Software as a Service (SaaS) providers have been an absolute godsend to a growing number of businesses who, for one reason or another, don’t want to deal with hosting and maintaining their own software. The SaaS model we’re talking about here is nothing if not convenient: The client sends information on its own clients and employees to the SaaS provider, which then hosts and maintains it on an online server, the so-called “cloud”. The client can access this data online anytime and from anywhere, usually in exchange for a subscription fee. Simple as ABC, right?
Still, while the model is very straightforward, the risks can be just as high. Whenever personal data is involved, a lot is at stake. This is why, in order to prevent the loss or breach of all this valuable information, you need to pull out all the security stops. The first one is to choose a reliable and trustworthy service provider.
Here are five essential steps you need to take to ensure maximum security of your data at all times:
- Check if you have the legal right to provide the data in the first place.
The Data Protection Act states that everyone responsible for using data must do so fairly and lawfully, for limited, specifically stated purposes, and the data must be kept safe and secure at all times.
This is especially important when dealing with sensitive personal data on the subject (the person the data refers to), such as their ethnic background, political opinions, religious beliefs, health and criminal records. The subject should give you explicit consent for processing their data. What’s more, the SaaS provider is likely to ask you for a warranty stating that you will lawfully transfer the data to them and that you comply with all applicable data protection laws. By doing so, they’re limiting their liability – in other words, making sure they won’t get a slap on the wrist if you breach a DPA rule.
- Conduct an audit of the provider.
Would you hand over your valuables to just about anyone, without first doing some research on who they are? Of course you wouldn’t. You must treat your data with the utmost care and precaution – it is, after all, the backbone of your business. It is now customary to carry out an audit of the provider whose services you mean to hire. Now, what do you look for in a high-quality provider?
A serious SaaS company should keep detailed records of any personal data processing they are in charge of, as well as provide satisfactory answers to all the security questions you may have. Cover the concerns you have and ask them: what encryption policies will keep your data safe; how will they keep your data separate from that of their other clients; and what is their backup / recovery plan in case of a system crash or an attack on the software.
- See if the provider can subcontract.
Many SaaS providers tend to use subcontractors for various purposes, such as handling their network capacity, hardware, etc. If you’re concerned the data might get into the wrong hands by way of a subcontract, ask the provider to apply the same data protection provisions you have agreed with them to the agreement they sign with the third party. In fact, you can even require a say in choosing the subcontractor.
There’s one more tidbit to consider, and that is whether the potential subcontractor is located outside the EEA. Given that the DPA states that “personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection”, we recommend you take extra care and review the subcontractor agreement to make sure they too honor all the stipulations and security precautions.
- Give detailed processing instructions.
The DPA clearly says you should have a written agreement with your SaaS provider, and that they can act only if and when you have told them to. Your instructions should be detailed and straightforward, since any miscommunication can lead to a violation of the law, even an unintentional one. Bear in mind that the provider will also want to protect themselves from any possible damage caused by following your instructions.
- Ask for indemnity, just in case.
A breach of the DPA isn’t always caused by the customer of the software; a SaaS provider can step onto forbidden territory too! Secure yourself against the worst-case scenario of having to pay for data-breach fines or damages your provider has caused, and include a non-negotiable indemnity clause in the agreement you sign with the SaaS company. It’s standard practice, and any professional provider will understand this.