First up, I’m not a lawyer; I’m one of those odd people who have an information technology law degree but aren’t lawyers.
Salesforce.com have just announced a sandbox solution: http://www.salesforce.com/products/sandbox.jsp (I saw this on the big endian blog, which I linked to from Jeff’s blog). This seems to be a copy of a live system into a test or sandbox environment.
To quote from the site: “In response to customer requests, we’ve created a simple, one-click process for cloning your entire Salesforce deployment — an exact replica that includes all customizations and data.” (Judging by the fact that it is also offered on the UK site and the German site, SF plan to offer this in Europe too.)
At least over here, the terms sandbox and live data probably shouldn’t go in the same sentence. The data captured in CRM systems is typically personal information. (According to the UK Data Protection Act of 1998, personal data “means data which relate to a living individual who can be identified”.)
Under UK law, I reckon this sandbox of “exact data” would be illegal under the Data Protection Act of 1998. (Similar laws exist across Europe, as they derive from the same EU directive.) Data protection is sometimes referred to as privacy, especially in the US. http://www.itweek.co.uk/itweek/news/2084624/managers-test-law
http://www.legalday.co.uk/lexnex/eversheds/e80051002.htm
To quote: Iain Bourne of the government’s Information Commission said: “Firms should use dummy records for testing. If live records are in use, that is something we’d be interested in.”
The law provides powers to fine the data controller and to shut the system down if necessary.
Understanding the mass of law that impacts software globally is not easy. What may be perfectly sound business practice in country A is illegal in country B. That is why things like global HR systems and global CRM are complex. The German user group have a 120-page guide to the legal issues around this just for CRM. Data protection law is a big, messy, complex area. Too many software firms, consultancies and customers don’t take it seriously enough.
March 22, 2006 at 1:41 am
[...] Thomas just posted a really interesting item about Salesforce.com launching a service to create sandbox/development systems which, according to Thomas, appears to be a copy of a live production system that a SFdC customer would have. Being astute as he is (SAP has some very smart people) Thomas notes that this service may be illegal under UK, and potentially EU, data privacy regulations which prohibit the use of real people data in development systems. The immediate question is whether or not Salesforce.com's new service is legal in the EU, and another more interesting question is whether or not Salesforce considered the legal requirements of the regions they operate in when they conceived this service. At least over here the terms sandbox and live data probably shouldn’t go in the same sentence. The data captured in CRM systems is typically personal information. (according to the UK Data Protection act of 1998 personal data “means data which relate to a living individual who can be identified”) This issue of global regulatory compliance is a huge issue, as eBay, Google, and Yahoo have discovered in recent years. As enterprise software companies increasingly rely on subscription services they are also subject to increased regulation from any of the countries they have customers in. Traditional enterprise software has always been subject to regulatory compliance within the software we developed, but of course we always had the option of not shipping a product to a country where it was not in compliance. With online services this is a much more difficult proposition, even though it is still possible to simply not accept new users from countries where the products are infringing. Irrespective of the above, it is still an essential function within a company shipping products or services across borders that they monitor and take into account in the product planning function the legal requirements they are subject to. [...]