What are Technical Data Export Controls?
Export-controlled technical data is any information or related data that cannot be released or transferred to foreign countries or representatives of a foreign nation without first obtaining approval or a license. “Technical Data” refers to technical information beyond general and basic marketing materials about a controlled commodity. It does not refer to the actual product or the controls that accompany it. Some examples include technical documentation for software, or blueprints, photograms, or diagrams that include technical specifications.
To transfer any of these materials internationally, you must comply with Export Control Regulations. Export Control Regulations have existed since the 1940s and differ depending on the type of export an enterprise deals with. Some of the predominant regulations include the Export Administration Regulations (EAR) implemented by the Department of Commerce, the International Traffic in Arms Regulations (ITAR) implemented by the State Department, and the Office of Foreign Assets Control (OFAC) implemented by the Treasury Department.
These regulations exist to protect national security interests: the unregulated transfer of technology could aid international threats and enemies of the state. They do not apply solely to the purchasing and selling of products and the associated technical data; they also cover collaboration with foreign partners and even non-U.S. citizens within the United States.
How Export Control Regulations Impact Enterprises
A proper grasp of Export Control Regulations, and the controls associated with them, is the gateway for enterprises and organizations to operate on an international scale. These regulations affect not only an organization’s business transactions but also other activities, such as research and collaboration. The more a company grows and expands, the more it will have to adhere to these regulations, and the more likely it is to incur penalties accidentally without proper procedure.
Each violation of export control regulations can lead to fines of up to $1,000,000,000 and jail time of up to 20 years. Besides monetary penalties and imprisonment, these violations can also lead to debarment from all government contracts as well as the loss of a company’s export privileges, essentially barring the company from doing business internationally.
Common Business Practices you Should Know for Technical Data Export Compliance
Classifying your Data
If you are trying to figure out whether your technical data is controlled under the U.S. Export Administration Regulations, the first thing you should do is check whether it has been assigned an Export Control Classification Number (ECCN). These numbers are also associated with the reason why the export is controlled and will let you know what license, if any, your organization needs to apply for.
Another common practice is including an export control section in your annual company training. Ensure that employees know that emailing or transferring technical data, even internally, can be considered a regulation violation if the proper procedures haven’t been followed. It is also a good idea to clarify what actions and data are controlled by export regulations.
Organize your Data
A detailed data organization scheme should also be implemented. All technical data should be labeled to show whether or not it is deemed for export, as well as whether or not it is controlled/restricted by ITAR or EAR. This should also apply to any external storage that technical data is stored on, such as hard drives and USB devices. Depending on how large your organization is, it might be beneficial for your technical data labels to include which partner the data is associated with as well as its corresponding ECCN.
Digital Access Control
One of the best ways to avoid accidental violations is to implement an automated Attribute-Based Access Control (ABAC) solution. This access control method grants access and privileges to data and files based on a number of attributes, which could include location, nationality, and citizenship. This means that even if a foreign citizen gained access to your cloud system, whether through an accidental email or a link, they would not be able to access these files, avoiding an accidental violation.
How to Achieve Technical Data Export Compliance
Following regulations when exporting your technical data is only half of achieving compliance; the other half is proving compliance. This is best done by creating and keeping track of a comprehensive audit trail. This means keeping tabs on your data, including who has access to it, who has accessed it, and who it has been sent to. However, this can be difficult to do manually, which is why many people turn to automated compliance solutions.
A quality automated compliance solution will streamline your export regulation process by applying policies across the servers, applications, and workstations where technical data is managed and stored. These policies assist in controlling who can access, share and edit data in order to prevent compliance violations caused by human error.
When looking for automated compliance solutions, keep in mind a few key aspects:
- Control access to technical data based on user citizenship, certification training, computer system, and physical location.
- Track and apply policy-based controls on technical data to control duplication, storage, copy/paste, printing, removable media, e-mail,
- Automatically match technical data export to Export Licenses or Technical Assistance Agreements (TAA).
- Create information barriers around projects, applications, and systems to prevent leakage of export-controlled technical data into uncertified systems or applications.
- Detect user activity that constitutes Deemed Export and automate the process of export license determination and/or manager approval.
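The attribute-based access decision described under Digital Access Control and the audit trail described above can be sketched together. This is an added example, not code from any product named on this page. The attribute names, the HOME value, the label values and the rule that license-covered countries are allowed are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class User:
    user_id: str
    citizenship: str        # country code
    location: str           # country the request comes from
    export_trained: bool    # completed export-control training
    device_certified: bool  # request comes from a certified system

@dataclass(frozen=True)
class Document:
    doc_id: str
    regime: str             # data label: "ITAR", "EAR", "NONE"; "" = unlabeled
    eccn: str = ""          # classification number carried on the label, if any
    licensed: frozenset = frozenset()  # countries covered by a license/TAA

HOME = "US"        # assumption: the exporting organization is US-based
AUDIT_TRAIL = []   # in production this would be append-only storage

def evaluate(user, doc):
    """Return (allowed, reasons); deny by default and list every failed check."""
    if doc.regime == "NONE":
        return True, []
    if doc.regime not in ("ITAR", "EAR"):
        return False, ["data is unlabeled; treated as controlled"]
    covered = {HOME} | doc.licensed
    reasons = []
    if user.citizenship not in covered:
        reasons.append("citizenship not covered by a license")
    if user.location not in covered:
        reasons.append("location not covered by a license")
    if not user.export_trained:
        reasons.append("export training missing")
    if not user.device_certified:
        reasons.append("uncertified system")
    return not reasons, reasons

def request_access(user, doc, action):
    """Decide, then record the decision whether it was allowed or denied."""
    allowed, reasons = evaluate(user, doc)
    AUDIT_TRAIL.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user.user_id, "citizenship": user.citizenship,
        "location": user.location, "doc": doc.doc_id, "regime": doc.regime,
        "eccn": doc.eccn, "action": action, "allowed": allowed,
        "reasons": reasons,
    })
    return allowed
```

Denied requests are recorded with their reasons, so the trail shows both who accessed data and which attempts were blocked, including a foreign national requesting controlled data from inside the United States.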