Denver Software Club Rob McNeill Philip Haleen John Enstone May 9, 2007

Market Entry into the UK

Rob McNeill, Vice Consul (Trade & Investment), British Consulate-General Chicago

Overview

UK Software Market

UK Market Opportunities

IT Hotspots in the UK

Methods of Entry into the UK

UK Software Market

UK Enterprise Products & Services market is largest in the EU
– IT professional services – around $33Bpa, growing at +$1.75Bpa
– Computer hardware & Office equipment – around $23Bpa, growing by +$550Mpa
– Support software products – over $12Bpa, growing +$950Mpa
– IT support services – around $12Bpa, growing at +$550Mpa
– Application software products – over $9.5Bpa, growing at +$680Mpa
– 120,000 firms employing over 500,000 staff

All the world’s major software firms are in UK
– Accenture, EDS, Google, IBM, Infosys, Microsoft, Oracle, Tata
– UK firms include: Asidua, Autonomy, Capita, Lagan Technologies, LogicaCMG, Misys, nCipher, Northgate, RM, Sage

UK-based software businesses invest nearly $1.4 billion pa in R&D

Government invests heavily in IT systems
– E-Government
– NHS spending around $40B on new IT systems over 10 years
– Home Office - National Identity Card programme
– Transport for London - Congestion Charging and Oyster card
– Many other government contracts, especially in shared services area

Universities share over $340 million of software research funding
– Especially Southampton, Edinburgh, Nottingham, Newcastle, Imperial, Surrey, Bath, Oxford, UCL, Cambridge, Manchester, and Warwick

Knowledge Transfer Networks
– Cyber Security, Displays, GRID Computing

UK Market Opportunities

Software Market

Customer Relationship Management (CRM)

Business Intelligence (BI)

Enterprise Resource Planning (ERP)

Compliance Solutions
– Finance Sector
– Multinationals

Software as a Service (SaaS)

Strong Vertical Markets for IT

Aerospace: major roles in civil and military projects
– Airbus, Joint Strike Fighter, and helicopters

Automotive: UK still manufactures over 600,000 cars pa
– Major investments by BMW, Honda, Nissan, Toyota; less by Ford and GM

Financial Services:
– London becoming global #1 in financial services

Healthcare: NHS has world’s largest civilian IT project
– $10B development project with further $20B implementation

Pharmaceuticals: World leading pharmaceutical players
– Astra Zeneca, GSK, Pfizer etc research and manufacture in UK

Retail: World’s leading on-line retailer
– Tesco, Sainsbury, Marks & Spencer ..

Security: 2nd largest market in Europe for IT Security
– UK leads international security standards initiatives

Transportation: London tackling public transport
– Largest smartcard project in Europe (Oystercard) now has 4M daily users

IT Hot Spots in the UK

South East England

London

East of England

East of England IT Overview

Scale
– 14,500 IT/Telecomms companies employing 300,000 staff

Key Vertical markets/clusters
– Aero, Auto, Biotech, Financial & Business Services, Food & Drink, Energy, Film & Media

Regional Business Clusters
– Cambridge, Chelmsford, Ipswich, Norwich, South Hertfordshire

Key IT/Digital Media firms
– 3Com, ANT, ARM, Accelrys, Autonomy, BT, CCL, Citrix Systems, Convergys, CSR, Domino Printing Sciences, Elstree Studios, Microsoft, Nortel, PA Technology, Philips, Pointsec, Sagentia, Short Fuze, Symbian, T-Mobile, TTP, Wanadoo, Xaar, Zeus

Key Universities
– Cambridge, Essex, Hertfordshire

IT/Digital Media Strengths
– Low power Mixed-mode chip design, Wireless technology, Communications, Photonics, Displays, Internet Security, GIS, Speech Recognition, Virtual Reality, Database management, e-business, Engineering, Healthcare, Banking & Insurance, Inkjet

Key Enterprise Zones, Science Parks, and Incubators
– Capability Green, Woodside, Luton; Hertfordshire BIC
– Cambridge Business Park; Cambridge Science Park; St Johns Innovation Centre

Key Agencies / Networks
– East of England International; Cambridge Network, Cambridge Wireless, CETC, CHASE, EMMA

London IT Overview

Scale
– IT/Telecomms sector is the largest in Europe with 22,600 companies
– 19 of 25 software and services suppliers have their HQs in London

Key Vertical Markets/Clusters
– Financial, Business, Life sciences, Environmental, Creative Industries, Government, Aerospace, Hospitality

Key IT/Telecomms Firms
– Amstrad, Atos Origin, BT, Bloomberg, CSC, EDS, EiDOS, France Telecom, Glu, IBM, Infosys, Infogrammes/Atari, I Play, Fujitsu, Konami, LogicaCMG, Microsoft, Oracle, Fujitsu, Samsung, SAP, SCI, SEGA, Sony, Symbian, Tata Infotech, Vtech Communications ltd, Ubisoft, Yahoo!

Key Universities
– Imperial College of Science, Technology and Medicine, Birkbeck College, Goldsmiths College, Queen Mary College, University College

IT/Digital Media Strengths
– Software, Business & Financial Services, Hardware, Creative and Digital Media, Telecoms, Internet services, Mobile telephony

Key Enterprise Zones, Science Parks, and Incubators
– The Thames Gateway Technology Centre; Innova Science Park; Brunel Science Park; South Bank Technopark

Key Agencies / Networks
– BCS, IET, Intellect, London Technology Network (LTN), New Media Knowledge

South East IT Overview

Scale
– 30,000 IT/Telecomms companies in the region; 185,000 people employed

Key Vertical Markets/Clusters
– Aerospace, Built Environment, Marine, Health/Life Sciences, Environmental Technologies, Digital Content

Regional Business Clusters
– Brighton, Guildford, Oxford

Key IT/Digital Media Firms
– Babel Media, Climax, Dell, Electronic Arts, Epic, Ericsson, Fujitsu, Hitachi Data Systems, Hutchinson 3G, Kuju, LG Electronics, Lionhead Studios, Microsoft, Mobisphere, Motorola, Nokia, Oracle, O2, Panasonic, Philips, Pinewood Film Studios, Rebellion, Sage, Shepperton Film Studios, Siemens, Virgin Media, Vodafone

Key Universities
– Oxford, Southampton, Kent, Sussex, Surrey, Reading

IT/Digital Media Strengths
– Software, Information Security, Hardware, Creative and Digital Media (inc Film), Computer Games Development, Opto-electronics, Telecommunications, 3G Comms, Satellite Communications, Publishing

Key Enterprise Zones, Science Parks, and Incubators
– Science Parks in Oxford, Surrey and Southampton; 22 Enterprise Hubs

Key Agencies / Networks
– SE Media Network; Wired Sussex; mVCE; Royal Holloway Security Group, Screen South

Methods of Entry into the UK

Distributors and Sales Agents

Partnerships

Sales Office

Research & Development Facility

Distributors & Sales Agents

Often the first point of entry into a foreign market

Done right can present the lowest risk with a minimal financial outlay

Important to ensure distributor/agent meets your needs

Support from the US Export Assistance Center

Identify Distributors and Sales Agents in the UK through the work of the US Embassy in London

Local contact: Suzette Nickle

Senior International Trade Specialist

[email protected]

Tel: (303) 844-6623 ext 16

www.buyusa.gov

Partnerships

Collaborative Partnerships with a like-minded UK company

Sales focussed or R&D focussed

Relatively inexpensive

Results depend on resources allocated to selection of partner and maintaining partnership

Global Partnerships Program run by UKTI

R&D focused matchmaking program

Typical report identifies 10-20 potential partners

Free to qualifying US companies

Sales Office

Typically company’s first physical presence in UK

Company employees on the ground in the UK

Transfer US staff to UK or hire locally

More control over direction company and product line is taking in the UK

Relatively easy to establish

UK as a Gateway to Europe

Research & Development Facility

UK-based software businesses invest nearly $1.4 billion pa in R&D

Government continuing to develop tax credits for companies investing in R&D in the UK

Access to large talent pool of qualified graduates and highly skilled software engineers

Links with UK Universities and Research Institutes

All the world’s major software firms are in UK
– Accenture, EDS, Google, IBM, Infosys, Microsoft, Oracle, Tata
– UK firms include: Asidua, Autonomy, Capita, Lagan Technologies, LogicaCMG, Misys, nCipher, Northgate, RM, Sage

Help from UK Trade & Investment

Comparative research across UK and Europe

Identify suitable locations in the UK

Registering as a company

Employment law

Taxation advice

Resolve visa issues

Legal, Accounting & Banking Introductions

Funding Options

Government Funds
– Financial Incentives
– R&D Tax Credits
– Training Grants

Venture Capital

Alternative Investment Market (AIM)

Rob McNeill, Vice Consul (Trade & Investment)

British Consulate-General Chicago

Tel: (312) 970-3844

[email protected]

Best Practices, Confidentiality and Data Protection

Philip Haleen

Faegre & Benson LLP

Frankfurt

Setting the Stage

Of the various consequences of the Internet Age, one area of particular interest is the impact of the computer and the Internet on issues of CONFIDENTIALITY.

The computer and the increased storage capabilities available have enabled vast amounts of data to be accumulated, stored and transmitted electronically. These new technological capabilities have not yet fully found their legal or contractual response in the business world.

Traditional Approaches to Confidentiality

• Confidentiality agreements are signed with employees and third party vendors;

• Access controls to business premises or sensitive areas within those premises are initiated; and,

• In the transactional setting, a standard “boilerplate” confidentiality clause is included. Such clause can be as simple as:

The Parties agree to keep confidential all information constituting trade secrets of the other party known to it and will not disclose such information, directly or indirectly, to any third party. The foregoing obligations of confidentiality shall not apply to confidential information, which was or is lawfully obtained by a Party from other sources, which was or is or becomes generally available to the public, which ceases to be a trade secret, or which is required to be disclosed to a competent tribunal or government agency or other regulatory body.

Note: Focus is on deterrence through threat of liability rather than prevention.

In the Internet Age, can these traditional measures still assure an adequate level of confidentiality?

Simply put: More data is available and is more easily accessed, copied and transmitted over computer networks than was ever possible before.

What then does this mean for efforts to protect the confidentiality of such data?

The Data Protection Law in the European Union (EU Directive 95 / 46 / EC)

• A good place to turn for comparison purposes

• However, the EU Data Protection Rules only apply as to “personal data”.
  – Personal data is data on individuals that can serve to identify a particular individual.

• Should not the same principles apply to business data, especially in the context of outsourcing?

Section VIII, Confidentiality and Security of Processing (Articles 16 and 17)

The Directive obligated Member States to transpose the following requirements into their respective national laws:

Article 16, Confidentiality of processing

Any person acting under the authority of the controller or of the processor, including the processor himself, who has access to personal data must not process them except on instructions from the controller, unless he is required to do so by law.

Article 17, Security of processing

1. Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

2. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.

3. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
– The processor shall act only on instructions from the controller,
– The obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.

4. For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form.

Note:

• The controller not only must fulfill the requirements itself (Article 17(1)); but also

• The controller must require from any third party processor that it provides sufficient guarantees in respect of the required technical security and organizational measures and ensure compliance of the processor with those measures. (Article 17(2)); and finally

• The agreement between the controller and processor must be governed by contract and the provisions relating to these measures must be in writing (Article 17(3) and (4)).

Data Protection Law in the European Union (Organizational Measures)

What are these “appropriate organizational and technical measures that must be implemented” pursuant to Article 17(1)? Specifically, under the transposed data protection rules in Germany (from the Annex), the organizational measures are to be designed:

1. To prevent unauthorized persons from gaining access to data processing systems with which the confidential information is processed (entry control);

2. To prevent data processing systems from being used by unauthorized persons (user control);

3. To ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access and that the confidential information cannot be read, copied, modified or deleted by unauthorized persons (access control);

4. To ensure that the confidential information cannot be read, copied, modified or deleted when they are transferred electronically or transported, and that the confidential information can only be reviewed and verified, at which point or stage of the process a transfer of the confidential information by data transmission facilities is foreseen (communication control);

5. To ensure that it is possible to check and establish, after an input, which confidential information has been input, modified or deleted in data processing systems by whom and at what time (input control);

6. To ensure that, in the case of commissioned processing of the confidential information, the confidential information is processed strictly in accordance with the instructions of the principal (outsourcing control);

7. To prevent unauthorized input into the memory and the unauthorized examination, modification or erasure of stored confidential information (memory control);

8. To ensure that the confidential information that is collected for different purposes is processed separately (which I would describe as “integrity control”).

Data Protection Law in the European Union (Technical Security Measures)

German legislation does not address specific technical security measures.

The legal literature suggests a company will need to ensure of itself and of its third party vendors that information systems are not installed/used in a manner:

• Which could provide the opportunity to create unauthorized links to other systems,

• Thereby allowing the ability to bypass authentication mechanisms,

• Circumvent data access control procedures, or

• Otherwise jeopardize the security of the company’s computer systems.

There must be notification procedures:

• Actual or suspected instances of information asset theft or abuse, as well as

• Potential threats (e.g. hackers, viruses, fire etc.) or

• Obvious control weakness affecting security, are to be reported immediately to IT security personnel at the company.

Further policies, procedures/guidelines to enhance technical security would:

1. Protect all information technology resources (e.g. computers, communications, software etc.) from theft, tampering, misuse, malicious software (e.g. viruses, hackers etc.), destruction and loss.

2. Ensure that all individuals who come in contact with the confidential information have completed the appropriate written confidentiality, nondisclosure and policy compliance documents.

3. Ensure individual and organizational accountability for the use and protection of information systems, through the assignment of unique identification codes and authentication procedures (e.g. respectively user id’s and system passwords).

4. Prohibit the sharing and other unauthorized disclosures of passwords and other confidential system access controls through areas such as dial up or system passwords.

5. Ensure supplemental user authentication processes and access controls for individuals entering the systems through dialup, Internet or other communications.

6. Provide prompt notification to system/security administrators of changes in status (e.g. transfers, terminations) of employees, contractors, clients, or other users that could/will affect their access privileges.

7. Control access to confidential information based on criteria defined by the company. The level of default protection for all proprietary information, including software, must allow no access unless specifically authorized.

8. Apply additional controls to ensure the proper protection and use of security software features (e.g. security administration commands) to prevent unauthorized bypassing of implemented security procedures.

9. Produce, review, follow-up and retain audit trails of all security relevant logs, data access and administration events for ALL systems that process the confidential information.

10. Regularly perform self-assessments and audits to detect security vulnerabilities and non-compliance to the company’s security policy(s) and policy derivatives.

11. Define and apply appropriate procedures for the use of cryptography (encryption/decryption) where it is deemed information may be sensitive or business critical (e.g. Laptops, Dial-in). This must include systems that store such information with limited physical protection (e.g. desktops).

12. Ensure that all information technology is procured and/or designed with security control features that include:

i. User identification
ii. Authentication
iii. Data and software access authorization
iv. System integrity protection and ability to audit use.

13. Apply appropriate authorization, copy protection and non-disclosure controls for all confidential information, released to third party entities.

14. Maintain, test and update business continuation plans and procedures (e.g. backup, disaster recovery), to ensure continued availability of systems resources, particularly business critical systems.

15. Define and apply all information retention procedures that are necessary to satisfy all internal and external requirements, including notification requirements for security breaches and loss of personal data under local law.

16. Properly erase, shred or otherwise dispose of information that is no longer needed.

Best Practices, Confidentiality and Data Protection

Conclusion

EU data protection rules only apply in the EU, and only as to personal data.

Will not global companies start to demand the same or similar confidentiality standards for their business data?

IT departments and software vendors will need to provide the software and system solutions necessary to meet these legal and business obligations for enhanced protection of personal and sensitive business data.

As representatives of the software industry, you will find abundant opportunities in assisting your customers to meet these challenges of the global workplace.

Philip B. [email protected]
+49 69 631 561 20

Frankfurt Office
Faegre & Benson LLP
Main Tower
Neue Mainzer Strasse 52-58
Frankfurt am Main, 60311
Phone: 49-69-631-561-0
Fax: 49-69-631-561-11

Thank you for your time and attention.

Best Practices

John Enstone

Faegre & Benson LLP

London

The Opportunities and Challenges for Outsourcing in the UK

By 2009 the combined outsourcing market for the UK, France and Germany will be worth more than 40 billion dollars (UK National Outsourcing Association)

• Impact of mature outsourcing experience among UK users on consultants and suppliers

• Opportunities for new EU members in Central Europe

• Impact of new EU members on the outsourcing market

• Potential legal issues