Since the GDPR came into effect in 2018, businesses are reviewing their operational practices and privacy policies to comply with the new regulation.
Many apps today are delivered as Software as a Service, or SaaS for short.
SaaS is a distribution model where software is hosted online and accessed on demand in exchange for a subscription fee. Common examples of SaaS web applications are Dropbox, Xero, Microsoft Office 365 and Mailchimp, and there are many, many more. This delivery model offers customers unprecedented levels of convenience, productivity and collaboration, so web apps have quickly become a daily part of our personal and professional lives.
According to a survey conducted by SaaS management software company BetterCloud, “73% of organisations say nearly all their apps will be SaaS by 2020”. This is an exciting projection, but it also signals the need for caution. Sensitive information such as company finances, confidential processes and personal data about customers (like addresses and credit card numbers) is a prime target for data theft, which makes security a top concern for businesses shopping around for a SaaS product.
Given that these apps and their users’ data are typically hosted on remote servers around the world, it can be unclear where exactly data is located at any point in time, potentially limiting the control and authority customers (and governments) have over the security of their data. When a customer travels outside their home country and needs to access their data, the SaaS provider may need to transfer that information to servers in the corresponding region because of the regional data protection laws in place, some of which offer more protection than others.
Another key consideration is the level of access a SaaS company is given to customer data. To deliver a key function of the app or to provide client support, SaaS employees and other third parties may need broad access to sensitive data. This leaves customers exposed to potential abuse of that access, and to phishing attacks targeted at employees who already hold access to important private information.
Web apps like Facebook have become the subject of public scrutiny since it was revealed that multiple tech firms were given special access to private user data. When even the biggest names in the tech industry are not clear of privacy violations, where does that leave the rest of us?
The policy must clearly explain what the app owners do with user data once it has been collected.
Customers should be made aware of where their data is stored, and the security measures taken to protect it.
If a SaaS business collects and processes data about customers using third-party sources, it must be disclosed and proven that these sources do so in compliance with applicable privacy laws.