Everyone loves the cloud. What's not to love? No more server banks in the office; no more decisions on software upgrades (does it really offer enough to justify it?) and annual maintenance contracts; access to centralized data...no matter where you are or when; and no more fretting about how long you and your team will be shut down when you apply the "simple update."
Cloud computing and SaaS have simplified many business IT considerations. And for companies with global sales and virtual/remote teams the opportunity to collaborate across time zones and teams is incredible.
But there are risks lurking at the intersection of SaaS/cloud computing and global sales of which companies should be cognizant.
Data Privacy Regulations
You face a fluid data privacy environment, and one which is confused and convoluted - even lacking an infrastructure and precedent to navigate.
A recent European Court of Justice ruling struck down the "safe harbor" privacy agreement between the US and the EU. In essence, EU laws recognized that US data privacy regulations were more lax, but that companies that controlled transfer of their own information and managed their own internal compliance would be protected from the more onerous EU regulations.
Radius World Wide published a timely article after the ruling and provided some options for companies that still want to transfer data, including data transfer agreements and Binding Corporate Rules.
All that's complicated enough - but then the cloud floats by. That raises a bunch of other questions:
- Where is your data actually stored?
- Where are the cloud servers that host your data?
- Where is it mirrored?
- Do you segregate data storage location by location of contact? (Or do you have a single database of contacts from the EU, APAC, MENA and other regions?)
- What about communications archiving requirements? If your team is obliged to archive mails and text messages, and some of the data is communication with protected parties, what do you do?
And then it's easy to envision a number of scenarios which might quite innocently violate the regulations (if nothing else, simply because they are so poorly defined).
What happens when a contractor of yours from the EU flies to your US office for training and carries their laptop with locally stored information? And then your IT department backs it up and reimages the drive?
Will most middle market companies be investigated, fined or censured for unknowingly running afoul of these regulations? Likely not. But you're in the uncomfortable position of exposure to political risk. As politicians on all sides of the TAFTA/TTIP free trade agreement jockey for position, you could end up suddenly facing a complex and costly compliance requirement that is arbitrarily enforced.
These may seem to be remote or abstruse examples. And maybe none remotely like these will apply to your business. It's worth thinking about at least.
And Then, Due Diligence
Wrapped up among all of these (data privacy, export compliance & trade secrecy) is a question of due diligence. A recent article from Trace Intl. (@Trace_inc) touches on an interesting element of this discussion.
In order to export you must know your buyer. In order to form a partnership, you must know your partner. In order to hire, you must know the employee. "Knowing" in these cases requires research and vetting - and the information which one must develop is very likely protected from transatlantic transmission. So how's one to proceed?
That's a fair question, and one that may have more immediate implications than you assume. Ask one of your folks to send you recently received CVs for an open position, and you could well find that a candidate who is perturbed to have not received an offer, "dimes you out."
The cloud and global mobility introduce another set of exposures. In some cases the objects of your global sales will be export controlled. When that's the case, often even the information about those products is export controlled as well.
And yet when you store export controlled information in a cloud resource library you likely have no way of knowing where the cloud servers (or again their backup mirrors) are physically located. You may, completely unknowingly, violate export controls simply by storing information which your cloud service provider happens to warehouse in a location outside the US.
Similarly when your sales rep carries their laptop with them overseas, with controlled data locally stored in an .ost for instance, they are likely violating export controls. Defense contractors often rigorously manage this exposure and have extensive export controls policies. But some companies with low thresholds for BIS (vs. ITAR) licensing requirements might not be as proactive.
Every company that's engaged in global sales should have clearly established policies regarding trade secrecy. That's just common sense. But it's often overlooked.
Laptops and smartphones are often treasure troves of information when lost, stolen or even scanned. Where and when certain conversations are held has implications for individual safety in certain markets, and for commercial success in others.
The "right answer" will vary by company and individual, based on risks, industry, market etc. But the right answer rarely emerges by chance. Make deliberate and informed decisions and implement and enforce policies accordingly.
Want to boil all this down? It's about risk management - that's a critical discipline for successful global sales. The "unknown unknowns" are what can get you in trouble. Want a heads up about some others? Download our free guide "An Export Dozen: 12 tips that many exporters should know."