As of today, you will have noticed some changes on our website. Not just the logo, the design and the layout, but also how we describe ourselves and what we offer.

This is because today is the start of the next stage of our evolution, and our next phase of innovation.

In 2012, we launched the world’s first public cloud platform with data privacy at its heart and were the first to offer data residency guarantees. Since, we have extended our cloud coverage across multiple jurisdictions around the world, created a dedicated data privacy professional services team and built a global customer base of cloud infrastructure customers.

But as of today, Calligo offers even more. Data privacy is growing in importance for businesses worldwide, largely caused by regulations such as GDPR and the upcoming ePrivacy Directive. These regulations and others have emphasized what we have always believed ever since we began: that data privacy should be the starting point to every data interaction. As such, every stage of the wider data journey – not just where and how a business’ data is stored – is being scrutinized more heavily both internally and externally for its impact on privacy adherence.

In another world first, we have therefore evolved our capabilities to support our customers more thoroughly. Our unique collection of innovative cloud-based services now covers the entire data journey, from capture and storage to analysis, monetization and archival – with data privacy embedded at every step.

These services include public & hybrid cloud, data analytics,  and archival & erasure services, all supported by ‘privacy-first’ data management consultancy and specific assistance with national, international and industry-specific data protection obligations.

In short, we are now Data Optimization and Privacy Specialists.

What does “Data Optimization” mean?

Until now, the term has been synonymous with realizing the full value of your data. This typically involved the organization and profitable use of your data, using analytics to identify trends and correlations in order to make sound business decisions and discover new opportunities.

This remains the case, but we believe now with a vital extension.

Data privacy has grown in importance so markedly in the last 24 months that we anticipate the industry understanding of the term ‘optimization’ to very soon also incorporate privacy assurance.

For your data to be considered optimized, it will not only have to be secure, accessible, useful and revenue-generating – for which modern cloud infrastructure, data analytics and AI are essential – it will also have to adhere with relevant privacy laws. This is the direction that we and industry analysts see the business world rapidly moving in, and we are the first to offer a complete portfolio of services to match.

Today, we announced that we have partnered with Corent Technology, a leader in migration, optimization and ‘SaaSification’ technology.

The GDPR Interview Series continues to be incredibly well-received, with interest from around the globe and across business departments.

One department that has responded in particularly high numbers has of course been IT. We were fortunate enough to speak to James Nunns, the former editor of Computer Business Review, about what he has seen from his numerous interviews of CIOs, IT directors and vendors over the last few months.

We have interviewed representatives of the privacy industry, legal experts, technology specialists, the media and even regulators, and paired them up into a four-part series of eight interviews.

The first instalment was released this week, featuring Emma Martins, Data Protection Commissioner for Guernsey, and Omer Tene, the Chief Knowledge Officer at the International Association of Privacy Professionals.

Despite the perception that they may come at GDPR from wholly different stances, there was in fact a reassuring amount of consistency between the two. Both Emma and Omer agreed that those who have already made the effort to conform with existing data protection regulations will be in a strong position for GDPR observance. After all, both those regulatory frameworks and the GDPR are based on the same fundamental principles.

However, when it came to how companies are approaching the 25th May deadline, the two sides’ different perspectives showed. The regulator hopes that most companies want to do right by the people on whom they hold data – echoing the intention of the legislation. On the other hand, the view of the privacy professional is that many businesses prefer to wait to see how enforcement manifests before committing to any change.

Such a strategy is, of course, perilous. Many organisations, including the EU itself, are educating citizens in their data rights, increasing the likelihood of them identifying inappropriate usage of their personal information and reacting. This reaction may, in the worst case, be informing the regulator. More likely though is that they will vote with their feet. Lack of respect for personal data is becoming as damning to a customer experience as poor support or service fulfilment – perhaps more so.

As Emma said herself, this is where the Data Protection Officer (DPO) comes in. Businesses require a collaborative and constructive presence observing how data is used, manipulated, stored and purged, and representing the interests of the data subject in order to avoid unwelcome backlash.

Unfortunately, many companies are slow to appoint a DPO as they see the protection of data subjects’ personal information as obstructive to their companies’ activity. However, a well-appointed DPO can in fact be entirely additive to the business. We have repeatedly seen DPOs’ impacts reach far beyond the basic protection of personal data. Typically, their ongoing review of how data is used leads to marked improvements in process efficiency, accuracy, productivity, resilience and even brand strength. And this is by no means an exhaustive list.

The greatest DPO-driven benefits to a business typically come when the DPO is external. As with any outsourced scenario, the pool of expertise that can be brought to bear by a service provider is far greater than any single, time-constrained internal appointment. An external DPO also enjoys easier independence within the company than any employee, and usually wider and deeper access to the business’ executives – a crucial necessity that Emma Martins points out in her interview.

This is why Calligo has designed its Data Protection Officer as a Service offering.

Ok, obviously your GDPR project is in full swing, you know the impact on your organisation, you’ve made the plans to keep compliant, the education of the workforce is in full effect and now you are down to the last few tasks before this can all be put to bed and job done and on to the next big thing. Does that sound like your world?

No? Ok, a little secret here is you are not the only one in that situation. Tuth is that most have done nothing, some are beginning to start and the few have been mobilising for a while and are working through their GDPR project.

One area that keeps cropping up in conversations with customers around GDPR is the whole Data Protection Officer (DPO) thing. Most organisations we speak to don’t currently have one and are trying to work out where the position best sits within the existing structures, but the reality is that most are struggling to find the head that fits the hat.

Let’s be clear, the DPO is a serious position, this role will be critical to enabling companies of having a fighting chance of getting to grips with the new regulation and importantly providing the oversight for the continued monitoring of compliance to it, so let’s just take a quick look at some of the requirements and attributes of the Data Protection Officer, Articles 37,38 and 39 covers off the main elements around DPO.

…”this role will be critical to enabling companies of having a fighting chance of getting to grips with the new regulation”

When MUST you appoint a DPO?

Article 37 states that under the GDPR, you must appoint a data protection officer (DPO) if you:

are a public authority (except for courts acting in their judicial capacity);
carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

It should also be noted that member states can also decide additional laws for the mandatory appointment for DPOs.

So, if you don’t fit into the above then you don’t need to mandatory appoint a DPO, but it is probably a wise thing not to cross it off your list, not having a DPO doesn’t mean you have absolved yourself of the responsibilities of the position. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR.

Some of the more flexible considerations are;

You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size.
Take the DPO on the basis of a service contract

Whichever method you choose to fulfil the requirements of a DPO you must publish the contact details of the DPO and communicate them to the supervisory authority. A key consideration for how you decide to approach this is in the requirement in Article 37 Clause 5 – “The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.”

Article 38 concentrates on the Position of the Data Protection Officer and this states;

Controllers and Processors shall;

Ensure the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
Shall support the DPO in performing the tasks (article 39 has these) by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain their expert knowledge
Ensure the DPO does not receive any instructions regarding the exercise of those tasks. The DPO will not be dismissed or penalised by the controller or processor for performing their tasks
Report directly to the highest management level
Be contactable by Data Subjects with regard to all issues related to the processing of personal data and to the exercise of their rights (that’s the data subject) under the Regulation
Be bound by secrecy or confidentiality concerning the performance of their tasks, in accordance with Member State Law.
Be able to perform other tasks, but there must be no tasks or duties that result in a conflict of interests.

Ok, so it is pretty clear that the DPO position requires a particular set of skills that are not always that accessible within an organisation, equally the position needs access to the highest management and actually have the rights of the data subjects at the forefront of their thoughts when dispensing their duties. Organisations are going to have to perform in a very mature manner to ensure that the role has the independence required to operate without interference and ensure adherence to the regulation. The key point of a lack of conflict of interests precludes many existing positions (such as those responsible for security) from being appointed to the role in addition to their other duties.

Whilst discussing duties, here are the task of the DPO as defined by Article 39 of the regulation;

The data protection officer shall have at least the following tasks:

to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
to cooperate with the supervisory authority;
to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

Ok, so time to draw breath, in an attempt to elevate the discussion here is the headline news version of all the above;

DPO isn’t mandatory for all, but against the backdrop of the above is it something that can just be attended to on an as and when basis?
The skills required to dispense the role are not typically found in one person, there is the need for legal/regulation/compliance knowledge but equally once the privacy elements are covered off you still have significant requirements to oversee areas that will involve technology.
The independence of the role makes it a difficult one to resource internally without falling foul of the “conflict of interests”, DPO’s appointed from within might want to expect fewer invites to Christmas parties…

Maybe when you step back it isn’t that surprising that many organisations have struggled to identify where this naturally sits because in most companies it doesn’t have a natural resting place because it presents such a fundamentally different approach, essentially it is an internal guardian of data subjects rights, as opposed to protecting the organisation it works for in the first instance. In time organisations will evolve with this, but it is a massive jump for many at this stage.

It is our belief that many will look to resource this externally, with a DPO as a Service (DPOaaS), as it avoids many of the struggles of resourcing internally, that is why we have created a dedicated service team focussed solely on DPOaaS. We have combined the Regulatory expertise with Compliance responsibility and integrated technology thought leadership to create a uniquely focussed service designed to interface with our clients to provide excellence in Data Protection Officer delivery.

Calligo, a leading global cloud solution provider, is excited to announce that it has purchased Canadian cloud services provider 3 Peaks Inc.

The acquisition of the Burlington, Ontario and Vancouver, BC based business and its Pacific Online business, which has clients right across Canada and the USA, is an important step in Calligo’s ongoing growth strategy which includes expansion into North America.

Calligo is excited to announce that it has purchased the IT services division of Fusion Systems, the highly respected Guernsey based business serving a wide range of clients.

“We’re thrilled to have found the right partner in AMS Systems PSF during this exciting period of growth for our business,” said Julian Box, Chief Executive Officer, Calligo. “I’m confident that AMS Systems’ proven track record, complementary technology services and excellent reputation will support.

Calligo’s strategic expansion into Luxembourg. This acquisition gives us a fantastic team, respected clients and unlocks the Luxembourg market. We’re also excited to announce that we will be the first CSP to host Azure Stack in Luxembourg. With the backing of our investor Investcorp Technology Partners, we are actively looking to execute further strategic add-on acquisitions over the coming months as we continue to expand our global footprint.”

Mark Gillies, AMS Systems said: “We are very excited about this agreement with such a respected and dynamic business as Calligo because it brings together two highly entrepreneurial organisations, providing us with a unique opportunity to expand our services while sharing in the success of Calligo’s expanding international cloud network.”

Post-acquisition, AMS Systems PSF will be integrated into Calligo. The rebranded company will continue to operate from its existing location with no change of personnel thereby ensuring continuity of service for its clients. Over the next few months, Calligo will expand the range of services provided including being the first service provider to offer Azure Stack in Luxembourg.

KPMG in Jersey & Luxembourg and AMMC Law in Luxembourg acted as advisors on the transaction.

ABOUT AMS SYSTEMS PSF

AMS Systems PSF supplies and manages IT services for small and medium-sized businesses in Luxembourg. Its services cover every aspect of a business’s IT requirements. From supporting the day to day needs of employees to managing the rollout of new business applications, AMS take the stress out of IT, allowing organisations to focus on their core business. AMS Systems PSF is regulated by the CSSF in Luxembourg as a “Professionnel du Secteur Financier” allowing its specialist provision of services to financial organisations that are subject to stringent regulatory standards.

ABOUT CALLIGO

Calligo is an innovative cloud service provider offering mid-sized companies the highest levels of data privacy and security. Calligo offers unparalleled application performance guarantees, commercial flexibility and a personalised support service from its globally located cloud platforms. Through its four pillars of focus, Calligo delivers a platform that businesses can trust to deliver the high level of service and protection they expect and which is lacking in many cloud offerings.

Calligo, the Channel Islands’ leading cloud solution provider, today announces that it has reached an agreement with Investcorp for it to invest $20 million. This is one of the largest inward investments to be made into a Channel Islands’ technology business.

Founded in 2012, with the aim of leveraging jurisdictions that offer a robust data protection framework, Calligo provides a trusted, privacy conscious cloud solution to businesses across the globe. Calligo’s proprietary cloud platform offers the highest levels of data protection along with application performance guarantees, commercial flexibility and a personalised support service. Calligo services hundreds of clients worldwide from its locations in Jersey, Guernsey, Switzerland, Singapore and Bermuda. The investment by Investcorp will accelerate Calligo’s international expansion with new office locations in Guernsey, North America and the UK.

Calligo is well positioned in the fast growing public cloud Infrastructure as a Service (IaaS) market, which grew 51% in 2015 and is expected to more than triple in size by 2020. Mid-size enterprises represent the fastest growing, most underserved business segment with a cloud adoption rate of only 5%. During the first nine months of 2016 Calligo grew its revenues by over 100% year-on-year. Investcorp has established a market leading position of investing in lower midmarket technology companies with a particular focus on Data / Analytics, IT Security and Fintech / Payments and has raised more than $1 billion in dedicated technology funds. Other recent technology transactions include the sale of CSIdentity to Experian, the sale of TDX Group to Equifax Inc; the partial exit of Fishnet through a merger with Accuvant; the ultimate full sale of Skrill Group to Optimal Payments (now renamed Paysafe Group plc); and the flotation of Sophos Group plc on the London Stock Exchange.

Commenting on the investment, Julian Box, Chief Executive Officer, Calligo, “We’re extremely pleased to have found the right partner in Investcorp during this exciting period of growth for the business. I believe Investcorp’s proven track record, global presence and extensive network will support the company’s continued international expansion and product innovation. Our ability to raise funding of this size is a fantastic validation of the business we’ve built and is great for the wider technology industry in Jersey as it’ll bring about increased awareness of the island, create many new jobs and act as inspiration to other local businesses.”

Gilbert Kamieniecky, Managing Director in Investcorp’s Corporate Investment team in Europe, added, “The mid-tier enterprise segment is lagging behind in adopting cloud solutions. In our view Calligo pairs an attractive market opportunity with a highly compelling product and a proven and experienced management team. With our strong track record of working with fast-growing, founder-owned businesses in the technology space, we believe that we will be a valuable partner to the company as it continues to expand internationally, both organically and through targeted add-on acquisitions.”

About Investcorp

Investcorp is a leading global provider and manager of alternative investment products. The Investcorp Group has offices in London, Bahrain, New York, Saudi Arabia, Abu Dhabi and Doha. Investcorp has three business areas: corporate investment, real estate investment and alternative investment solutions (formerly known as hedge funds). As at June 30, 2016, the Investcorp Group had $10.8 billion in total assets under management (‘AUM’), including assets managed by third party managers and assets subject to a non-discretionary advisory mandate where Investcorp receives fees calculated on the basis of AUM. Further information, including our most recent periodic financial statements, which details our assets under management, is available at www.investcorp.com. 

About Calligo

Calligo is an innovative cloud service provider offering mid-sized companies the highest levels of data privacy and security. Calligo offers unparalleled application performance guarantees, commercial flexibility and a personalised support service from its globally located cloud platforms. Through its four pillars of focus, Calligo delivers a platform that businesses can trust to deliver the high level of service and protection they expect and is lacking in many cloud offerings.

Q Advisors, a leading TMT investment banking boutique, acted as financial advisor and placement agent to Calligo