As a Software-as-a-Service (SaaS) provider, POPIA is going to have a profound effect on your business. The act, now signed, comes into effect on the 1st of July, 2020, with the deadline for compliance being the 30th of June 2021. This is not a lot of time, and you’ll need to address a number of challenges in the year to come. Let’s discuss some specifics for SaaS and software developers.
You can’t just pull the “Operator” card
A few software companies that I’ve dealt with have mistakenly claimed that they are Operators (Processors under GDPR), and therefore would not be required to comply with a number of the aspects of POPIA or GDPR. As an Operator you do have fewer responsibilities; however, the classification of your company can change depending on what activity is being performed. If your software is specialised for a particular field or industry, you may become a joint responsible party simply by holding the subject matter expertise in that field. Plainly put, when you advise a client on best practice, you are moving into the role of Responsible Party rather than Operator.
You need watertight processing agreements
Most SaaS providers will not have any control over what their clients place within their systems. It is of critical importance to have well defined SaaS and Data Processing agreements in order to clarify the responsibility over data. In most cases, your clients will solely be responsible for what is placed in your infrastructure; however, you will still need to be sure that they are following the correct paths to processing lawfully, since by hosting the information in your infrastructure you are in fact ‘processing’ it too.
You need business governance before privacy compliance
Part of compliance with POPIA and GDPR is knowing how data moves within the organisation. If you do not have standard operating procedures in place, this becomes incredibly difficult to map out. Having SOPs throughout the business allows you to see where and how data flows, enabling you to do gap analysis and close any holes in the process.
You need to consider unseen data
As a SaaS provider, you will also be collecting a lot of unseen data. You need to ensure this is mapped too, and that steps are taken to minimise the data to only that which you explicitly require. In a tech-heavy organisation, backup retention, log files, diagnostic information, support ticketing systems and change management present significant challenges; however, they are not insurmountable.
Get a second pair of eyes on data
With only 12 months to comply, it is worth your while to get someone in to highlight where you need to focus your efforts. I offer a number of CISO-as-a-Service packages where I help you map out the organisation and comply with legislation, as well as training to bring all levels of the organisation up to speed on their privacy responsibilities. If you’d like to find out how I can help your organisation, you can book a no-obligation discovery call directly in my calendar using the booking tool below.