First up I’m not a lawyer, I’m one of those odd people who have an information technology law degree, but aren’t lawyers.
Salesforce.com have just announced a sand box solution. http://www.salesforce.com/products/sandbox.jsp (saw this on the big endian blog, which I linked to from Jeffs blog.) This seems to be a copy of a live system into a test or sandbox environment.
To quote from the site “In response to customer requests, we’ve created a simple, one-click process for cloning your entire Salesforce deployment — an exact replica that includes all customizations and data.” (judging that it is also offered on the UK site and the German site, SF plan to offer this in Europe too)
At least over here the terms sandbox and live data probably shouldn’t go in the same sentence. The data captured in CRM systems is typically personal information. (according to the UK Data Protection act of 1998 personal data “means data which relate to a living individual who can be identified”)
Under UK Law I reckon this sandbox of “exact data” would be illegal under the Data Protection act of 1998. (similar laws exist across europe,as they derive from the same EU directive) Data protection is sometimes referred to as Privacy, especially in the US. http://www.itweek.co.uk/itweek/news/2084624/managers-test-law
To quote:Iain Bourne of the government’s Information Commission said: “Firms should use dummy records for testing. If live records are in use, that is something we’d be interested in.”
The law provides powers to fine the data controller and to shut the system down if necessary.
Understanding the mass of law that impacts software globally is not easy. What may be perfectly sound business practice in country A is illegal in country B. That is why things like global HR systems and global CRM are complex. The German user group have a 120 page guide to the legal issues around this just for CRM. Data Protection law is a big, messy complex area. Too many software firms, consultancies and customers don’t take it seriously enough.