Outsourcing IT services from Poland to the GCC market: security and legal challenges

We meet Marta Dębiak-Bartosewicz, Legal Advisor at Bąk i Dębiak Kancelaria Radców Prawnych, to talk about the readiness of Polish software development companies to provide software development outsourcing services in the GCC (Gulf Cooperation Council) markets. We share our experiences in an attempt to answer an important question: is experience in developing software for Polish and European financial institutions enough to provide the same services in the regulated market of the GCC region?

Outsourcing IT services from Poland to the GCC market: Security and legal challenges. Interview with Marta Dębiak-Bartosewicz

Are there any special legal preparations a software development company needs to make before they can begin to work with the GCC market? Can you tell us about how it has worked out for Altkom Software?

M.D-B.: Today, as we finalise our further framework agreements, I can definitely name one area that requires a special approach and a lot of preparation. Specifically, our partners in the GCC region attach critical importance to cybersecurity, information security and data flow. Their restrictive requirements in this respect are practically non-negotiable; there is hardly any talk of concessions or compromise. And the experience that Altkom Software and my own law firm have gained together over many years working for entities from the regulated sector and applying for ISO 27001 certification in 2022 has really given us an important advantage over companies that haven’t done the same work and don’t have such elements in their portfolio. Thanks to our prior experience, we didn’t have to do anything else or get any new elements to be prepared: we were ready to go and start working.

You’ve mentioned that contracts in GCC countries contain very rigorous clauses about data security. Would you say that they place a greater emphasis on security than we do in Europe?

M.D-B.: Indeed, I think their expectations are higher. The provisions they make in contracts and documents are more restrictive and unequivocal. This also applies to clauses that stipulate that the agreement can be broken if any element of data security is violated or not met.

Were there any provisions that surprised you in contracts you have worked on thus far?

M.D-B.: At first, I was surprised by what was expected of developers working on the premises, i.e., those working in our partner’s offices. Already framework agreements feature a detailed list of norms that need to be met by anyone involved in the project before they can travel to their country on business. It’s not just one requirement; it’s a long list of elaborate guidelines that cover employment law and healthcare standards that Altkom Software employees must meet.

In an era of remote working, we are no longer used to these kinds of requirements, even though, of course, it’s a matter of compromise and openness to a different approach. I must admit that in the Middle East there is a lot of emphasis on personal interaction in business. Clients really do want to meet us and see how we work; they want to discuss project objectives and hammer out the standards of further cooperation, which, over time, will go online. For some companies, this might be a cultural and organisational challenge, but we did manage to meet these expectations.

What were your preparations like in terms of contract templates, negotiations or legal matters that might be new to us in some respect?

M.D-B.: Because of our previous international cooperation, we already have a number of contract templates ready, which we have signed with clients from Germany or Great Britain without any problems. However, when it comes to GCC countries, we have thus far only worked based on contracts drafted by our partners. Of course, there may be many reasons for that; one is familiarity – the other party feels safer working with their own documents. This is particularly evident in contacts with clients from the regulated sector, where negotiations are especially difficult and the entities are quite inflexible when it comes to their provisions. And since their templates have already got the green light from the supervisory authorities, their reluctance to change anything is understandable.

Contracts with GCC countries require us to act in accordance with applicable legislation, which naturally doesn’t mean Polish or European law. We are working on a project they need; they are mostly active in the regulated market and that means they handle confidential data. They obviously need to feel that the data will be properly safeguarded.

It’s worth adding that our experience with all negotiations thus far has been positive: even though our partners can be assertive, the talks take place in a friendly atmosphere. Also, when it comes to provisions that we want to push through, such as the issue of employee security and responsibility for their work, the other party shows a lot of understanding.

Not knowing every aspect of the legislation in every country of the region may cause potential problems. How can you cope with such concerns?

M.D-B.: In order to avoid the risks that come with not knowing certain nuances, we are in constant communication with selected law firms wherever we are particularly active, e.g., in Qatar, United Arab Emirates and Saudi Arabia. This background support gives us a great sense of security. Also, in our entire history of international cooperation, Altkom Software has never had any problems of this kind: no disputes that would need to be settled in court. In this respect, the culture of GCC countries seems even less conflictive. So, for this reason, and especially to ensure effective cooperation, we always give them the benefit of the doubt, assuming that both parties will first of all want to reach an amicable settlement.

Let’s tackle a difficult question: do you think an average European software development company that has never worked with GCC countries before is ready to start now?

M.D-B.: Honestly, it’s difficult to give a definitive answer to your question. But if I had to choose one thing that I believe is an absolute prerequisite for working with Gulf countries, it would be that you really need to put your internal processes in order. Without a clear and secure information and data management system, businesses can’t even start thinking about offering software development services on the GCC market. The standards of cybersecurity, information management and information protection are really restrictive over there. Especially when it comes to clients from a regulated sector.

I know Altkom Software, I know the quality of their work, and I know how much effort we have invested over the past 2-3 years to meet the high requirements of our clients. This is why we no longer need to worry about any such clauses in our contracts; we can say with confidence that Altkom Software meets all the required standards. To prove this, we also have applied for the ISO 27001 certificate, as I’ve mentioned before; this document will reassure a potential business partner that their provider adheres to really high standards. Since this is an international information security management system standard, it has really opened the doors for our cooperation with financial institutions in the Persian Gulf. I would recommend other software development companies not to take these issues too lightly or be too optimistic, because in their agreements, GCC clients often reserve the right to perform an audit. The client may decide to perform a physical audit of data processed under the agreement at any time (in person or through an auditing company).

To recap: if you want to know what an average software development company should do to enter the GCC market, I would say they need to put their processes in order and create a tight and secure information management and data processing system. Of course, everything also depends on what companies they want to work with.

From what I’ve seen, GCC companies active on a regulated market that want to outsource their software development to Poland really put a great emphasis on experience. They will only start negotiations if the software development company in question can demonstrate a large portfolio of clients from the sector, a long list of developers and analysts working on similar projects, as well as managers who understand the client’s business needs.

Despite differences in legislation, did the Polish and European experience with financial sector companies prepare Altkom Software for offering software development services in Saudi Arabia, Qatar and other countries of the region?

M.D-B.: Definitely, even though each GCC country has its own regulations, which need to be strictly followed. In practice, however, these requirements are very similar to what we already know from Poland and Europe; in a sense, we’re in a winning position here, because Poland also has very high standards in place when it comes to IT and tech security.

I need to emphasise that in any market, providing IT outsourcing services for the financial sector always means having to meet requirements far more restrictive than those expected from commercial market players. Companies without any experience in this area would need to do a humongous amount of work to get ready. The question is: would it really make sense if you just want to work with one client? But if you already have a whole portfolio of such companies, most requirements are obvious, no matter the region.

And I don’t just mean checking all the boxes on the to-do list, but about time and the project load, which show in practice that a software development company is ready for work in the sector. At Altkom Software, we have come a long way over the years: we have deployed solution after solution, we have developed continuity plans, GDPR documentation, ISO procedures and tested all that in practice in different projects. This allows us to go further and work on IT projects for financial clients from various regions around the world.

So, if a software development company doesn’t have enough experience…

M.D-B.: They can hire a company that will prepare the necessary documents and create the necessary safeguards for them, but if this is not tested out in practice, the risk is huge. And, on top of that, the software development company in question will not get the clients’ trust just like that.

After all, no serious company wants their strengths to depend on contract clauses alone. As I said before, we want to rely largely on trust. And trust-building starts when you show experience, not when you boast how many documents you have. You need to prove you can be counted on in difficult situations, in managing complex projects and large teams.

Let’s also talk briefly about the risks connected to software development outsourcing between Poland and the GCC region.

M.D-B.: First of all, when we sign an agreement, we commit to making sure our software will comply with local legislation. In theory, this is a very risky promise to make, because who knows the law down to the smallest provision, especially foreign law? But my experience tells me there are certain standards, and even though you need to become familiar with many regulations, you can’t prepare yourself for everything. Again, to an extent, we really need to rely on trust on both sides to know that we are working safely. And of course, we need to be in contact with local law firms, just in case.

Another difficulty and potential risk for a Polish or European software development company comes with the long payment periods. As per standard, we work for a month and wait another month for the invoice to be paid. For smaller businesses, this may cause problems with financial liquidity. You need to have some safety net, especially with large projects, where a client from Saudi Arabia, the Emirates or Qatar may need as many as several dozen developers.

So, to wrap up, maybe you can tell us about something that is a standard in Polish agreements, but doesn’t seem that important in Gulf countries? Even though it could actually benefit them?

M.D-B.: There is one such thing, very typical of the Polish market. We attach a lot of importance to the issue of copyright and licensing; we try to transfer as much as possible of the copyright to the client. This is clearly regulated in each agreement and often safeguarded by many complicated clauses. Until now, in contracts with GCC countries, I have observed a different approach. In principle, the provisions are very general, not too complicated, and the copyright remains with the service provider, while the client gets a license, which of course entitles them to use all aspects of the software, but we can still use the finished product or code fragments in other projects.

Of course, the issue of copyright is regulated in more detail in individual orders, but the provisions of framework agreements, as compared to Polish contracts, are very general, limited to just a few sentences. In Polish agreements, copyright transfer and licensing clauses are very detailed, and they make sure to safeguard the client in the event of any difficult situation, such as when the software development company goes bankrupt or is sold. This makes the clauses very extensive and they are one of the main issues covered in negotiations. In our contacts with GCC countries, this has never been a moot point.

Bąk i Dębiak Kancelaria Radców Prawnych s.c. has provided professional legal consulting services for the Altkom group for more than ten years, focusing on providing support for Altkom Software in Polish and international projects for the financial sector and large international entities. Legal advisor Marta Dębiak-Bartosewicz has drafted and negotiated dozens of deployment contracts on our behalf, providing business support backed up by many years of professional experience.

You can learn more about Marta on her LinkedIn.