By Joe Gaska
On August 20, 2021, the People’s Republic of China passed its first comprehensive data privacy law, the Personal Information Protection Law (PIPL). The law, set to take effect on November 1, 2021, imposes several new obligations on companies handling personal information collected from people in China. Among them, it requires that the collection and processing of personal information be limited to the minimum necessary for the organization’s stated purpose. It also reaches organizations outside China that process the personal information of people in China in order to offer them products or services or to analyze their behavior, so its impact is global.
This news comes amidst a wave of new data privacy regulations around the world, including several in the United States that have already passed or are in review, that aim to establish who is liable in the event data is mishandled. It’s clear that companies operating globally must find a way to comply with existing regulations while also preparing for new ones that will arise. They need to be proactive, implementing best practices that give them better control over customer data in order to safeguard personal information and avoid regulatory violations. Here’s how they can do it.
Understand the Situation
It’s crucial that companies understand the stakes associated with protecting customer data – that it’s about much more than complying with a single regulation. Of course, everyone wants to avoid fines and legal repercussions, but arguably even more important is cultivating stakeholder trust. Businesses can’t succeed without stakeholder confidence and customer loyalty – and a data privacy violation could be devastating to these relationships. To avoid this, companies need to be good stewards of the data they generate and collect.
Part of being a good data steward is knowing where customer data is stored and what each storage location does, and does not, protect. Massive amounts of data now live in third-party SaaS applications, which, according to ESG, account for one-third of the average organization’s mission-critical apps. A common misconception is that SaaS vendors such as Salesforce or Microsoft 365 are responsible for protecting that data. In practice the responsibility is shared: the vendor keeps the platform available and secure, while the customer remains responsible for its own data, including what is collected, who can access it, how long it is retained, and how it is recovered. A company that assumes otherwise can violate a new regulation like China’s PIPL without realizing it.
To avoid being caught unprepared for a new regulation and risking stakeholder trust and customer churn, companies need to proactively implement a robust security framework. This framework should be able to adapt over time so they can readily respond to changes in regulations and stakeholder expectations, rather than repeatedly re-architecting their data protection and privacy controls to catch up.
The foundation of this security framework must be data ownership. Rather than letting a SaaS application or a backup vendor’s infrastructure hold the only copy, businesses should keep their own copy in a cloud data lake they control, for example in object storage on AWS or Azure. Owning the data this way lets companies decide who can access it and from where, and reduces their exposure to loss or corruption in the SaaS platform. Ownership cuts both ways, though: the company now also owns the encryption, access policies, and logging for that copy, and a lake holding every SaaS record is a high-value target, so it needs least-privilege access and audit logging from the start.
Once companies own their data, employees can access the information they need, when they need it, without restrictions imposed by third parties. For instance, companies often pull their SaaS app data through the vendor’s APIs for use outside the app. Vendors, however, cap the number of API requests a tenant can make in a given period; requests beyond the cap are rejected, and raising it typically costs extra. Ad hoc downloads also lead to employees creating multiple versions of a data set, so no one can be sure they are working with accurate information, and to data sprawl as copies are saved to different locations, including unsecured personal devices.
Storing data in a central, company-owned cloud data lake replaces scattered, per-employee API downloads with a single controlled extraction path, and fewer copies on fewer endpoints means a smaller exposure surface and less chance of a breach. But backing up SaaS app data to the lake once isn’t enough. Companies need high-frequency, versioned captures that record every change in the lifecycle of the data, including where and when it was stored, altered, or copied, and by whom, written to an append-only log that cannot be quietly edited afterwards. That is what gives an airtight digital chain of custody, which is essential for audits and for demonstrating compliance.
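Two of the points above, the PIPL-style "minimum necessary" collection from the opening paragraph and the auditable chain of custody for every stored version described here, can be made concrete in code. The following is an added example, not the author's code and not any SaaS vendor's or cloud provider's API: a small ingestion pipeline that projects each SaaS record down to the fields allowed for a declared purpose, stores versioned copies in an in-memory stand-in for a company-owned lake, and appends a hash-chained entry (who, when, where, which content) for every new version so that any later edit, deletion, or reordering of the log is detectable. The purpose allowlists, field names, actor and source names, and the contact record are all constructed for the example.

```python
"""Purpose-bound ingestion of SaaS records into a company-owned lake with a
tamper-evident custody log. Added example; not the author's code and not any
vendor API. Allowlists, record layout, and the sample contact are made up."""
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical allowlists: the minimum fields for each declared purpose.
# Anything not listed is dropped before the record reaches the lake.
PURPOSE_FIELDS = {
    "support_ticketing": {"Id", "Name", "Email", "AccountId"},
    "sales_analytics": {"Id", "AccountId", "Industry", "Region"},
}

# Constructed sample record in a CRM-like shape (fictional person).
CONSTRUCTED_CONTACT = {
    "Id": "003A1", "Name": "Li Wei", "Email": "li.wei@example.com",
    "Phone": "+86 10 0000 0000", "Birthdate": "1980-01-01",
    "AccountId": "001B2", "Industry": "Retail", "Region": "CN",
}

def minimize(record, purpose):
    """Keep only the fields allowed for this purpose. An undeclared purpose
    raises KeyError, so the pipeline fails closed instead of storing all."""
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in record.items() if k in allowed}

def canonical_hash(obj):
    """SHA-256 over canonical JSON (sorted keys, no whitespace)."""
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

class CustodyLog:
    """Append-only log. Each entry commits to the previous entry's hash, so
    editing, deleting, or reordering any entry makes verify() fail."""

    def __init__(self):
        self.entries = []

    def append(self, action, actor, location, content_hash):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "when": datetime.now(timezone.utc).isoformat(),
            "action": action,              # what happened (store, copy, ...)
            "actor": actor,                # who did it
            "location": location,          # where the data went
            "content_hash": content_hash,  # exactly which content
            "prev_hash": prev,             # link to the previous entry
        }
        entry["entry_hash"] = canonical_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain from the start; False on any inconsistency."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if (e["seq"] != i or e["prev_hash"] != prev
                    or canonical_hash(body) != e["entry_hash"]):
                return False
            prev = e["entry_hash"]
        return True

class DataLake:
    """Versioned store keyed by (purpose, record id); a stand-in for a bucket
    in company-owned cloud object storage. Every new version is logged."""

    def __init__(self, log):
        self.versions = {}
        self.log = log

    def ingest(self, record, purpose, actor, source):
        slim = minimize(record, purpose)
        key = (purpose, slim["Id"])
        h = canonical_hash(slim)
        versions = self.versions.setdefault(key, [])
        if versions and versions[-1][1] == h:
            return None  # unchanged since the last capture: nothing to record
        versions.append((slim, h))
        where = f"{source} -> lake/{purpose}/{slim['Id']}/v{len(versions)}"
        return self.log.append("store", actor, where, h)

    def history(self, purpose, record_id):
        """Content hashes of every stored version, oldest first."""
        return [h for _, h in self.versions.get((purpose, record_id), [])]

def run_demo():
    """Ingest the sample contact for two purposes, including one update."""
    log = CustodyLog()
    lake = DataLake(log)
    lake.ingest(CONSTRUCTED_CONTACT, "support_ticketing", "svc-backup", "crm")
    lake.ingest(CONSTRUCTED_CONTACT, "support_ticketing", "svc-backup", "crm")
    updated = dict(CONSTRUCTED_CONTACT, Email="wei.li@example.com")
    lake.ingest(updated, "support_ticketing", "svc-backup", "crm")
    lake.ingest(CONSTRUCTED_CONTACT, "sales_analytics", "svc-backup", "crm")
    return lake, log
```

Calling run_demo() stores the same contact under two purposes plus one update, producing three log entries; the unchanged second ingest is skipped because its content hash matches the last stored version, and the sales_analytics copy never contains the name, email, phone, or birthdate because that purpose does not need them. In a real deployment the in-memory dict would be object storage with versioning enabled, and the log would go to a write-once location that the credentials used to write data cannot modify, otherwise the chain can be rewritten by whoever rewrites the data.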
Go Beyond Compliance
With full data ownership, historical SaaS app data can become more than just a protection check box for regulatory or data loss purposes. Data generated in SaaS apps can be an asset to organizations that effectively analyze it to improve cybersecurity, customer service and retention, sales and product development; streamline operations; and even feed machine learning and AI training sets. Companies can unlock these benefits by streaming historical data directly from their cloud data lake into industry analytic tools that identify patterns and provide actionable insights that inform future decisions and actions.
Rather than sitting dormant in your cloud storage as a collection of unintelligible data points, SaaS app data can provide a wealth of information when it is combined with these powerful analytics. This strategy helps organizations to better identify potential threats, predict market trends, and leverage opportunities as they arise. Companies that are reusing SaaS app data for these purposes will become truly data-driven, agile, and resilient.
The Future of Data Regulation
The conversation surrounding data privacy will undoubtedly continue as technology evolves and regulations become even more prevalent. Companies can be prepared for these changes by considering their internal policies sooner rather than later and establishing best practices now that not only engender stakeholder trust but also provide a competitive advantage.