Compliance Solutions

Step-by-Step Data Transfer Control Workflow

Preventing the illegal transfer of technology isn't a single event—it's an integrated part of the ongoing human workflow of your company, consisting of numerous individual actions and cooperative behavior between employees and departments at every management level. That's why illegal technology transfer control requires a comprehensive, company-wide solution that can manage compliance effectively at every step of the process.

Technical data and documentation referring to controlled goods itself qualifies, under United States export laws, as controlled technology. It therefore requires strict monitoring and regulation to prevent its illegal dissemination to denied parties and unauthorized foreign nationals. This can include hardcopy documents, emails, phone calls, and even face-to-face conversations. Assuring that your company remains compliant without slowing your export workflow to a crawl requires a multifarious solution.

Step 1: First, long before any transfers occur, everyone who is intended to be a party to the transactions must be screened against all applicable Denied Party Lists—as provided by the U.S. government, the United Nations, and other international organizations. Denied Party Screening must include any of your employees with access to the data, your vendors and customers to whom data will or may be sent, and any foreign nationals who may be in a position to receive the data. This is so that, once you are ready to apply officially for the mandatory agreement, all parties listed therein will have already been vetted as not presenting a risk to security.

Step 2: At this point, you must obtain the agreement itself from the U.S. Department of State, or possibly the Department of Commerce. The specifics of the agreement application will depend on the jurisdiction under which the technology and/or information you intend to export falls, but must include all information relevant to the technology transfer. This includes the names of all your employees who will be parties to the agreement, the names of all vendors and customers (plus foreign countries and foreign nationals) who may be in receipt of your technical data, details of the specific technology involved in the transfer (including any individual parts or components that may themselves be considered "controlled"), and so on.

Step 3: When you receive an agreement, it will include terms delineating its scope in terms of dollar amounts, transaction limits, expiry dates, etc. It will also likely include intricate specifics with regard to who may receive what in order to remain in compliance; for instance, persons located in a certain country may be permitted to receive information on how to operate a certain piece of equipment, but not information on its technical specifications, while for a person in other countries there might be no such restrictions. Your company must have an effective tracking system to record these details, so that all relevant persons have access to the information they need to avoid violations and adhere scrupulously to the requirements of the agreement.

Step 4: Beyond this, the system must also provide a standardized means of recording transactions via all the different types of communication by which technology may be transmitted (e.g. telephone, email, direct file transfers, or face-to-face conversations). Authorization profiles must also be created for everyone in your company with any access to technical data on controlled goods, as well as for any vendors, customers, or foreign nationals who currently have access to your technical data, or will have technical data shared with them over any medium. Any user granted an authorization profile must document that they have read and understood the responsibilities and limitations placed upon them with respect to possessing and transferring controlled technology. The system itself must be readily available for the use of all employees at the point at which exports occur—i.e. details of the technology transfers should be recorded and logged in the central system by employees immediately upon the event of the transfer.

Step 5: From a centralized location, your management and/or Compliance Department must engage in an oversight process for transactions on a daily basis—to record and track who is viewing your technical data, what data or documents are being accessed or shared, the date and time of their transmission or viewing, and from where they are being accessed. This ongoing process is necessary to ensure that the transactions occur only within the scope of the agreement, and with only authorized parties.

Step 6: In addition, daily monitoring of exports must also take place to assure that any values specified in the agreement have not been exceeded, and that expiry dates have not elapsed. If the applicable agreement has expired or become exhausted, even a transfer between approved persons that otherwise conforms to the terms of the agreement is considered illegal, and the consequences can be severe if the violation is detected.

Step 7: Your monitoring and recording solution must have the capability to produce documentation for any mandatory government reporting requirements specified as part of your export agreement.

Besides this, all technical data transfer activity must be logged in detail, with extensive documentation, for your own ongoing record-keeping purposes. This is important for summary reporting for management and/or your Compliance Department, as part of the continual process of overseeing employee workload and export activities. It is also vital in the event of a government investigation, so that your company has conclusive proof of your intent to comply with all applicable regulations. Without documentation proving that your transfers were conducted legally, your company may have no way to prove compliance if suspicions of illegal activity arise.

Tech Data Transfer Supervisor is the tool that does all this and more, allowing you to maintain control and supervision over your important technical data to assure your company remains compliant, and operating within the boundaries of your agreements in order to prevent illegal export activity when transferring your technical data. At the same time, it saves you money by automating your export control workflow, dramatically reducing the time your employees would otherwise spend manually assuring all their documents, information, and recipients are authorized and legal.

Why Comply?

Organizations must comply

Technology Transfer Control Laws

The U.S. government's definition of "technology" refers not only to physical goods, but to any specific information necessary for the development, production, or use of a product. Therefore any of your company's technical data that is "leaked" to unauthorized foreign nationals constitutes an export of technology to that foreign country, so that from an export control standpoint, the security of your technical data is vital for maintaining compliance with export control regulations.

Even when technology transfers are being conducted in a perfectly legal manner, it is important for company compliance officers to have the ability to view, monitor, and track that the transfers are occurring according to all government guidelines, and according to the details of the relevant agreements. This is because, for many corporations, there will be numerous individuals named in agreements who are authorized to access technical data; they will likely be doing so from a variety of different subsidiary companies in diverse locations throughout the world. Without effective oversight of tech data transfers, there is no way to know that your company is not inadvertently transmitting data to unauthorized parties who may use your technology to harm the United States and its allies.

Penalties are severe

Penalties for Illegal Technology Transfer

Proper supervision of tech data transfers is a responsibility your company cannot afford to ignore—if your technical data is being transmitted illegally, you are accountable. The illegal transfer of technical data poses a grave threat to the lives of the soldiers who put themselves in danger every day to protect you, which is why companies found to be violating export regulations with unauthorized tech data transfers face all the same penalties as they would for physically delivering controlled goods to any denied, restricted, or debarred party.

The consequences for non-compliance can include millions of dollars in monetary fines, temporary or permanent revocations of export licenses or cancellation of agreements, and for violations deemed to have been willful, even criminal prosecution including imprisonment. On top of the inevitable and irreparable damage to your company's reputation if violations are detected, you may be inadvertently aiding enemies of the United States and its allies.

Employees and organizations have been convicted

Technology Transfer Control Risks

Technology Transfer Control is just as important as, if not even more important than, preventing physical shipment of controlled goods into the hands of terrorists or other barred foreign persons and organizations. It is bad enough allowing controlled goods to be delivered to entities seeking to do harm to the United States and its allies, but providing the information necessary for them to manufacture their own weaponry, aerospace articles, or dual-use goods, guided by American designs, would be even worse.

The government's agreements permitting tech data transfers beyond the United States contain many details and restrictions, but they also make it possible for numerous individuals and divisions across multiple locations throughout the world to work together efficiently and legally. That's why maintaining control over your company's technical data transfers is such a vital piece of your export compliance program. You must keep track of all data being transferred, by whom, to whom, where and why, in order to remain within the boundaries of the agreements and detect and halt any unauthorized transfers.