital Media Firms
• Babel Media, Climax, Dell, Electronic Arts, Epic,
  Ericsson, Fujitsu, Hitachi Data Systems,
  Hutchinson 3G, Kuju, LG Electronics, Lionhead
  Studios, Microsoft, Mobisphere, Motorola, Nokia,
  Oracle, O2, Panasonic, Philips, Pinewood Film
  Studios, Rebellion, Sage, Shepperton Film
  Studios, Siemens, Virgin Media, Vodafone

15
South East IT Overview

• Key Universities
• Oxford, Southampton, Kent, Sussex, Surrey,
  Reading
• IT/Digital Media Strengths
• Software, Information Security, Hardware,
  Creative and Digital Media (inc Film), Computer
  Games Development, Opto-electronics,
  Telecommunications, 3G Comms, Satellite
  Communications, Publishing
• Key Enterprise Zones, Science Parks, and
  Incubators
• Science Parks in Oxford, Surrey and Southampton
  22 Enterprise Hubs
• Key Agencies / Networks
• SE Media Network Wired Sussex mVCE Royal
  Holloway Security Group, Screen South

16
Methods of Entry into the UK

• Distributors and Sales Agents
• Partnerships
• Sales Office
• Research Development Facility

17
Distributors Sales Agents

• Often the first point of entry into a foreign
  market
• Done right can present the lowest risk with a
  minimal financial outlay
• Important to ensure distributor/agent meets your
  needs

18
Distributors Sales Agents

• Support from the US Export Assistance Center
• Identify Distributors and Sales Agents in the UK
  through the work of the US Embassy in London
• Local contact
• Suzette Nickle
• Senior International Trade Specialist
• suzette.nickle_at_mail.doc.gov
• Tel (303) 844-6623 ext 16
• www.buyusa.gov

19
Partnerships

• Collaborative Partnerships with a like minded UK
  company
• Sales focussed or RD focussed
• Relatively inexpensive
• Results depend on resources allocated to
  selection of partner and maintaining partnership

20
Partnerships

• Global Partnerships Program run by UKTI
• RD focused matchmaking program
• Typical report identifies 10-20 potential
  partners
• Free to US qualifying US companies

21
Sales Office

• Typically companys first physical presence in UK
• Company employees on the ground in the UK
• Transfer US staff to UK or hire locally
• More control over direction company and product
  line is taking in the UK
• Relatively easy to establish
• UK as a Gateway to Europe

22
Research Development Facility

• UK-based software businesses invest nearly 1.4
  billion pa in RD
• Government continuing to develop tax credits for
  companies investing in RD in the UK
• Access to large talent pool of qualified
  graduates and highly skilled software engineers
• Links with UK Universities and Research
  Institutes
• All the worlds major software firms are in UK
• Accenture, EDS, Google, IBM, Infosys, Microsoft,
  Oracle, Tata
• UK firms include Asidua, Autonomy, Capita, Lagan
  Technologies, LogicaCMG, Misys, nCipher,
  Northgate, RM, Sage

23
Help from UK Trade Investment

• Comparative research across UK and Europe
• Identify suitable locations in the UK
• Registering as a company
• Employment law
• Taxation advice
• Resolve visa issues
• Legal, Accounting Banking Introductions

24
Funding Options

• Government Funds
• Financial Incentives
• RD Tax Credits
• Training Grants
• Venture Capital
• Alternative Investment Market (AIM)

25

• Rob McNeill
• Vice Consul (Trade Investment)
• British Consulate-General Chicago
• Tel (312) 970-3844
• Rob.McNeill_at_fco.gov.uk

26
Best PracticesConfidentiality and Data Protection

• Philip Haleen
• Faegre Benson LLP
• Frankfurt

27
Setting the Stage

• Of the various consequences of the Internet Age,
  one area of particular interest is the impact of
  the computer and the Internet on issues of
  CONFIDENTIALITY.
• The computer and the increased storage
  capabilities available have enabled vast amounts
  of data to be accumulated, stored and transmitted
  electronically. These new technological
  capabilities have not yet fully found their legal
  or contractual response in the business world.

28
Traditional Approaches to Confidentiality

• Confidentiality agreements are signed with
  employees and third party vendors
• Access controls to business premises or sensitive
  areas within those premises are initiated and,
• In the transactional setting, a standard
  boilerplate confidentiality clause is included.
  Such clause can be as simple as

29
Traditional Approaches to Confidentiality

• The Parties agree to keep confidential all
  information constituting trade secrets of the
  other party known to it and will not disclose
  such information, directly or indirectly, to any
  third party. The foregoing obligations of
  confidentiality shall not apply to confidential
  information, which was or is lawfully obtained by
  a Party from other sources, which was or is or
  becomes generally available to the public, which
  ceases to be a trade secret, or which is required
  to be disclosed to a competent tribunal or
  government agency or other regulatory body.
• Note Focus is on deterrence through threat of
  liability rather than prevention.

30
Traditional Approaches to Confidentiality

• In the Internet Age, can these traditional
  measures still be adequate to assure an adequate
  level of confidentiality?
• Simply put More data is available and is more
  easily accessed, copied and transmitted over
  computer networks than was ever possible before.
• What then does this mean for efforts to protect
  the confidentiality of such data?

31
The Data Protection Law in the European Union (EU
Directive 95 / 46 / EC)

• A good place to turn for comparison purposes
• However, the EU Data Protection Rules only apply
  as to personal data.
• Personal data is data on individuals that can
  serve to identify a particular individual.
• Should not the same principles apply with to
  business data, especially in the context of
  outsourcing?

32
The Data Protection Law in the European Union (EU
Directive 95 / 46 / EC)

• Section VIII, Confidentiality and Security of
  Processing
• (Articles 16 and 17)
• The Directive obligated Member States to
  transpose the following requirements into their
  respective national laws
• Article 16
• Confidentiality of processing
• Any person acting under the authority of the
  controller or of the processor, including the
  processor himself, who has access to personal
  data must not process them except on instructions
  from the controller, unless he is required to do
  so by law.

33
The Data Protection Law in the European Union (EU
Directive 95 / 46 / EC)

• Section VIII, Confidentiality and Security of
  Processing
• Articles 17
• Security of processing
• Member States shall provide that the controller
  must implement appropriate technical and
  organizational measures to protect personal data
  against accidental or unlawful destruction or
  accidental loss, alteration, unauthorized
  disclosure or access, in particular where the
  processing involves the transmission of data over
  a network, and against all other unlawful forms
  of processing.
• Having regard to the state of the art and the
  cost of their implementation, such measures shall
  ensure a level of security appropriate to the
  risks represented by the processing and the
  nature of the data to be protected.

34
The Data Protection Law in the European Union (EU
Directive 95 / 46 / EC)

• Section VIII, Confidentiality and Security of
  Processing
• Articles 17, Security of processing (continued)
• The Member States shall provide that the
  controller must, where processing is carried out
  on his behalf, choose a processor providing
  sufficient guarantees in respect of the technical
  security measures and organizational measures
  governing the processing to be carried out, and
  must ensure compliance with those measures.

35
The Data Protection Law in the European Union (EU
Directive 95 / 46 / EC)

• Section VIII, Confidentiality and Security of
  Processing
• Articles 17, Security of processing (continued)
• The carrying out of processing by way of a
  processor must be governed by a contract or legal
  act binding the processor to the controller and
  stipulating in particular that
• The processor shall act only on instructions from
  the controller,
• The obligations set out in paragraph 1, as
  defined by the law of the Member State in which
  the processor is established, shall also be
  incumbent on the processor.
• For the purposes of keeping proof, the parts of
  the contract or the legal act relating to data
  protection and the requirements relating to the
  measures referred to in paragraph 1 shall be in
  writing or in another equivalent form.

36
The Data Protection Law in the European Union (EU
Directive 95 / 46 / EC)

• Note
• The controller not only must fulfill the
  requirements itself (Article 17(1)) but also
• The controller must require from any third party
  processor that it provides sufficient guarantees
  in respect of the required technical security and
  organizational measures and ensure compliance of
  the processor with those measures. (Article
  17(2)) and finally
• The agreement between the controller and
  processor must be governed by contract and the
  provisions relating to these measures must be in
  writing (Article 17(3) and (4)).

37
Data Protection Law in the European Union
(Organizational Measures)

• What are these appropriate organizational and
  technical measures that must be implemented
  pursuant to Article 17(1)?
• Specifically, under the transposed data
  protection rules in Germany (from the Annex), the
  organizational measures are to be designed
• To prevent unauthorized persons from gaining
  access to data processing systems with which the
  confidential information is processed (entry
  control)
• To prevent data processing systems from being
  used by unauthorized persons (user control)

38
Data Protection Law in the European Union
(Organizational Measures)

• To ensure that persons entitled to sue a data
  processing system have access only to the data to
  which they have a right of access and that the
  confidential information cannot be read, copied,
  modified or deleted by unauthorized persons
  (access control)
• To ensure that the confidential information
  cannot be read, copied, modified or deleted when
  they are transferred electronically or
  transported, and that the confidential
  information can only be reviewed and verified, at
  which point or stage of the process a transfer of
  the confidential information by data transmission
  facilities is foreseen (communication control)

39
Data Protection Law in the European Union
(Organizational Measures)

• To ensure that it is possible to check and
  establish, after an input, which confidential
  information has been input, modified or deleted
  in data processing systems by whom and at what
  time (input control)
• To ensure that, in the case of commissioned
  processing of the confidential information, the
  confidential information is processed strictly in
  accordance with the instructions of the principal
  (outsourcing control)

40
Data Protection Law in the European Union
(Organizational Measures)

• To prevent unauthorized input into the memory and
  the unauthorized examination, modification or
  erasure of stored confidential information
  (memory control)
• To ensure that the confidential information that
  is collected for different purposes is processed
  separately (which I would describe as integrity
  control).

41
Data Protection Law in the European Union
(Technical Security Measures)

• German legislation does not address specific
  technical security measures.
• The legal literature suggests a company will need
  to ensure of itself and of its third party
  vendors that information systems are not
  installed/used in a manner
• Which could provide the opportunity to create
  unauthorized links to other systems,
• Thereby allowing the ability to bypass
  authentication mechanisms,
• Circumvent data access control procedures, or
• Otherwise jeopardize the security of the
  companys computer systems.

42
Data Protection Law in the European Union
(Technical Security Measures)

• There must be notification procedures
• Actual or suspected instances of information
  asset theft or abuse, as well as
• Potential threats (e.g. hackers, viruses, fire
  etc.) or
• Obvious control weakness affecting security, are
  to be reported immediately to IT security
  personnel at the company.

43
Data Protection Law in the European Union
(Technical Security Measures)

• Further policies, procedures/guidelines to
  enhance technical security would
• Protect all information technology resources
  (e.g. computers, communications, software etc.)
  from theft, tampering, misuse, malicious software
  (e.g. viruses, hackers etc.), destruction and
  loss.
• Ensure that all individuals who come in contact
  with the confidential information have completed
  the appropriate written confidentiality,
  nondisclosure and policy compliance documents.

44
Data Protection Law in the European Union
(Technical Security Measures)

• Ensure individual and organizational
  accountability for the use and protection of
  information systems, through the assignment of
  unique identification codes and authentication
  procedures (e.g. respectively user ids and
  system passwords).
• Prohibit the sharing and other unauthorized
  disclosures of passwords and other confidential
  system access controls through areas such as dial
  up or system passwords.

45
Data Protection Law in the European Union
(Technical Security Measures)

• Ensure supplemental user authentication processes
  and access controls for individuals entering the
  systems through dialup, Internet or other
  communications.
• Provide prompt notification to system/security
  administrators of changes in status (e.g.
  transfers, terminations) of employees,
  contractors, clients, or other users that
  could/will affect their access privileges.

46
Data Protection Law in the European Union
(Technical Security Measures)

• Control access to confidential information based
  on criteria defined by the company. The level of
  default protection for all proprietary
  information, including software, must allow no
  access unless specifically authorized.
• Apply additional controls to ensure the proper
  protection and use of security software features
  (e.g. security administration commands) to
  prevent unauthorized bypassing of implemented
  security procedures.

47
Data Protection Law in the European Union
(Technical Security Measures)

• Produce, review, follow-up and retain audit
  trails of all security relevant logs, data access
  and administration events for ALL systems that
  process the confidential information.
• Regularly perform self-assessments and audits to
  detect security vulnerabilities and
  non-compliance to the companys security
  policy(s) and policy derivatives.

48
Data Protection Law in the European Union
(Technical Security Measures)

• Define and apply appropriate procedures for the
  use of cryptography (encryption/decryption) where
  it is deemed information may be sensitive or
  business critical (e.g. Laptops, Dial-in). This
  must include systems that store such information
  with limited physical protection (e.g.
  desktops).
• Ensure that all information technology is
  procured and/or designed with security control
  features that include
• User identification
• Authentication
• Data and software access authorization
• System integrity protection and ability to audit
  use.

49
Data Protection Law in the European Union
(Technical Security Measures)

• Apply appropriate authorization, copy protection
  and non-disclosure controls for all confidential
  information, released to third party entities.
• Maintain, test and update business continuation
  plans and procedures (e.g. backup, disaster
  recovery), to ensure continued availability of
  systems resources, particularly business critical
  systems.

50
Data Protection Law in the European Union
(Technical Security Measures)

• Define and apply all information retention
  procedures that are necessary to satisfy all
  internal and external requirements, including
  notification requirements for security breaches
  and loss of personal data under local law.
• Properly erase, shred or otherwise dispose of
  information that is no longer needed.

51
Best Practices, Confidentiality and Data
Protection

• Conclusion
• EU data protection rules only apply in the EU,
  and only as to personal data.
• Will not global companies will start to demand
  the same or similar confidentiality standards for
  its business data?
• IT departments and software vendors will need to
  provide the software and system solutions
  necessary to meet these legal and business
  obligations for enhanced protection of personal
  and sensitive business data.
• As representatives of the software industry, you
  will find abundant opportunities in assisting
  your customers to meet these challenges of the
  global workplace.

52

• Thank you for your time and attention.

53
Best Practices

• John Enstone
• Faegre Benson LLP
• London

54
The Opportunities and Challenges for Outsourcing
in the UK

• By 2009 the combined outsourcing market for the
  UK, France and Germany will be worth more than 40
  billion dollars (UK National Outsourcing
  Association)
• Impact of mature outsourcing experience among UK
  users on consultants and suppliers
• Opportunities for new EU members in Central
  Europe
• Impact of new EU members on the outsourcing
  market
• Potential legal issues