Software as a service. It’s vital to how companies do business and have been for over a decade. But an effective SaaS product isn’t just about functionalities and customer service. They also have to deliver on data security and privacy for their customers. Without these assurances, there’s an inevitable credibility gap for your business. (Not to mention everything that comes along with data breaches and failures in compliance.)
So where is a SaaS company to start when it comes to delivering data security and privacy? Meeting expectations isn’t some kind of one-off project for your SaaS marketing agency, your internal marketing or legal teams. It’s an ongoing business requirement.
That said, there are steps you can take to better position your company to meet privacy and security requirements.
We’ve put together some basic information and best practices on SaaS privacy to help you get started with securing your subscription company. Let’s dive in!
1. Always make privacy a priority
First and foremost, your SaaS should be building in privacy from the ground level. If you were baking a cake, privacy should be your flour. If you were painting a picture, privacy would be your brushes.
You get the point. Privacy isn’t just a requirement to be tacked on at the last minute to appease compliance and regulatory requirements. It should start by valuing the personal data you collect, knowing how it informs your products, and informing how you educate your team and your customers.
If you haven’t done this yet, it’s not too late.
2. Limit the information you gather
When you’ve built privacy into your business foundations, it becomes easier to recognize the vital importance of protecting your data. It also becomes more apparent that the more data you have, the harder it is to sufficiently protect it. (And the more sensitive the information, the more tantalizing it is for cybercriminals.)
So to minimize risk, don’t collect information if you don’t expressly need it. You’re not a stamp collector, after all. Here’s another way of looking at it: Always have a purpose for the data you’re asking your customers to share with you.
3. Encrypt your data
But limiting your data only takes you so far. Your data needs protection and that means - for the sake of your customers, employees, business reputation, etc. - encrypting your data.
Encryption needs to be implemented throughout every part of your technology. If a data breach happens, then your customers’ data isn’t free-floating out in the world.
Encrypting your data also helps with another, less tangible metric: Consumer confidence. Your customers want to know that you’ve got their privacy in mind. Communicating encryption and other security practices is how you show it.
4. Data inventorying is a good thing
A data inventory is required for GDPR, yes, but it’s also useful for informing your privacy practices. After all, if you’re fuzzy on what data you’re collecting, how you’re using it, sharing it, processing it, storing it - can you be sure you’re meeting privacy requirements?
More specifically, a solid data inventory helps:
- Keep tabs on what information you’re processing to support data minimization
- Track the flow of data into, throughout, and out of your systems
- Track your vendor relationships
- Ensure that your privacy notices are up-to-date
- Locate data to support personal data rights
5. Be transparent regarding data privacy.
Speaking of communicating your approach to privacy, how transparent are you with your customers?
(But depending on what regulations apply to your company, you’ll need different disclosures. Remember, complying with one set of regulations doesn’t automatically solve compliance for another!)
Whether they realize it or not, your customers are going to bump up against numerous privacy touchpoints throughout their interactions with you. Use each and every one of those interactions to communicate:
- What personal information you’re asking for
- What you’re using it for
- Who you’re sharing the data with or sell it to, depending on how applicable regulations define these actions
- Why you’re using it
- And how it benefits them
When you’re implementing privacy disclosures, whether they are strictly required or not, it’s important to be clear and intentional in your language. Avoid legalese at all costs and make sure you’re speaking to your actual audience. (Not just the audience you have in mind.)
6. Train employees regarding data privacy
That being said, some regions and industries have specific and rigorous protections in place that demand a high degree of compliance. Take California, for example. All employees should be trained on the California Consumer Privacy Act (CCPA) to avoid triggering serious penalties.
Depending on what regulations apply to your SaaS, training may involve questions and issues like:
- What data needs to be protected? And what is considered personal data in the first place?
- How should data be organized?
- How critical data is backed up
- What regulations impact your business?
In the COVID era, don’t overlook privacy issues pertaining to personal devices. With a greater number of people remotely accessing workplace platforms from their phones or personal computers, it’s important to have clear communication about what the risks are and what is permitted by your company.
7. Back up customer data in several locations
Data breaches can be very messy events, but they can be made less messy if you have your data stored in multiple locations. This measure won’t stop a data breach from happening, but it will stop it from completely shutting things down in the event of a disaster or an incident.
However, it’s important to be systematic about your backup processes. Backups should be done regularly to keep your data collection current and useful.
When it comes to backing up data, though, your customers need to be assured that if they've asked you to delete their data, that it's deleted across all backup locations. This is where data encryption delivers additional value - all you need to do is delete the individual key associated with the data subject.
8. Individual rights
Whether you're thinking about GDPR or CCPA, individual rights should inform your privacy practices. Each regulation defines individual rights slightly differently, so it’s important to have a plan for how you’re going to honor and uphold them. (Very matrimonial sounding, I know - but not doing it is a recipe for compliance disaster.)
Getting individual rights can be complex, but let me make it simple. Know what the rights are and then develop your process for managing consumer rights requests.
9. Make your marketing team a priority
Your marketing program is a big source of consumer data, so it’s critical to be fluent in marketing rules and regulations. Remember, these rules go beyond your own geographical location - if you have customers or are targeting customers across the country and across the world, you need to know a whole range of laws. What you do in the US isn’t the same as Canada or Europe or Brazil. (And so forth.)
Moreover, different rules apply depending on the digital technologies that you’re using. Email, social media, website and app cookies - whatever tools you are using, you need to be well-versed in what laws impact you.
It’s also critical to translate these regulations to your customers. Putting in the legwork to demystify privacy for customers will help build trust. One excellent approach to this is a thoughtfully designed preference center where you can detail your data processing practices and give customers control over how they share their information.
10. Focus on building trust for the long-term.
It all comes back to trust, doesn’t it? Even if you follow the nine steps above perfectly, your business won’t thrive without customer trust.
Trust takes time and it takes ongoing effort. Create solutions that actively build trust between you and your customers. Credits, extended warranties, service plans - these are all ways to show that you’re invested in trust, not just tell.
The trust that you build ultimately becomes a selling point for your product, as well. Forty-six percent of American consumers feel they’ve lost control over their data. Seventy percent believe their personal data is less secure now than it was five years ago. So use your privacy page to share all the great work you’ve done for privacy and security. Lots of companies are putting a real emphasis on their compliance efforts, which demonstrates both a recognition of consumer expectations and their own company values.
Software as a service is a major part of the business landscape, but just because it’s important doesn’t mean that you can skimp on privacy, data security, or creating trust and transparency between you and your customers. But by starting with the basics, you can achieve your goals while meeting expectations for privacy standards.
Jodi Daniels is a Certified Informational Privacy Professional (CIPP/US) with more than 20 years of experience helping a range of businesses from solopreneurs to multi-national companies in privacy, marketing, strategy, and finance roles. Since launching in 2017, Red Clover Advisors has helped hundreds of companies create privacy programs, achieve GDPR, CCPA, and US privacy law compliance, and establish a secure online data strategy their customers can count on.