As a Software-as-a-Service (SaaS) provider, you will often be what is known as an “Operator” (POPIA) or “Processor” (GDPR) in privacy legislation. While you do not hold the lion’s share of responsibility for compliance, there are some obligations that you have towards your clients. Whether you are a B2B platform or a B2C platform, there are measures you need to take to ensure that your clients and consumers are protected from a security and compliance point of view. POPIA and GDPR are big subjects, and cover the entire business. In this article, however, we’ll be covering the platforms that you provide to your end users.
Data Privacy Impact Assessments (DPIA)
One of the things you need to cover in your system (and in new features going forward) is a DPIA. This assessment takes into account any processing of personal information – particularly special personal information such as medical or demographic data – and the methods you use to ensure that privacy is maintained and that you are complying with the principles of privacy legislation. If, for example, your system processes some form of criminal record check, your DPIA would cover why the processing needs to happen (necessity), the amount of data needed to perform this function (minimisation), how the information is protected, what controls are in place, how you are processing lawfully, and what development approach you intend to take. You want to enable Privacy by Design and Privacy by Default.
Public Expectations and the State of Technology
Most legislation refers to the “state of technology” instead of prescribing what you need to include. This is a blessing, not a curse, but it requires you to do your homework. Part of the reason for this wording is that laws cannot be changed or updated as quickly as technology is, so they make room for the current state of affairs in the field. In terms of development, that means using good practices and standards, investing in penetration testing (it is an investment, not an expense), and, to a certain degree, monitoring what the public expects. Features such as two-factor authentication (2FA) should be made available as a minimum nowadays, as should (at the very least) field-level encryption of sensitive data in databases.
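As an added illustration of the field-level encryption mentioned above (my own example, not code from the original article), here is a small Go type that encrypts one sensitive column value at a time with AES-GCM and binds each ciphertext to its row and column, so a value that is tampered with or copied between rows refuses to decrypt. The key source, record IDs and column names are assumed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// FieldCipher encrypts one sensitive column value at a time with AES-GCM, binding the row ID and
// column name as additional authenticated data so a value moved to another row/column, or tampered with, fails to decrypt.
type FieldCipher struct{ aead cipher.AEAD }

// NewFieldCipher takes a 16-, 24- or 32-byte AES key (32 gives AES-256). In production the
// key comes from a KMS or secret store (assumed, not shown here), never from source code.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key) // rejects any other key length
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

func aad(recordID, column string) []byte { return []byte(recordID + "\x00" + column) }

// Encrypt returns nonce || ciphertext || tag, to be stored in a binary (BLOB/bytea) column.
func (f *FieldCipher) Encrypt(recordID, column, plaintext string) ([]byte, error) {
	nonce := make([]byte, f.aead.NonceSize()) // fresh random 96-bit nonce for every value
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return f.aead.Seal(nonce, nonce, []byte(plaintext), aad(recordID, column)), nil
}

// Decrypt verifies the GCM tag and the row/column binding before returning plaintext.
func (f *FieldCipher) Decrypt(recordID, column string, stored []byte) (string, error) {
	n := f.aead.NonceSize()
	if len(stored) < n {
		return "", errors.New("malformed ciphertext")
	}
	pt, err := f.aead.Open(nil, stored[:n], stored[n:], aad(recordID, column))
	if err != nil {
		return "", err // wrong key, tampered value, or value swapped between rows/columns
	}
	return string(pt), nil
}
```

Encrypting per field (rather than relying only on disk or volume encryption) means a copied database dump or a stray backup exposes only ciphertext for the protected columns.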
You have to have your security controls in place, and I would highly recommend (actually, I insist) that you get a third party to examine your configurations and infrastructure layout. In the tech startup environment, you are often working in an MVP (Minimum Viable Product) state, and security is overlooked in favour of getting a release out. This is negligent. Security needs to be as much a part of your SDLC (Software Development Lifecycle) as development and scoping are. The number of companies I work with that have RDP, SSH, or SQL ports open to the public internet on production systems is astounding!
Contracts and Responsibilities
Aside from the actual development process, your contracts are incredibly important. Different role players have different responsibilities in terms of data protection, and your contracts and EULAs (End User License Agreements) need to reflect this. You need to be explicit about things like passwords: you’ll put in the effort to ensure that passwords meet minimum complexity requirements and that 2FA is available, but the client is responsible for safeguarding that password. There needs to be a shared effort, and as a service provider you don’t want to take on more responsibility than you should. If your clients are not as mature as you are in terms of privacy compliance, you need to push back a little to ensure your collective compliance.
What else is there?
Every software package is different, and requires a different analysis. Sure, there are basics such as those listed above, but there are many more things to be aware of in terms of privacy and cybersecurity relating to Software-as-a-Service offerings. I have worked with a number of software companies facilitating once-off workshops to identify quick wins, through to ongoing analysis and implementation of safeguards and system testing. To find out more about my once-off workshops or ongoing advisory, please book a no-obligation chat using the calendar below.