The introduction of Brexit – and uncertainty of a deal or no-deal situation – has created confusion in almost all areas of UK life. Even a simple passport query led me down a rabbit hole of potential IT problems. I’d been planning to get my passport renewed in December when I have a few weeks where I don’t need to travel – I’d checked earlier in the year and it was valid until then for all the destinations I was planning to visit. However, a quick check on the UK Government’s passport checker site revealed that under a no-deal Brexit I’d need a new one. After dealing with this, I then spotted a discussion on twitter about the possibility of needing to complete customs paperwork for IT equipment (laptops, cameras, microphones etc) when travelling for business – which made me realise that there has been little (or even no) discussion about the implications for technology assets and how to prepare.
What do people think the impact will be?
Back in April of this year, a survey conducted by Snow Software across the UK, Germany, France, Spain, Portugal, and Italy asking participants how they felt Brexit would impact them. When UK respondents were asked about whether they were worried about the impact Brexit would have on their job, 53% said yes and 47% said no, compared to the rest of Europe where 45% said yes and 55% said no.
Despite more information being made available by various government agencies across the EEA, anecdotal evidence suggests that concern about the impact on business is increasing – uncertainty and an inability to prepare has already had an impact. Businesses are losing contracts or moving operations out of the UK to avoid this. The most concerning of these is the lack of communication to end-users from within their organisations – many of those who work internationally haven’t heard anything from their IT departments, or indeed elsewhere in their organisations. A couple of people mentioned that they’d been advised to minimise travel commitments around the Brexit deadline, but these were the exception.
If no one knows what’s happening, what can you do to prepare?
When we finally know what’s going on, it will help if you have worked out:
- Which software installations are physically located in the UK
- Which software is assigned to users employed in the UK
- Which SaaS subscriptions are assigned to users employed in the UK (and where that SaaS is delivered from)
- Which IaaS/PaaS/hosted services are accessed by users employed in the UK
- Which European Economic Area (EEA, which at the time of writing consists of the EU countries plus Iceland, Norway and Lichtenstein – Switzerland is not part of the EEA but is part of the single market)employees spend a significant amount of time in the UK and what devices are assigned to them
- Which UK employees spend time in EEA countries and what devices are assigned to them (identify roaming users and confirm their country of employment with HR)
- Where you purchase the software and where it is deployed to (i.e. are you exporting from the UK to the EEA or from the EEA to the UK)
Some of these may have been identified already for GDPR purposes, so make sure that you talk to your DPO or equivalent rather than duplicating effort. Of course, if you have the information easily available in your ITAM systems, then you can work together to validate both sets of data.
Until we know what the deal is there is little more you can do to prepare, but armed with this information you’ll have an idea of the scope of the problem – the parts of the business impacted, the individuals involved and the technology vendors you’ll need to work with.
Once you’ve identified all the software and cloud services that are used in the UK/by UK employees, then you need to check the entitlement. If you have a global contract then there may not be any issues, but you do need to check whether the terms are consistent globally or whether there are any EEA-specific provisions that you need to be aware of. Where global agreements require geographic assignment and currently have the EEA as a single geography, you will need to ensure that you can split out the UK requirements if necessary (in the event of ‘no deal’ or one that leaves the UK outside the single market). Once the taxation implications become clear you may find that at contract renewal you need to rethink where you contract for and purchase your licenses in order to be most tax-efficient (or minimise the bureaucracy).
Other activities to consider implementing immediately include:
- Amending your standard contract negotiation guidelines to ensure that new contracts (or renewals) address the geographic issue by either removing restrictions completely or adding ‘UK’ to the ‘EEA and Switzerland’ terminology that is usually included
- Creating a notification policy or process to identify any breach of terms of service
- Add a workflow that includes a requirement to provide details of ‘country of use’ or ‘country of residency’ to any request or input of contract and license documentation
Mature ITAM, with a strategic focus, takes a process-based approach
While many organisations focus their SAM or licence management activity on a vendor-by-vendor basis, often prioritising based on the size of contract or spend, I have always advocated a process-based approach. The situation caused by Brexit is an example of why – while many software asset managers are focused on compliance from an individual vendor perspective (a legacy of the audit culture that has become less prevalent in recent years), there is more to SAM than licence compliance, and it is not simply the vendors where you spend the most money that you may be exposed to risks or have opportunities.
Taking a process-based approach means that once you have your processes working, then all consumption data can be held and understood. And likewise, any entitlement data can be added to the SAM system as and when it is delivered (or for historic data, when it is located/identified). Taking a process-based approach makes it easier for you to address business challenges (how much is the total cost of providing tech to support e.g. an individual/a business process; can you prove regulatory compliance e.g. assignment of contracts to the correct legal entities, payment of invoices by the entity that uses the product or service), and puts you in a position where events like Brexit (and hopefully there won’t be too many of those) don’t result in massive disruption as you have to start from scratch with the hundreds of vendors who haven’t been on your priority list previously.
To prepare for Brexit you need to know about every single piece of software and every cloud service that is used in the UK or by UK employees. Likewise, you need to understand their entitlement. If you’ve been focused on individual vendors you may have excellent data for a few key vendors (typically Microsoft, Oracle, IBM, SAP, Adobe and around half a dozen others), but be missing data for many of the others. If you have low SAM maturity and have been tactically focused you’ve got a lot of work to do.
Written by Victoria Barber, Technology Guardian at Snow Software