Privacy Compliance Implementation for SaaS companies
- Santosh Chachar
- Sep 26, 2023
- 6 min read

What is Privacy Compliance all about
Privacy compliance is coming up in all parts of the world. GDPR (EU) was the first to be enforced and to gain wide adoption, driven by the enforcement that came into effect on 25th May 2018. Then came CCPA (California, US), and more are rapidly coming up across various parts of the world.
The geography of the product company's offices is not the only factor. The location/citizenship of the individuals from whom data is being collected also matters, and is a factor when evaluating which privacy regulation applies.
The definition of Personal Data is really wide, ranging from name, email, phone number and IP address to any government-issued ID card: anything that can be used to uniquely identify a real person (as against some identity or profile).
Unlike other standards and compliances, implementing privacy compliance needs a lot of changes in the product and in personal data handling practices. So it would be best to align with GAPP (Generally Accepted Privacy Principles). That way you would be prepared to comply with upcoming privacy regulations without needing many changes in your privacy program or product/architecture. Below is the list of these principles.
Management. The entity defines, documents, communicates and assigns accountability for its privacy policies and procedures.
Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
Choice and consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
Collection. The entity collects personal information only for the purposes identified in the notice.
Use, retention, and disposal. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.
Access. The entity provides individuals with access to their personal information for review and update.
Disclosure to third parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
Security for privacy. The entity protects personal information against unauthorized access (both physical and logical).
Quality. The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
Monitoring and enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.
How it is crucial for B2B SaaS Products
Privacy is more critical for SaaS products since they are accessed from any part of the world and have a lot of integrations and bi-directional data flows across companies and geographies.
The definition of personal data is really wide; most B2B SaaS companies would be dealing with at least one category of personal data of their customers, e.g. name, email, phone, IP address etc.
For reference, for a typical multi-tenant SaaS application (SaaS for your customers) hosted in any public cloud (primarily IaaS for you), you need to consider the factors below:
What data fields (e.g. first name, last name, email address)
For what purpose (e.g. to provide the relevant service/s)
Where do you store it (e.g. a specific AWS region)
Where do you access it from and why: development and maintenance teams, cloud infrastructure management teams, support teams. Even this kind of access is treated as a data transfer or data processing
With whom do you share it, within and outside your organization?
What are the security controls in place to protect personal data from unauthorized access, from both internal and external threats?
What role is your organization playing in the whole data chain:
A controller is the one who decides the purpose of the data, typically your customer
A processor (who handles data on the controller's behalf), typically your organization
A sub-processor is a third-party vendor that your organization (processor) is using to provide necessary services, e.g. hosting, email relay, marketing automation, helpdesk ticketing etc., and who has access to all or some fields of the personal data of your customer (controller)
You could be playing multiple roles at a time, or a separate role for separate sets of personal data.
Make sure you have proper data protection/privacy agreements with all respective data controllers, processors, and sub-processors.
Privacy compliance is all about being transparent about your data handling practices
One of the ways to demonstrate this is to publish your organization's privacy policy on your corporate website (with a link to the policy in the footer of every page). The policy should have all the details mentioned in the above bullet points. Make sure that all employees of your organization are aware of the policy and make every effort to abide by it while working on new products and features. All changes to the privacy policy should be notified to all the stakeholders mentioned above.
Commonly used compliance trio by US-based SaaS companies: GDPR, Privacy Shield and ISO 27001/SOC 2
Personal data protection is one of the important requirements for privacy compliance. The way to demonstrate that the organization has done enough to protect personal data from unauthorized access or modification is to implement the standards (ISO 27001/27017/27018) or third-party attestations like SOC 2 across your organization.
Privacy Shield certification allowed you to transfer/process personal data from the EU to the US (e.g. an AWS region). Update (2023): Privacy Shield is currently under dispute and not valid anymore. As an alternative, companies can include Standard Contractual Clauses (SCCs) in their contracts.
Key Product/Architecture Considerations
Now that you are aware (and a bit overwhelmed) of privacy compliance requirements, let's consider how some important architecture-level decisions will make it relatively easy to comply with current and upcoming privacy regulations.
A mandatory checkbox to capture consent, along with a link to the organization's privacy policy, on all external forms and user registration screens where personal data is collected.
Avoid or mask personal data before pushing it to logs (system, application, network, web server, load balancer, CloudTrail, CloudWatch etc.). It is better to write a masking/filtering library which can be reused when adding new products or features. That way at least this part can be excluded from the complex requirements below.
Customer/tenant-level data segregation: you should design your data architecture so that it enables you to segregate and trace all the personal data of a single tenant/customer across all the datasets and components of your product (e.g. databases, compute instances, object storage, various logs). At the end of the contract, when the tenant is leaving you, you will be required either to delete all the data within the defined timeline or to provide a copy/dump of all the personal data, as per the agreement/contract/terms of use you have in place with that tenant.
Individual-level personal data records: you may get a request to delete, provide a copy of, or correct the personal data you have collected from any particular individual. You should have a mechanism or some script to be able to perform these operations across all your cloud-native and on-premise datasets holding personal data of any individual. If your organization is playing a data-processor role, you should make these changes only after confirmation from your controller (customer), even if you get a request directly from the end users/customers of your customers.
Data retention timelines should be standardized and implemented across all your on-premise and cloud-native data sources (EC2, S3, RDS) and logs (OS, application, DB, centralized log collectors) containing personal data, as per your business needs, contracts, terms of service etc. Use automated enforcement of timelines whenever possible, e.g. S3 retention, automated deletion etc.
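The reusable masking/filtering library suggested above for keeping personal data out of logs, as an added example (not code from the original post). It installs a logging filter that redacts email addresses, IPv4 addresses and phone numbers after %-style argument interpolation, so it catches values passed as arguments, not only those written into the format string. The regexes, placeholder tokens and sample log lines are assumptions of this example and must be tuned to the identifiers your own product logs.

```python
"""PII-masking log filter: added example, not code from the original post.

Masks email addresses, IPv4 addresses and phone numbers in every log record
before any handler writes it, so one reusable filter can be attached to all of
a product's loggers. The regexes are illustrative placeholders (an assumption
of this example) and must be tuned to the identifiers your product logs.
"""
import logging
import re

# Order matters: IPv4 is replaced before phone numbers so a dotted IP is never
# consumed by the looser phone pattern.
PII_PATTERNS = [
    ("[EMAIL]", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("[IP]", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    # optional country code, 3-digit area code (with or without parentheses),
    # then 3 + 4 digits; the digit look-arounds keep timestamps and IDs intact
    ("[PHONE]", re.compile(
        r"(?<!\d)(?:\+\d{1,3}[\s-]?)?(?:\(\d{3}\)|\d{3})[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")),
]


def mask_pii(text: str) -> str:
    """Return text with every recognised PII token replaced by its placeholder."""
    for placeholder, pattern in PII_PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


class PiiMaskingFilter(logging.Filter):
    """Rewrites the fully interpolated message in place and never drops records.

    Masking after %-style argument interpolation catches PII passed as args,
    not only PII written into the literal format string.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_pii(record.getMessage())
        record.args = ()  # already interpolated above, nothing left to format
        return True


def install_masking(logger: logging.Logger) -> None:
    """Attach the filter to each handler so every record written through it is masked."""
    flt = PiiMaskingFilter()
    for handler in logger.handlers:
        handler.addFilter(flt)


def mask_record(msg: str, *args: object) -> str:
    """Build a LogRecord the way logging does, run it through the filter, return the text."""
    record = logging.LogRecord("app", logging.INFO, "app.py", 0, msg, args, None)
    PiiMaskingFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    # constructed sample line; the masked form reaches the handler, the raw one never does
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    install_masking(logging.getLogger())
    logging.info("login for %s from %s", "alice@example.com", "10.0.0.123")
```

The filter is attached to handlers rather than to a single logger so that records from every child logger are masked on their way out; adding a new product or feature then means adding a pattern to PII_PATTERNS, not touching each call site.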
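The three preceding points (tenant-level segregation and offboarding, individual-level subject requests, and automated retention) all rest on one capability: being able to find every copy of a tenant's or an individual's personal data across every store. The following added example (not code from the original post) models that as a small inventory keyed by tenant and subject, with export, correct and erase operations, a processor-role gate that refuses subject requests until the controller has confirmed them, and a retention sweep driven by per-store windows. The store names, records, dates and retention windows are constructed sample data; in a real product each store name would be backed by the actual table, bucket or log index.

```python
"""Tenant- and subject-level personal data inventory: added example, not code
from the original post. Store names, records and retention windows are
constructed sample data (assumptions of this example).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class PersonalDataRecord:
    tenant_id: str          # the customer (controller) this data belongs to
    subject_id: str         # the individual inside that tenant
    store: str              # logical location, e.g. "rds:users", "s3:uploads"
    created_at: datetime    # drives retention
    fields: Dict[str, str] = field(default_factory=dict)


class ControllerApprovalRequired(Exception):
    """A processor tried to act on a subject request the controller has not confirmed."""


class DataInventory:
    def __init__(self, records: List[PersonalDataRecord]) -> None:
        self.records = list(records)

    def _select(self, tenant_id: str, subject_id: Optional[str] = None) -> List[PersonalDataRecord]:
        return [r for r in self.records
                if r.tenant_id == tenant_id and (subject_id is None or r.subject_id == subject_id)]

    # tenant offboarding: copy/dump or delete everything for one customer
    def export_tenant(self, tenant_id: str) -> List[dict]:
        return [{"store": r.store, "subject_id": r.subject_id, **r.fields}
                for r in self._select(tenant_id)]

    def erase_tenant(self, tenant_id: str) -> Dict[str, int]:
        """Delete all of a tenant's data; the per-store counts feed the deletion report."""
        counts: Dict[str, int] = {}
        for r in self._select(tenant_id):
            counts[r.store] = counts.get(r.store, 0) + 1
        self.records = [r for r in self.records if r.tenant_id != tenant_id]
        return counts

    # data-subject requests: a processor acts only after the controller confirms
    def export_subject(self, tenant_id: str, subject_id: str, *, controller_approved: bool) -> List[dict]:
        self._require(controller_approved)
        return [{"store": r.store, **r.fields} for r in self._select(tenant_id, subject_id)]

    def correct_subject(self, tenant_id: str, subject_id: str, field_name: str, value: str,
                        *, controller_approved: bool) -> int:
        self._require(controller_approved)
        changed = 0
        for r in self._select(tenant_id, subject_id):
            if field_name in r.fields:
                r.fields[field_name] = value
                changed += 1
        return changed

    def erase_subject(self, tenant_id: str, subject_id: str, *, controller_approved: bool) -> int:
        self._require(controller_approved)
        keep = [r for r in self.records if not (r.tenant_id == tenant_id and r.subject_id == subject_id)]
        removed = len(self.records) - len(keep)
        self.records = keep
        return removed

    # retention: drop records older than their store's window; stores without a window are kept
    def expire(self, now: datetime, retention: Dict[str, timedelta]) -> int:
        def expired(r: PersonalDataRecord) -> bool:
            window = retention.get(r.store)
            return window is not None and now - r.created_at > window
        keep = [r for r in self.records if not expired(r)]
        removed = len(self.records) - len(keep)
        self.records = keep
        return removed

    @staticmethod
    def _require(controller_approved: bool) -> None:
        if not controller_approved:
            raise ControllerApprovalRequired("wait for the controller's confirmation before acting")


# Constructed sample data and retention windows (assumptions of this example).
NOW = datetime(2023, 9, 26, tzinfo=timezone.utc)
RETENTION = {"logs:app": timedelta(days=90), "s3:uploads": timedelta(days=365)}


def sample_inventory(now: datetime = NOW) -> DataInventory:
    return DataInventory([
        PersonalDataRecord("acme", "u1", "rds:users", now - timedelta(days=10), {"email": "a@acme.example"}),
        PersonalDataRecord("acme", "u1", "logs:app", now - timedelta(days=120), {"ip": "10.0.0.5"}),
        PersonalDataRecord("acme", "u2", "rds:users", now - timedelta(days=5), {"email": "b@acme.example"}),
        PersonalDataRecord("acme", "u2", "s3:uploads", now - timedelta(days=400), {"name": "B. Example"}),
        PersonalDataRecord("globex", "u9", "rds:users", now - timedelta(days=1), {"email": "c@globex.example"}),
    ])


def blocked_without_approval(inv: DataInventory, tenant_id: str, subject_id: str) -> bool:
    """True when the inventory refuses an unconfirmed subject request (processor role)."""
    try:
        inv.erase_subject(tenant_id, subject_id, controller_approved=False)
    except ControllerApprovalRequired:
        return True
    return False


if __name__ == "__main__":
    inv = sample_inventory()
    print("expired by retention:", inv.expire(NOW, RETENTION))
    print("erased for subject acme/u2:", inv.erase_subject("acme", "u2", controller_approved=True))
    print("tenant acme deletion report:", inv.erase_tenant("acme"))
```

Two design choices carry the compliance point: every record is tagged with its tenant and subject at write time, so erasure and export never depend on ad-hoc searching, and the subject-level operations cannot be called without an explicit controller_approved flag, which makes the processor's obligation to wait for the controller a property of the code rather than of the runbook.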
Important documentation to help with compliance requirements, answer questionnaires, and manage important communication
Data Processing Agreements (DPAs) as amendments to contracts, agreements, terms of service documents or purchase orders, which should be mutually signed by both parties.
Records of personal data processing (description of the product/offering, what data, what purpose, what processing operations, with whom we share it etc.)
Data Protection Impact Assessments (summary of the records of data processing + risk assessment/mitigation + residual risk, if any, after implementing mitigation controls)
List of sub-processors, preferably published on your corporate website.
Data retention policy
Privacy policy
Data breach notification process, which includes response timelines, content of the notification, and the various internal and external stakeholders to be notified
General privacy compliance document describing your product and service offerings: how personal data may be collected, processed, shared and deleted; what controls you have implemented to meet data-subject access rights; who your Data Protection Officer (DPO) is; where to contact in case of privacy-related concerns etc.
It would be handy to have a list of security/privacy contacts for each of your customers; useful and time-saving for notifying: changes in the privacy policy, onboarding of a new sub-processor who will touch the customer's PII, breach notification, or any other announcement
Looking forward to your valuable feedback and improvement suggestions!