SaaS Product Managers - Get your Data Processing Agreement in place

The European Union General Data Protection Regulation (EU GDPR) came into effect on 25th May 2018. It is a landmark regulation protecting consumer data, and it applies to any SaaS company that wants to do business in the EU.
In essence, data collection requires the informed consent of users, a data governance policy and data management tools, including support for the “right to be forgotten”. A more detailed e-privacy regulation is also in the works within the EU, but it has yet to become law. Here is a brief description of how this impacts cross-border SaaS.

Impact on your SaaS website

For marketing and tracking user activities, websites often use cookies. These are either
  • essential cookies (login, session etc.)
  • preference cookies (remember password, language, time zone etc.)
  • statistical cookies (analytics, user activities)
  • marketing cookies (advertising, 3rd party data)
To engage website visitors in EU countries, you need to let users understand what these cookies do and how they are used. Users must be able to opt out of the last two categories (statistical and marketing), or else they must be allowed to exit the site. Your privacy policy must also explain clearly how individual user data is used or anonymized.

Impact on your SaaS marketing

For marketing and advertising on 3rd party websites, or via social media or email, you need the explicit consent of users. This consent must be captured, stored and deleted according to the user's preference at that time, and there must be an easy way (email or website) for the user to change their preferences. In addition, there must be adequate controls in place for protecting user data, whether it remains with you or is shared with a 3rd party or vendor.

Data Processing Agreement

Unless you are a multi-billion-dollar SaaS business that is completely siloed, with its own data centres, you will rely on vendors for cloud storage, web analytics, email marketing and several other activities. The GDPR specifies that when you share user data with these vendors and 3rd parties, a written DPA is required.

The DPA is a legally binding contract that states the rights and obligations of each party concerning the protection of user data. A Data Processing Agreement identifies the data controller and data processor roles. The data processor must have auditable controls in place to ensure that user data is not leaked, lost or stolen. The GDPR also specifies hefty fines in case of non-compliance.
More details on this topic are available on the official website.

Typical Use Cases

  • A SaaS marketing team that wants to use an external email marketing service needs a DPA
  • A SaaS product manager who wants to display 3rd party advertising on the website needs a DPA
  • A SaaS product manager wishing to integrate with another SaaS or on-premise service may also need a DPA
The last use case is often overlooked by integration teams; I will post more about this in the future.

Bottom Line

If you want to engage consumers in the EU region and are sharing their data with vendors, get a DPA in place and have your processes properly audited. Going forward, such regulations are likely to affect your international reach and expansion, not just in the EU but in many other regions and countries.
