We depend and rely upon SaaS technologies from third parties to operate our business, and interruptions or performance problems with these technologies may adversely affect our business and results of operations.
We rely heavily on hosted SaaS applications from third parties in order to operate critical functions of our business, including billing and order management, financial accounting services, enterprise resource planning, customer relationship management, human resources management and customer support. If these services become unavailable or lose certain functionalities that we depend on, due to extended outages, interruptions, disruptions, errors or defects, acquisitions or integration into other solutions or because they are no longer available on commercially reasonable terms or at all, our expenses could increase, our ability to manage finances could be interrupted and our processes for managing sales of our CXM platform and supporting our customers could be impaired until equivalent services, if available, are identified, obtained and implemented, all of which could adversely affect our business.
We are subject to stringent and changing laws, rules, regulations, self-regulatory schemes, contractual obligations, industry standards and other legal obligations related to data privacy, protection, and security. Any actual or perceived failure by us, our customers, partners or third-party service providers to comply with such obligations could harm our reputation, limit the use and adoption of our CXM platform, subject us to significant fines and liability, or otherwise adversely affect our business.
Our customers can utilize our CXM platform to use, collect, manage, store, transmit and otherwise process personal data of their employees, customers and partners. We also use, collect, manage, store, transmit and otherwise process such information in the course of our operations. We and our customers are subject to state, federal, local and foreign laws, rules, regulations, and self-regulatory schemes, contractual obligations, industry standards and other legal obligations regarding data privacy, protection and security, including the use of data in artificial intelligence and machine learning. The number and scope of such laws, rules and regulations is changing and may be subject to differing applications and interpretations, which may be inconsistent among jurisdictions or in conflict with each other. Laws, rules and regulations relating to data privacy, protection and security are particularly stringent in Europe and Asia. Numerous foreign countries and governmental bodies, including the European Union, or EU, its member states and the United Kingdom, have laws, rules and regulations concerning the use, collection, management, disclosure, storage, transmission and other processing of personal information, which often are more restrictive than those in the United States.
For example, the General Data Protection Regulation, or GDPR, took effect in the EU on May 25, 2018. The GDPR increased covered businesses’ data protection obligations and imposed stringent data protection requirements, including, for example, detailed notices about how such businesses process personal information, the implementation of security measures, mandatory security breach notification requirements, contractual data protection requirements on data processors and limitations on the retention of records of personal data processing activities. Noncompliance with the GDPR carries fines of up to the greater of €20 million or 4% of global annual revenue, and can result in data processing bans and other administrative penalties. The GDPR also allows EU member states to introduce further conditions, including limitations, and make their own laws and regulations further limiting the processing of ‘special categories of personal data,’ including personal data related to health, biometric data used for unique identification purposes and genetic information, which could limit our ability to collect, use and share EU data, and could cause our compliance costs to increase. Many member states have introduced such further limitations and more could in the future, which could ultimately have an adverse impact on our business, and harm our business and financial condition. Our efforts to meet GDPR requirements have required significant time and resources, including a review of our technology and systems against its requirements.
Further, the June 2016 referendum in which voters in the United Kingdom approved an exit from the EU, generally referred to as Brexit, and ongoing developments in the United Kingdom, have created uncertainty with regard to the regulation of data protection in the United Kingdom. As of January 2021 (when the transitional period following Brexit expired), we are required to comply with the GDPR as well as the United Kingdom
30