So you have an idea of the functionality of your SaaS, how you will charge fees and how you will sign people up. The next step in understanding your SaaS and its challenges is data security and privacy for your customers. It is a contentious topic amongst businesses and one hurdle many fail to clear.
If you do not carefully consider this and provide your customers with certain assurances, your business may lack credibility and trust and therefore lose customers. There are also significant legal ramifications, and their scope and impact are expected to increase as the Privacy Act is reformed.
Accordingly, it is vital to consider data security and privacy when launching your SaaS, and to treat them as an ongoing process needing regular review. This article will help you understand your obligations and how to position yourself best to protect customers. Ultimately, this will protect your commercial interests.
What Data Does this Impact?
There are three key kinds of data to consider:
- inputted data;
- analytics data; and
- output data.
We will consider each of them in turn.
1. Inputted Data
This is the data input by you or your customers. Typically, it includes the account details of your customers, such as their name, email address or phone number, and the data you load into your software so that it can complete its tasks.
However, the data your customers input has significant privacy and protection implications. In almost all cases, it will be personal information (information or an opinion about an identified individual, or an individual who is reasonably identifiable), and it may be sensitive information (for example health, biometric, racial or ethnic origin, religious or political information, or criminal history), which carries stricter obligations. We discuss the privacy obligations attached to this information below.
The ownership of this data varies. For example, you will own the data you use to build your SaaS, but your customers retain ownership of the data they input into it, and your terms should say so expressly.
2. Analytics Data
Another form of data is the analytics data produced by using your SaaS. For example, when designing your SaaS you may choose to add analytics cookies or tracking scripts to improve how your SaaS functions. These analytics will produce information like:
- how people accessed your SaaS;
- how long they accessed it;
- what they looked at and for how long; and
- what they interacted with.
The key way to ensure these analytics do not create privacy obligations for you is to make sure the analytics data you collect and keep contains no identifying information. Be precise about what that means: raw IP addresses, device identifiers, account or user IDs, user-agent strings and free-text fields are all identifiers, and simply hashing an email address or user ID produces a pseudonym, not de-identified data, because the original value can still be recovered by whoever holds the key or a list of candidate values. Data is de-identified only when there is no reasonable likelihood of re-identification, which in practice means dropping or truncating identifiers at the point of collection and keeping aggregate rather than per-user records wherever that is enough for the purpose.
Regarding ownership, provided you have well-drafted terms and conditions for your SaaS and have de-identified the data collected, you own the data. This data can be essential to your business because it helps you improve your SaaS. Therefore, you must ensure your terms give you ownership of the analytics data and the right to de-identify it, and that your analytics pipeline actually de-identifies it before it is stored or shared.
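As an added example (this is not code from the original article or from LegalVision), the following Python shows what "no identifying information" looks like in an analytics pipeline: direct identifiers are dropped, IP addresses are truncated to a network prefix, and the user ID is replaced by a keyed HMAC pseudonym. It also demonstrates why an unkeyed SHA-256 of an email address is not de-identification: a dictionary of candidate addresses reverses it. The event field names, the sample events and the candidate email list are all constructed for the example, and the HMAC key is assumed to be generated once and held outside the analytics store.

```python
"""Added example, not from the original article: de-identifying SaaS
analytics events before they are stored or shared with an analytics vendor.

Assumptions (constructed for this example, not taken from the article):
the event field names below, the sample events, the candidate e-mail list,
and that the HMAC key is generated once and kept outside the analytics store.
"""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Any

# Fields that directly identify a person are dropped outright (hypothetical names).
DIRECT_IDENTIFIERS = {"email", "name", "phone", "user_agent"}

# Constructed sample input: two raw events as an analytics script might emit them.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"ts": "2024-05-01T10:00:00Z", "event": "page_view", "path": "/dashboard",
     "duration_ms": 4200, "user_id": 1042, "email": "alice@example.com",
     "ip": "203.0.113.77", "user_agent": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"ts": "2024-05-01T10:02:10Z", "event": "click", "path": "/reports/export",
     "duration_ms": 0, "user_id": 1042, "email": "alice@example.com",
     "ip": "2001:db8:abcd:1234::1", "user_agent": "Mozilla/5.0 (X11; Linux x86_64)"},
]

# Constructed candidate list an attacker might hold (e.g. a leaked customer list).
CANDIDATE_EMAILS = ["alice@example.com", "bob@example.com", "carol@example.org"]


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of an identifier. Without the key, the
    pseudonym cannot be reversed by hashing a list of candidate values,
    which is exactly the weakness of a plain SHA-256."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def truncate_ip(ip: str) -> str:
    """Keep only the network part of an address (/24 IPv4, /48 IPv6) so coarse
    geography survives but a single host can no longer be picked out."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def deidentify_event(event: dict[str, Any], key: bytes) -> dict[str, Any]:
    """Return a copy of the event with direct identifiers removed, the IP
    truncated and the user ID replaced by a keyed pseudonym. What survives is
    the analytics the article lists: what was viewed, for how long, and what
    was interacted with."""
    out: dict[str, Any] = {}
    for field, value in event.items():
        if field in DIRECT_IDENTIFIERS:
            continue                        # dropped entirely
        if field == "ip":
            out["ip_prefix"] = truncate_ip(value)
        elif field == "user_id":
            out["user_pseudonym"] = pseudonymise(str(value), key)
        else:
            out[field] = value              # non-identifying fields pass through
    return out


def plain_hash_reversible(email: str) -> bool:
    """Why an unkeyed hash is not de-identification: anyone holding a
    candidate list recovers the e-mail by hashing the candidates."""
    target = hashlib.sha256(email.encode("utf-8")).hexdigest()
    return any(hashlib.sha256(c.encode("utf-8")).hexdigest() == target
               for c in CANDIDATE_EMAILS)


def keyed_hash_reversible(email: str, key: bytes) -> bool:
    """The same dictionary attack against the HMAC pseudonym by an attacker
    who does not hold the key (modelled as guessing an empty key)."""
    target = pseudonymise(email, key)
    return any(hmac.compare_digest(
                   hmac.new(b"", c.encode("utf-8"), hashlib.sha256).hexdigest(), target)
               for c in CANDIDATE_EMAILS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)           # generate once; store outside the analytics system
    for ev in SAMPLE_EVENTS:
        print(deidentify_event(ev, key))
    print("plain SHA-256 reversible:", plain_hash_reversible("alice@example.com"))
    print("HMAC reversible without key:", keyed_hash_reversible("alice@example.com", key))
```

Two caveats a practitioner should keep in mind. First, the pseudonym still links one user's events together, and whoever holds the key can re-identify them, so in your own hands this data is pseudonymised, not de-identified; the GDPR treats pseudonymised data expressly as personal data, and the Privacy Act's test is whether re-identification is reasonably likely. If the purpose is served by aggregate counts, drop the pseudonym before the data leaves your control. Second, this only handles the fields you know about; free-text fields such as page titles, search queries or URL parameters can carry names and email addresses and need to be stripped or allow-listed as well.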
3. Output Data
The final data type to consider is output data. This is the data your SaaS produces and is usually the product your SaaS sells to customers. The way this data looks depends on your type of SaaS. It may be a report, a design, or a presentation. Whatever it may be, this is the output that customers seek from you.
Privacy Obligations
The Privacy Act
The privacy law that governs your obligations in Australia is the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) it contains. The APPs regulate how businesses collect, hold, use and disclose personal information.
The Privacy Act applies to most Australian businesses, and complying with the APPs is best practice for all of them. However, a small business with an annual turnover of $3 million or less is generally exempt. That exemption has exceptions: regardless of turnover, you must comply if, for example, you provide a health service and hold health information, or you trade in personal information, so the kind of SaaS you run can bring you back within the Act.
An organisation that must comply is known as an "APP entity". Overall, remember that it is best practice to comply even where you are not required to. Beyond best practice, some of your customers may themselves be APP entities and will only use service providers that comply. If you are an APP entity and a SaaS supplier, you should ensure you have a privacy clause in your terms referencing how you comply with your obligations under the APPs.
You may also have obligations under the Notifiable Data Breaches (NDB) scheme. If your business experiences an eligible data breach, that is, unauthorised access to, disclosure or loss of personal information that is likely to result in serious harm to the individuals concerned, you must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable, and you have 30 days to assess a suspected breach. Where you hold personal information on behalf of a customer that is itself an APP entity, both of you "hold" that information, so your SaaS agreement should set out who assesses and who notifies. Expect customers to ask for a clause obliging you to inform them of breaches promptly so they can meet their own compliance requirements.
General Data Protection Regulation (GDPR)
The law that governs your privacy obligations overseas varies. The General Data Protection Regulation (GDPR) applies across the European Union and the European Economic Area, and since Brexit the UK applies a near-identical UK GDPR. Both can reach an Australian SaaS business that offers services to, or monitors the behaviour of, people in those jurisdictions. For your SaaS business, here are a few essential things to remember regarding the GDPR.
Data Processors and Controllers
A controller decides why and how personal data is processed; a processor processes it on the controller's behalf. A SaaS provider is usually a processor for the data its customers input and a controller for its own account and billing data. Where you act as processor, the GDPR requires a written data processing agreement with the controller that sets out the subject matter and purpose of the processing, the security measures you must apply, your obligations to assist with individuals' requests and breach notification, your use of sub-processors, and what happens to the data when the contract ends.
EU Representative
If you are not established in the EU or UK but the GDPR applies to you, you will usually need to designate a representative located in the EU (and, separately, in the UK for the UK GDPR) whom supervisory authorities and individuals can contact about your processing. This is distinct from a data protection officer, which is only required in some cases, and from having someone in your own team responsible for managing that data, although you should have that too.
Individuals' Rights
The GDPR affords individuals a broad range of rights, including the right to:
- be informed about how their data is used;
- access their information;
- have their information corrected or rectified;
- have their information erased;
- data portability, meaning they can receive their data in a machine-readable form and move it to another service; and
- object to specific processing of their information, and not to be subject to decisions based solely on automated processing.
There are many other obligations, terms and responsibilities involved in the GDPR. If you deal with customers in the EU or UK, speak to a lawyer who can walk you through the compliance process.
Key Takeaways
The best way to protect your business and comply with your privacy obligations is to prioritise privacy in your SaaS, implement a privacy policy and ensure you have clear terms on ownership and obligations. If you prioritise privacy and data security, you will likely win your customers' trust and protect your business.
If you need help with privacy and data considerations, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
What kinds of data does a SaaS business need to consider?
There are three key kinds of data to consider: inputted data, analytics data and output data.
What is the GDPR?
The General Data Protection Regulation (GDPR) is the data protection law of the EU and EEA; the UK applies a near-identical UK GDPR.