Thinking About SaaS Risks – Part 2: The Dangers of Non-Compliance
In an increasingly regulated world, a well-designed and tightly integrated CRM is central to an organization’s compliance efforts. In the United States, regulated industries with strict mandates, such as financial services, healthcare, and insurance, often find that “out of the box” cloud-based CRM systems do not meet their regulatory requirements.
For example, financial services firms have very little tolerance for downtime, whether unplanned or scheduled by the provider. Healthcare organizations must meet strict HIPAA requirements for handling patient data.
Outside the United States, many countries impose significantly stricter rules on the gathering and storage of customer data, and since the Edward Snowden revelations cloud-based SaaS CRM applications have raised additional compliance questions: some countries now prohibit hosting data on U.S. servers, or require that data be stored within national boundaries. For multinational corporations and companies in highly regulated industries, the most practical solution is often to deploy servers on-premise, which keeps security, control, and regulatory compliance in the organization’s own hands.
Failing to comply with these mandates can be costly, or even disastrous: in some regions and industries non-compliance is breaking the law, and the financial penalties can be crippling. The stakes are high. In 2014, U.S. and European banks paid nearly $65 million in fines for an array of violations.
Many SaaS and cloud providers sidestep the question of data location and ownership with key-based encryption: the customer’s data is actually stored in a data center in another country, but cannot be decrypted without an encryption key held locally by the customer. Encrypting data at rest with a customer-held key is a worthwhile security measure, since it limits what the provider, or anyone with access to the provider’s storage, can read. It does not, by itself, achieve compliance: data-residency rules are typically framed around where the data physically resides, not whether it is readable, so if the data is not stored in the region or country where the customers reside, compliance and control issues can still arise.
So, if your business is in a closely regulated industry, you need to know whether the CRM system you are considering supports these legal requirements. If your business operates globally, or in countries with strict data laws, it is equally important to ask the right questions before choosing a CRM provider. What are those questions? We have compiled a list. Be sure to get answers to these questions, in writing:
- Can you decide where data is stored?
- How can you be sure your data is being stored in your region? In your country?
- Does the vendor offer on-premise deployment or are they cloud only?
- How often can you export your data?
- Can data be exported in multiple formats?
- Can ALL of the system data be retrieved at any time? Or can you export only the database?
- What about unstructured data such as activity streams, call records and other system metadata?
- Is the data always “yours” and not owned by the vendor?
- How does the vendor guarantee access to your data in the event of business discontinuity?
If a potential vendor cannot answer these questions, and, more important, put the answers in writing as part of the contract or SLA, you may want to rethink your choice.
At SugarCRM we have customers in more than 120 countries, and we recognize that companies around the world are subject to many different laws and regulations; the legal requirements of one country or industry may conflict with those that apply elsewhere. For that reason we offer a multi-tenant cloud service, a private instance in the cloud, and on-premise deployment on the customer’s own servers. This gives customers a level of control they cannot achieve in a proprietary SaaS-only model where their data is locked in one vendor’s data silo, and a flexible deployment approach makes it easier for them to comply with international data security and privacy laws.