In this episode we share practical tips to help suppliers deal navigate some of the data related issues associated with taking SaaS to the world.
Data mapping provides a helpful snapshot of data processing activities of SaaS suppliers. This can then feed into wider legal compliance requirements. At a high level, data mapping is an investigation into your data flows. This would include things like where you collect data from, how this data is used, where this data is stored, whether this data is transferred to any third parties, and whether any of these third parties are located offshore.
Answering these questions can then help you better understand the data flows and the various parties involved. Having this information can allow you to check whether your customer-facing documents are fit for purpose and allow your customers to comply with applicable privacy laws.
A data map can also be a helpful tool for checking that you have the right contracts in place with hosting service providers and any other sub-processes.
SaaS suppliers operating in New Zealand must comply with the Privacy Act 2020. The moment you start transferring data overseas, such as to data centres or support departments offshore, you need to start thinking about the data export rules under the Privacy Act as well. Customers are likely to require you to comply with certain privacy provisions such as entering into model courses. This is to ensure that customers are able to comply with their own privacy obligations when they transfer data to you overseas.
Complying with data export requirements becomes more complex as you start to scale up and target other jurisdictions because each jurisdiction will have its own data export requirements. Some clients have data centres and support departments in each major region they operate in to avoid complex data export prerequisites. If budget allows, this could be an effective way of ensuring your data processing activities comply with all applicable laws. We also see clients assisting data exports through a GDPR lens as it has become a gold standard for privacy compliance globally.
Like here in New Zealand, privacy laws in many jurisdictions have extra territorial effect. This means that regardless of where you are based, if you are targeting customers or carrying on business in certain jurisdictions, the privacy laws of that jurisdiction may apply to you.
Once you've identified the key markets that you're keen to launch in, we recommend getting local Privacy Law advice to feed into your wider compliance program. To simplify compliance when you're operating in multiple jurisdictions, consider having one data processing addendum attached your SaaS terms that can be used for all applicable privacy laws.
We've helped numerous clients plan for and execute their data mapping strategies, as well as strategies for simplifying compliance with multiple overseas regulatory regimes. Being well prepared in this space not only lets you unlock additional value from existing data sets, but also makes your services more marketable to clients of all different shapes and sizes.
You can view the Digital Download Series episodes here.