Although discussions about indirect usage of software have been around for decades, the recent lawsuit between SAP and Diageo really put this topic on the map again. Under pressure from subsequent negative reactions, SAP has recently presented a new licensing policy. What does this policy mean for SAP users? And how can you prevent issues with indirect usage in the future?
Problems with indirect usage arise if end users of a "third-party" system have access to information from a system such as SAP, without licenses. With most software vendors - not only SAP, but also Oracle for instance - it is unclear what is or isn’t allowed when it comes to indirect use. Especially on enterprise level, this results in major financial risks, as it turned out recently. After the British beverage supplier Diageo integrated its Salesforce software with its SAP systems, SAP successfully litigated Diageo. Earlier this year, the British multinational was enforced to pay 60 million euros of overdue licenses and support costs.
These types of lawsuits usually do not get public, as they generally result in new commercial agreements. Nevertheless, there was another news story recently on this subject: SAP claims more than 500 million euros from InBev, again because of a compliance issue related to indirect use. Both cases, of course, led to panic among other customers, but also to a great deal of negative reactions. This seems to be effective, because not long after, SAP announced to adapt its pricing model to modern times. Their promise: more transparency and predictability. The big question: do they succeed?
So far, it seems that SAP is solving the problem only partially. That is because no prices are mentioned for indirect usage yet, and more so because even though the policy texts are somewhat clearer, some parts still remain pretty vague. For example SAP states to include an "Indirect Static Read" in its associated software licenses. The explanation is that your data remains yours, and that you don’t have to pay extra if it is a matter of ‘read-only’ and not ‘processing or computing’ in the SAP system. But what does this mean exactly? If I get information from a SAP system, print and share it with my colleagues, are my colleagues then considered readers or users? And what about if you access an SAP system from Salesforce? Do you only have to pay if you put back the data afterwards?
Make contractual agreements upfront
It is positive that SAP takes a step forward and aspires more transparency and clarity, but for now there is still quite some ambiguity about it. Therefore, I would urge SAP users not to wait for SAP and its new policy, but to take control themselves. There is only one way to prevent major back payments like Diageo’s with full certainty: cover everything with SAP legally in advance. Compliance issues regarding indirect usage are best avoided by making clear contractual agreements upfront with the software vendor. If you do this, you will always know exactly what you are entitled to do and there will be no negative (financial) surprises later on.
However, making solid contractual agreements is often easier said than done. What exactly should you agree upon? You should know the added value of SAP to your organisation and be able to look ahead a few years. And most importantly you need to know exactly what happens to your data. A discussion on indirect use is in fact always a conversation about data streams, data ownership and the right to edit data. Making the right decisions about indirect usage can therefore not be done without the organisation's data strategy.
Over the last few years, data has become increasingly fluid within companies. Almost every organisation uses various services from different vendors and data is going from one system to another. The unstoppable rise of cloud and related SaaS models has greatly contributed to this. This brings all kinds of strategic issues to organisations. Do I know where my data is? What do I do with my data? From whom is my data exactly? As more companies are heading towards a data-driven business model, these are vital questions from a privacy and data security perspective. Reasons enough: the lurking hackers, a new, stricter European privacy law and the penalties for a data breach (apart from the reputational damage) speak for themselves. As a result, many companies are serious about their data strategy.
Back to indirect usage: the advantages of a solid data strategy go beyond preventing a data breach and being compliant with the law. It also helps to avoid compliance issues with software vendors. The indirect use case is a perfect example of this. If you have a clear idea of what you want to do with your data, it is easier to know what contractual agreements to make with SAP to prevent potential problems in the future. For example, you can already estimate that within three years, your employees will retrieve data from your SAP database from multiple SaaS platforms. With this knowledge you can include a clause on this in the new contract.
The result is that you are no longer dependent on SAP’s vague terms: you can rely on concrete agreements. Obviously you will still need to discuss these conditions internally with all the technical stakeholders, to make sure everybody knows what to do. With this approach you may pay more short-term, but at least you know for sure it won’t become much more expensive in the long run. So do not wait until SAP is rolling out its new pricing model (or shows up on your doorstep with a claim) – anticipate! You bet Diageo will embrace this approach from now on.
Mark van Wolferen, founder, managing director, B-lay
Image Credit: 360b / Shutterstock