If you are a Software-as-a-Service (SaaS) provider, you may find yourself in particularly murky water when it comes to data privacy and staying compliant with the many privacy laws out there. Here are three things to consider when providing such a service.
Cross Border Transfers
Many privacy laws restrict the flow of PII (Personally Identifiable Information) across international borders without the consent of the data subject (the person the data is about). If you transfer data from one region to another whose privacy laws are not of equal or stronger standing, you are likely to run into issues.
Australia is particularly strict in this regard: in many cases, even viewing the information from across a border is a breach. This, as you are probably imagining, creates a serious problem if you have distributed support teams. The laws have also recently been amended to exclude VPN connectivity, meaning that a user in another country who connects over a VPN terminating locally and views a piece of data is still in breach, because a cross-border transfer has still taken place. I would not be surprised if other regions followed suit in this regard.
One thing you can do in this case is to put binding corporate rules in place between your regional offices, ensuring a minimum standard of data protection across all of them regardless of which local laws apply. For example, you might bind all your offices to comply with the GDPR, so that your regional offices meet that standard even where local law does not require it.
Securing Your Environment
While securing your SaaS environment, treat the protection of your databases and clusters as paramount. Most privacy laws require you to take "reasonable measures" to protect information. The measures are not spelled out, but you can bet that the stronger your security, the better standing you will have should something happen.
Given the cost of hosting, it is understandable that you will want to save where you can. Do not skimp on your database servers or their security. Your databases should be unreachable from the public internet, and they should absolutely not be hosted on the same tier as your web or application layers; only the application tier should be able to open a connection to them.
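One way to check the tiering rule above in practice is to audit the inbound rules on the database hosts and flag any database port that is reachable from anywhere other than the application tier. The following is an added example and is not code from the original article: the rule format, the tier addresses and the list of database ports are assumptions for illustration, and the sample rules are constructed.

```python
"""Audit inbound firewall rules for database ports exposed outside the application tier.

Added example, not from the original article. The rule layout, the tier
CIDRs and the port list are assumptions; map them to your own firewall or
security-group export.
"""
import ipaddress

# Common database listener ports (assumption: adjust to what you actually run).
DATABASE_PORTS = {3306, 5432, 1433, 1521, 27017, 6379}

# Assumed network layout: only the application tier may talk to the data tier.
APP_TIER_CIDR = ipaddress.ip_network("10.0.2.0/24")

# Constructed sample of inbound rules on the database hosts: (port, source CIDR, description)
SAMPLE_RULES = [
    (5432, "10.0.2.0/24", "postgres from app tier"),     # acceptable
    (5432, "0.0.0.0/0", "postgres open to the world"),   # exposed: public internet
    (3306, "10.0.1.0/24", "mysql from web tier"),        # exposed: wrong tier
    (443, "0.0.0.0/0", "https to the web tier"),         # not a database port, ignored
    (27017, "10.0.2.17/32", "mongo from one app host"),  # acceptable: inside app tier
]


def exposed_database_rules(rules, app_tier=APP_TIER_CIDR, db_ports=DATABASE_PORTS):
    """Return the rules that allow a database port from outside the application tier.

    A source is acceptable only when it is entirely contained in the
    application-tier network; 0.0.0.0/0 and other tiers both fail the check.
    """
    findings = []
    for port, source, description in rules:
        if port not in db_ports:
            continue
        src = ipaddress.ip_network(source, strict=False)
        # An IPv6 source cannot be inside an IPv4 tier (or vice versa): treat it as exposed
        # rather than letting subnet_of() raise on the version mismatch.
        if src.version != app_tier.version or not src.subnet_of(app_tier):
            findings.append((port, source, description))
    return findings


if __name__ == "__main__":
    for port, source, desc in exposed_database_rules(SAMPLE_RULES):
        print(f"EXPOSED: port {port} reachable from {source} ({desc})")
```

The same check can be run against a real export of your security-group or firewall rules; anything it prints is a database listener that the web tier or the public internet can reach directly, which is exactly what the paragraph above says you must not have.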
Security is also more than just securing your infrastructure; it is about responsible coding. Any sensitive information in your databases should be protected at rest, so that if someone steals a copy of the database the PII in it is useless to them. Passwords in particular should never be stored reversibly: hash them with a per-user salt and a deliberately slow algorithm (Tom Scott does a great video on this). Other sensitive fields should be encrypted, with the keys held outside the database, so that a stolen dump without the keys yields nothing.
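To make the salting point concrete, here is an added example (not code from the original article) contrasting an unsalted hash with a salted, slow password hash. It uses only the Python standard library; the PBKDF2 iteration count and the storage format are assumptions, and the passwords are constructed test values.

```python
"""Salted, slow password hashing versus a plain unsalted hash.

Added example, not from the original article. Uses PBKDF2-HMAC-SHA256 from
the standard library; the iteration count and the 'iterations$salt$digest'
storage format are assumptions for illustration.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # assumption: tune to your hardware budget, never below a few hundred thousand
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """What NOT to do. Identical passwords give identical digests, so a stolen
    table reveals which users share a password and is open to precomputed tables."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with a fresh random per-user salt and a deliberately slow KDF.

    The salt is not secret; it is stored next to the digest so the same
    computation can be repeated at login time.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, then
    compare in constant time so timing does not leak how many bytes matched."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Two users choosing the same (constructed) password: the unsalted digests
    # collide, the salted records do not, and both salted records still verify.
    print(unsalted_hash("correct horse") == unsalted_hash("correct horse"))
    first, second = hash_password("correct horse"), hash_password("correct horse")
    print(first != second, verify_password("correct horse", first), verify_password("wrong", second))
```

Note that this covers passwords only. Fields you need to read back (names, addresses, identifiers) cannot be hashed; they need a proper authenticated cipher from a maintained library, with the key kept in a secrets manager or KMS rather than in the same database or configuration file as the data.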
Water-tight End User License Agreements (EULAs)
Wherever PII is handled, there are generally three parties involved, each with a different level of responsibility. You have the data subjects (the people the data is about), the responsible party (called the controller under the GDPR, who decides what is done with the data and issues the instructions), and the processor (called the operator under POPIA, who does something with the data on those instructions, be it hosting or calculations).
In each relationship there is a level of responsibility on every party, but most of it sits with the responsible party. In a SaaS environment, you are unlikely to know exactly what your clients are storing in every circumstance. As such, it is difficult to accept responsibility for that which you can neither see (without breaching an agreement) nor control. It is therefore vital that your agreements clarify up-front who is responsible for what: in the usual SaaS arrangement, your client is the responsible party for the data they load into your service and you are the processor acting on their instructions.
Where do we start?
Considering that many of these laws are already in place, particularly the GDPR in the EU, you need to start immediately if you haven't already. It is by no means an easy or quick process, but help is available. Through a network of preferred partners, Ross G Saunders Consulting offers multiple compliance and training solutions for data privacy, from training in do-it-yourself methods through to ready-made frameworks that can be applied to your business.
Reach out to us now for a discussion over Zoom or in person.