How SaaS companies are gearing up for GDPR
SaaS companies are working with their clients to ensure their software is not putting consumer information at risk.

What do CEOs like Mark Hurd of Oracle and Michael Dell of Dell-EMC have in common? Their teams are busy getting clients up to speed with General Data Protection Regulation (GDPR) compliance.

Companies in the Software-as-a-Service (SaaS) industry are busy working with their lawyers to comply with the European law that protects consumers from being tracked. They are also racing to ensure that all their infrastructure and customers (retailers, bankers, and automobile companies) comply with the GDPR rules, so that data remains anonymous, stays in its country of origin, and is not tracked.

Only if the consumer opts in will the data be processed for personalisation.

What are SaaS companies doing?

Oracle, for example, handles business data for more than 25,000 SaaS customers throughout the world - across finance, human resources, supply chain, and customer experience - on a daily basis. It offers its services from EU-based local data centres.

Thomas Kurian, President of Product Development, Oracle, says the $37.7-billion corporation is telling its clients to protect their customers' data.

“Every business and developer has to ensure that they comply with GDPR rules in the country that they operate in, which means they have to ensure that even if an EU citizen is travelling and uses an application, their data is being protected and not tracked,” says Kurian.

What does this mean for Indian SaaS companies?

“There is no way you can escape from compliance,” says Layak Singh, founder of Artivatic. He says most of the organisations he knows of are becoming GDPR-compliant in order to streamline their business processes. Every organisation holds personal data, and it becomes critical to protect that data in every possible way.

SaaS companies have to ask some basic questions

Organisations are gearing up by identifying and organising the data they hold. Where is the data? Who has access to it? Can the organisation control it? Are all processors and data storage systems in place, and at what security level is the data protected? How is the data transferred within the organisation and outside it? Most organisations are working through these questions to avoid any GDPR infringement.

“Organisations are implementing ISO 27001 certification, keeping all data on the cloud, monitoring the data, and keeping processes and documentation in place, because they also know India will soon have its own data laws,” says Layak.

Basically, startups are applying a five-step formula to understand GDPR and prepare for any future regulation.

Access – Assessment of data access across governance, people, processes, data and security in the organisation.

Design – The implementation plan for each business activity is designed to be GDPR compliant.

Transform – Implementing procedures, processes and tools to ensure proper GDPR compliance.

Operate – Execution and monitoring of relevant business activities and processes, and management of consent, data subjects and access rights.

Conform – Implementing monitoring, assessment, auditing and reporting of adherence to GDPR.

“Any business involved in sectors like data-driven marketing, open banking, Blockchain, data lakes, consumer experience management, retail, health, finance, agriculture, supply chain and pharma will be under the GDPR radar,” says Layak.

More compliance

From a legal perspective, an organisation must either hire corporate and data lawyers or consult law firms to ensure all practices are followed effectively, so that there is no harm to business processes and operations now or in the future.

Any industry using user data must also guard against cyber-attacks and breaches. The law applies to both B2C and B2B startups, because both use consumer data in all their activities and processes.

“All startups in Machine Learning and Artificial Intelligence (AI) use data as the primary source to build their technology and business models. We are working with lawyers to understand how we can use data,” says Anirudh Shah, co-founder of AI startup 3LOQ.

Now, it is in the interest of large companies to protect the small companies in their accelerator programmes. Everyone, from Microsoft to SAP to Bosch, has an accelerator programme running in the country.

IERO, a Bosch-funded edge computing startup that draws information from sensors in retail stores, has been working for the last six months to ensure that the data collected from its edge devices in retail stores is anonymised. It works with some of the top retailers in Europe, and has worked jointly with them to ensure the devices don’t pull information from mobile phones or identify a registered customer unless the consumer has opted in to personalisation.

“We have signed a lot of documents to ensure consumer protection, and the regulation wants to know that the edge device does not make use of an individual’s information without their consent,” says SN Hemanth, co-founder, IERO.

Bosch has a global “Central Cyber Security” department, which has pushed all its startups and consumer businesses to be GDPR compliant. Over the last year, it has rigorously asked its startups questions on data privacy, required all of them to answer data-protection questionnaires, and kept those answers ready.

As mentioned in an earlier story, a startup with revenue of around Rs 70 crore per annum may have to spend a little extra on managing data within each country. Sources peg this 'little extra' at up to Rs 2 crore for a private cloud per client. So, if you are serving Germany, you have to maintain the data within Germany itself. If a company has more than 25 clients in Germany, for example, the cost of the cloud drops, as it can use a single server and fewer virtual machines. The costs go up, however, for a single customer, as the company then has to pay for the entire infrastructure.

The costs incurred mean a company has to invest in new data centre tools like storage and database management, and invest in high availability in each country. These large companies must work closely with their cloud vendor to ensure that data sovereignty is managed, and invest additionally in each country, which means the cost will go up significantly.

As for startups, it is AWS and Microsoft Azure that are helping them become compliant. "We have a lot of business in Europe; we are not scaling down. We migrated our services to AWS and signed all documents necessary for anonymity of clients," says Varun Mayya, co-founder of Avalon Labs. He adds that this way, the company does not incur additional costs, because AWS will migrate data to clouds based on the data sovereignty rules of each EU member state.

YourStory spoke to several businesses on their preparation, and many agree that they are scaling back operations, but refused to go on record.

"We are serving Europe indirectly; our clients in the USA and Middle East came back to us to make us compliant with GDPR. So, even if a European customer uses a US call centre, which we manage through our tech, we have to ensure that the customer has opted in, or, if he has opted out, then we don't use or track his or her data," says Umesh Sachdev, founder of Uniphore.

The additional costs will also come in the form of security costs.

Srinivas Rao, Co-Founder & CEO of Aujas, a security services and analytics company, says:

"In order to be compliant, businesses must begin by introducing the correct security protocols in their journey to reaching GDPR compliance, including encryption, two-factor authentication and key management strategies, to avoid severe legal, financial and reputational consequences."

A phase of panic

"It is a phase of panic, last minute preparations, double checking of steps taken and, for some, a continuing attitude of denial. Most business houses are frantically trying to put their house in order to be compliant with the data privacy and data protection related requirements of GDPR," says Supratim Chakraborty, Associate Partner, Khaitan & Co.

"What is most interesting to note is that the GDPR has forced business entities to sit up and take a serious look at the data that they have been amassing. Even the smallest of start-ups struggled to decipher how much data they had collected, where it had been stored and how it was processed. Therefore, I would say it is a good wake-up call which should be emulated by all businesses."

GDPR compliance should not be looked at only as an effort- and money-draining exercise, but as a business advantage that can be a differentiator in the market. An entity compliant with GDPR requirements would definitely command more confidence from customers than one that is not.

“This could hurt startups, but they will have to get used to regulation and ensure confidence to their consumers and clients,” says Naganand Doraswamy, founder of IdeaSpring Capital.

Hence, a lot of businesses will now have to pause their Europe expansion and ensure they are legally ready before they start operations again. To avoid that, consult lawyers immediately.