It’s now almost three years since the official launch of the EU GDPR.
At the time of its launch in May 2018, there was much hype around its significance and how it was going to change the world of privacy. Initially, things seemed like a bit of a damp squib – almost a millennium-bug-like anti-climax. However, a growing public discontent with the actions of major consumer software platforms like Facebook, Google and others has sent privacy to the top of the global agenda.
GDPR seems to have inspired governments everywhere, with well over 100 countries now having legislation in place to secure the privacy and protection of data. In the US, the California Consumer Privacy Act (CCPA) is now being enforced, with other states following suit – for example, both Michigan and New York announced upcoming legislation following the inauguration speeches this month. Federal legislation is sure to follow during the Biden administration.
There can be no doubt that appropriate handling of Personally Identifiable Information (PII) is now the expected norm. Over 90% of consumers say they are more likely to trust companies with their personal information if they are transparent about how that information will be used.
We have also seen a dramatic increase in adoption of Cloud-hosted Software-as-a-Service (SaaS) applications by organisations across the world. According to Gartner, SaaS spend will reach $104B in 2020, and already represents one-quarter of the whole global enterprise software market.
But unfortunately, these two somewhat irresistible forces are not entirely compatible, and when they collide, organisations may be damaged in the fallout.
The incompatibility arises from the fundamentals of each trend.
- Privacy legislation is about being fully accountable for the data you collect and process.
- SaaS is about handing that same data to a third-party vendor to process inside their application and infrastructure, out of your direct control.
In many ways this is similar to the dilemma that faces parents when they decide that they need help balancing work and childcare. They want help with managing the children, but they often have a lot of angst over selecting a nanny or a nursery. At the same time, they are trusting a stranger with their most precious possession, and they must retain accountability for their child’s wellbeing even if they can’t be there 24×7. So they draw up a list of candidates, conduct interviews, consult references and do all they can to ensure their children will be well looked after.
And this is exactly what organisations should do when they start using SaaS applications.
They entrust a third party with their most precious possession – the most personal and private data about their customers or their employees – but, just like a parent, they have a clear legal and moral responsibility to safeguard that data even when it has been handed to a third party for processing.
So, like responsible parents, privacy professionals have developed best practices for managing privacy-sensitive data within an organisation. The majority of such practices involve the key steps of:
- Taking an inventory of the data you hold – showing where the PII data is held.
- Mapping your business processes to show how data flows through your organisation.
- Identifying, analysing, and controlling the major risks to PII data.
- Gap analysis to determine what is needed to achieve compliance.
- Developing the policies, processes and technical measures needed to achieve compliance.
- Training staff in the processes, procedures and tools provided.
A final step (number 7) is really an ongoing iterative cycle of activities needed to maintain compliance:
- Identifying new systems and sources of PII data.
- Keeping up-to-date records of processing.
- Scheduling regular audits.
- Undertaking further risk assessments as things change.
However, just like the parent who has to give up direct involvement in every minute of their child’s life when they employ a nanny, when an organisation moves data into a SaaS application, they lose a degree of control over how that data is cared for.
Cloud-based SaaS applications are targeted directly towards line-of-business users who often adopt them enthusiastically and without involving anyone outside their team – business teams now directly spend more budget with SaaS software vendors than is routed through the IT team.
This means that increasingly, software applications are chosen by users with limited experience in how to ‘raise and nurture’ privacy-sensitive data. They are much less likely to consider how the SaaS application will treat the data they offer it. They are akin to parents who struggle to spot the nanny who bends the rules, who likes the easy life and does not always put the children first.
Unfortunately, many less mainstream SaaS vendors do not always have the resources, experience and skilled staff that larger established software vendors can bring to bear. Startups trying to establish themselves may be more focussed on core operational functions rather than compliance with every regulation that may be important to you or your legislators – and in consequence, they may not look after your data exactly how you would want in all circumstances.
The EU has highlighted this very point with the Schrems II ruling.
As parents we want our kids to have fun but we would also want a nanny to handle the less fun aspects of childcare – making sure homework and chores are completed, and setting clear boundaries.
Similarly, we want our SaaS vendors to focus on the less ‘fun’ aspects of data processing, to ensure that they meet our expectations on processing and protection of the privacy-sensitive data we have handed to them.
The business users will most likely have chosen a SaaS application for its ‘fun’ core features which allow them to innovate and reduce cost – important things that benefit the organisation a great deal. But someone in the organisation has to make sure the SaaS applications are good nannies for PII data as well, otherwise the organisation is at risk of severe consequences – reputational damage, legal action and significant fines.
Thinking back to the seven-step process above, a proliferation of user-sourced SaaS has a number of implications. The most basic is that it makes it very difficult to track down all the systems where PII might be stored. A single user somewhere across the organisation can start using a SaaS application and store privacy-sensitive information within it, without the existence of that application being recorded anywhere.
You can’t map data flows that you don’t know about, so we really need to add a step zero, an audit that can discover all the SaaS our users have adopted. Only then can we proceed with mapping PII to these systems and understanding the true extent of informal data flows out of the organisation and into the Cloud.
The other major problem with SaaS is ensuring we can quantify the true risks to PII inside the application. Since we can’t directly control the actions of the SaaS vendor, and only have a limited visibility into what they do with our data after it is handed over, it can be difficult to assure our compliance with legislation.
Compliance can only be achieved by digging deep into each and every SaaS application and vendor, asking questions and making sure they have the correct certifications, policies and protections in place. And we also need to inspect the contract with each SaaS vendor to make sure we are enforcing our requirements, something that is very difficult with user-sourced SaaS where the contract is a large, click-through EULA on a webpage.
There is significant legwork in finding and assessing user-sourced applications. It’s generally accepted in the industry that most organisations are using hundreds of SaaS applications from as many different vendors – and with no central register of the applications in use.
Just like parents faced with the bewildering choice of childcare options, every organisation needs help managing the enormous array of SaaS applications that are on offer across every business function.
Using Ampliphae SaaSGuard you can extend your privacy governance across SaaS applications in an effective way. It can discover and catalogue all the SaaS in use across the organisation, help you map the flows of data out into the Cloud, and mitigate the privacy risks that your organisation faces from SaaS.
In the next blog we will dig deeper into the processes required to ensure privacy compliance with SaaS.