GDPR Data Privacy Regulations and Impact on SaaS Companies and Their Vendors

As data privacy regulations evolve, they will continue to shape the foundation of global business in the cloud. Data administrators can no longer assume that their existing data privacy protections are sufficient; they must actively partner with their vendors and internal teams to ensure compliance. “People burying their head in the sand will soon be violating the law and risk fines at the expense of the company,” said Susanne Dehmel of Bitkom, referring to the new standard contractual clauses (SCCs) for international transfers of personal data under the General Data Protection Regulation (GDPR), published by the European Commission on June 4, 2021.

The new SCCs require service providers that receive personal data from the EU to undergo a thorough due diligence process and to enter into contracts that guarantee customers’ personal data adequate protection and safeguards. EU companies, particularly those dealing with US companies, are advised to start renewing their agreements under the new SCCs now rather than waiting for the transition deadline.

The new clauses reinforce data subjects’ rights: data subjects are entitled to be informed about processing operations, to have a means of contacting controllers located abroad, to receive a copy of the new SCCs and to be compensated for damage arising from the processing of their personal data. By December 27, 2022, all agreements executed under the old SCCs must have been transitioned to the new SCCs.

The primary objective of the GDPR is the harmonization of data protection law across Europe. A secondary, though equally core, objective is to respond to the enormous technological changes of the past 25 years. The GDPR sets out a number of principles that SaaS companies need to be aware of, such as data minimization, transparency, and integrity and confidentiality. It requires companies to collect and process personal data only for specific purposes that are clearly outlined and documented (purpose limitation), and it prohibits processing personal data without a lawful basis, of which the data subject’s consent is only one.

Every software company is responsible for complying with privacy regulations if it hopes to remain relevant. The steps below will help ensure your organization has the right systems, processes and people in place to meet expanding privacy requirements.

Build Agile Security Capabilities

Because most modern software runs in the cloud, customers can no longer directly inspect the infrastructure that holds their data for security and privacy compliance. Businesses therefore need a more nuanced way of validating the trustworthiness of the SaaS vendors they are considering for their compliance ecosystem. Vendors, in turn, can distinguish their offerings by publishing transparent documentation of their current security capabilities and of how post-sales onboarding staff support those capabilities.

To set customer expectations and reduce the volume of compliance requests, vendors should train frontline sales teams in the basic security features of their offerings so they can answer prospects’ questions accurately. Vendors should also create a dedicated team of sales engineers or other enablement staff who can bring a specialist’s perspective to questions from a prospect’s CISO.

Additionally, vendors should give customers a clearly documented escalation path to security engineers who can answer the most detailed questions about identity and access management (IAM), telemetry, key management and similar topics.

Facilitate Integrations

SaaS vendors should make it easier to integrate their offerings with the rest of their customers’ security environments. This means assessing the vendor ecosystem their customers already run and building a comprehensive set of connectors to the most relevant security tools in it.

Vendors should also invest in better APIs by adopting a consistent, well-documented security API model across the products they offer. They should work with customers’ security teams to provide the granular capabilities that compliance in the markets they serve requires, and publish clear API semantics that customers and prospects can readily understand.

Leverage Thought Leadership and Targeted Feature Investments

Vendors must recognize and respond to the knowledge and trust gaps in the current security climate. With market and regulatory demands for data privacy expanding, SaaS vendors have both an obligation and an opportunity to provide leadership. CISOs need vendors to offer shortcuts to understanding the regulatory expectations of the markets in which they operate, and guidance on how best to prepare for future sea changes using data-driven, industry-accepted methodologies.

Preparing annual white papers or similar resources that distill this research, and pairing them with targeted feature investments (e.g. encryption, key management, logging, data tracking and data purging capabilities), sets vendors on a path to regaining some control over a rapidly changing set of demands and legal interpretations.

Opaque vendor capabilities and insufficiently addressed security concerns are, at best, extending procurement processes by weeks or months and adding significant cost and complexity to SaaS deployments. At worst, they cause companies to eliminate certain vendors from consideration altogether. By addressing these issues as a continuous program rather than a one-off effort, vendors will speed the ongoing migration from traditional on-premises applications to SaaS, reduce litigation risk and prevent customer churn.