It’s been well over a year since GDPR was implemented, and the results across industries have been profound — both in the EU and beyond. More than ever before, internet users are aware of how important it is that their personal data be safeguarded, and they’re taking action when necessary (whether through social media pressure, official complaints, or both).
This alone is good reason for companies to be concerned. Any that stores data of EU citizens is subject to regulation, but even businesses that don’t can be scrutinized. The matter of compliance doesn’t stop there, though, particularly in certain areas. SaaS finance is a prime example, taking sensitive data and routing it through the web on a daily basis.
We’ve already alluded to some major issues, so let’s now take a closer look at the compliance demands that SaaS finance businesses really should treat as priorities:
Storing only the data that’s necessary
Four of the six foundational principles of GDPR are relevant here: purpose limitation, data minimization, storage limitation, and accuracy. Any data that an organization stores must be collected for a specific and clearly-stated purpose, kept to a practical minimum, and deleted when it’s no longer necessary for the aforementioned purpose.
GDPR also empowers any individual to request the deletion of their personal data, except when there’s legal obligation or a public interest reason to keep it — and if the data is inaccurate or incomplete, the request needs to be met within 30 days. This pushes the companies storing it to get rid of the data entirely or completely anonymize it. It still isn’t common, but the more cavalier you get with data storage, the more likely it is that you’ll push someone to complain.
There are several potential problems with this, including the vagueness of data being “necessary” (if you store data for several years between customer purchases, is that justified by their eventual return?) and the onerous nature of consistently scrubbing data — particularly when it’s on a large scale. And while it’s true that any company making a basic effort should be fine, the prospect of someone with an axe to grind opening an investigation is highly frustrating.
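One way to make the storage-limitation and erasure points above concrete is a retention sweep that ties every stored record to the purpose declared at collection, anonymizes records whose purpose has expired (or that never had one), and honours erasure requests except where a legal hold applies. The following is an added example written for this article, not code from the original post; the purposes, retention periods and sample records are all constructed placeholders, not figures from the article or from any regulation.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed retention policy keyed by the purpose declared at collection time.
# The periods are placeholders chosen for illustration, not figures from the article.
RETENTION_BY_PURPOSE = {
    "invoice_processing": timedelta(days=365 * 7),  # hypothetical bookkeeping period
    "marketing": timedelta(days=180),
    "trial_signup": timedelta(days=30),
}

# Fixed "current time" so the sweep is reproducible.
NOW = datetime(2021, 1, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class PersonalRecord:
    record_id: str
    subject_id: str           # identifies the data subject
    purpose: str              # the specific purpose stated when the data was collected
    collected_at: datetime
    email: Optional[str]
    full_name: Optional[str]
    amount_cents: int         # non-identifying business value that may survive anonymization
    legal_hold: bool = False  # a legal obligation to retain overrides expiry and erasure
    anonymized: bool = False


def anonymize(rec: PersonalRecord) -> PersonalRecord:
    """Strip every field that identifies the subject; keep only the non-personal residue."""
    return replace(rec, subject_id="anonymized", email=None, full_name=None, anonymized=True)


def is_expired(rec: PersonalRecord, now: datetime) -> bool:
    """A record with no declared (or unknown) purpose has no justification to exist at all."""
    limit = RETENTION_BY_PURPOSE.get(rec.purpose)
    if limit is None:
        return True
    return now - rec.collected_at > limit


def sweep(records: List[PersonalRecord], now: datetime) -> List[PersonalRecord]:
    """Storage-limitation sweep: anonymize expired records unless a legal hold applies."""
    out = []
    for rec in records:
        if rec.anonymized or rec.legal_hold or not is_expired(rec, now):
            out.append(rec)
        else:
            out.append(anonymize(rec))
    return out


def erase_subject(records: List[PersonalRecord], subject_id: str) -> Tuple[List[PersonalRecord], List[str]]:
    """Erasure request: anonymize all of a subject's records; report those kept under legal hold."""
    out, refused = [], []
    for rec in records:
        if rec.subject_id != subject_id or rec.anonymized:
            out.append(rec)
        elif rec.legal_hold:
            out.append(rec)
            refused.append(rec.record_id)
        else:
            out.append(anonymize(rec))
    return out, refused


def sample_records() -> List[PersonalRecord]:
    """Constructed sample data: two subjects, one record with no declared purpose."""
    base = datetime(2020, 1, 1, tzinfo=timezone.utc)
    return [
        PersonalRecord("r1", "s1", "invoice_processing", base, "a@example.com", "A Person", 1999, legal_hold=True),
        PersonalRecord("r2", "s1", "marketing", base, "a@example.com", "A Person", 0),
        PersonalRecord("r3", "s2", "trial_signup", base + timedelta(days=350), "b@example.com", "B Person", 0),
        PersonalRecord("r4", "s3", "", base, "c@example.com", "C Person", 500),
    ]


if __name__ == "__main__":
    for rec in sweep(sample_records(), NOW):
        print(rec.record_id, "anonymized" if rec.anonymized else "kept", rec.email)
    kept, refused = erase_subject(sample_records(), "s1")
    print("erasure refused for (legal hold):", refused)
```

Running the sweep at the fixed date keeps the one-year-old invoice record and the fresh trial signup, and anonymizes the stale marketing record and the record that was stored without any stated purpose; the erasure request for subject s1 anonymizes the marketing record but reports the invoice record as retained under legal hold, which is the information the company would need to give the requester.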
Keeping vital data protected
Another of GDPR’s principles is integrity and confidentiality, stating that businesses must guarantee “appropriate security […] including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage”. Once again, we face the issue of vagueness. What level of protection is “appropriate”? For finance, at least, you can only assume that anything less than a major effort will be considered insufficient.
With security threats changing on a near-constant basis, this calls for SaaS finance companies to keep their security safeguards updated and protected through solid internal IT practices. Their transactions are particularly important, needing to meet or exceed the PCI standard for storing and using cardholder information, adhere to the data limitations, and provide exceptional UX, all at once. That’s a delicate balancing act.
The last of GDPR’s principles is lawfulness, fairness and transparency, and the very last part of it is vitally important when talking about privacy policies. Businesses are no longer permitted to maintain veils of secrecy, never disclosing what they’re doing with the data they store — or even what data they store. The wild west of the internet is steadily being cleaned up.
Getting informed consent
Consent in GDPR is something of a mess, all because of a common lack of clarity over when it’s technically required. If you’re collecting data obviously required for your expected process, you shouldn’t ask for consent, because you can’t realistically do anything without it. If it’s possible to continue in some sense without the data in question, then you must ask for consent.
As for what consent involves, it must be unambiguous with a “clear affirmative action” for each processing operation. For instance, you could have a cookie pop-up giving the user a set of toggles to cover a variety of data processing elements. With many pieces of personal data being absolutely required for SaaS finance, companies must think carefully about what’s optional and what isn’t, and only ask consent for anything they could plausibly do without.
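The two points above, that consent is only asked for processing the service could do without and that it must rest on a clear affirmative action per operation, translate into a small consent ledger. The following is an added example written for this article, not code from the original post; the purpose names, the split between required and optional purposes, and the sample events are constructed placeholders for a hypothetical SaaS billing product.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Constructed processing operations for a hypothetical SaaS billing product.
# Required purposes are those the service cannot run without, so they are not
# put behind a consent toggle; every optional purpose gets its own toggle.
REQUIRED_PURPOSES = frozenset({"invoice_processing", "fraud_screening"})
OPTIONAL_PURPOSES = frozenset({"marketing_email", "usage_analytics", "partner_sharing"})


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str
    granted: bool
    affirmative: bool      # True only if the user actively flipped the toggle;
                           # a pre-ticked default is not a clear affirmative action
    recorded_at: datetime


def purposes_to_ask() -> List[str]:
    """Only the operations the company could plausibly do without appear in the pop-up."""
    return sorted(OPTIONAL_PURPOSES)


def consent_state(events: List[ConsentEvent]) -> Dict[str, bool]:
    """Latest event per purpose wins; a grant that was not an affirmative action is ignored,
    while a withdrawal is always honoured."""
    state: Dict[str, bool] = {}
    for ev in sorted(events, key=lambda e: e.recorded_at):
        if ev.granted and not ev.affirmative:
            continue
        state[ev.purpose] = ev.granted
    return state


def may_process(purpose: str, events: List[ConsentEvent]) -> bool:
    """Required purposes proceed without consent; optional ones need a recorded grant;
    anything not declared as a purpose is never processed."""
    if purpose in REQUIRED_PURPOSES:
        return True
    if purpose not in OPTIONAL_PURPOSES:
        return False
    # Absence of a consent record means no consent.
    return consent_state(events).get(purpose, False)


def sample_events() -> List[ConsentEvent]:
    """Constructed consent history for one subject."""
    t0 = datetime(2020, 6, 1, tzinfo=timezone.utc)
    t1 = datetime(2020, 7, 1, tzinfo=timezone.utc)
    return [
        ConsentEvent("s1", "marketing_email", True, True, t0),    # opted in
        ConsentEvent("s1", "usage_analytics", True, False, t0),   # pre-ticked box, never touched
        ConsentEvent("s1", "partner_sharing", True, True, t0),    # opted in
        ConsentEvent("s1", "marketing_email", False, True, t1),   # later withdrew
    ]


if __name__ == "__main__":
    print("ask for:", purposes_to_ask())
    for p in sorted(REQUIRED_PURPOSES | OPTIONAL_PURPOSES | {"resale"}):
        print(p, "->", may_process(p, sample_events()))
```

With the sample history, invoicing and fraud screening proceed without asking, partner sharing proceeds on the recorded opt-in, marketing email is blocked because the later withdrawal wins, usage analytics is blocked because a pre-ticked box never counted as consent, and an undeclared purpose such as resale is refused outright.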
With the ePrivacy Regulation likely to achieve full implementation sooner or later, GDPR should be extended and clarified to do away with the aforementioned clumsy phrasing. By that point, SaaS businesses will really need to have all their processes figured out, because the risks of failing to comply will get significantly more worrisome.
Adhering to tax regulations
GDPR isn’t the only concern, because there’s also the thorny matter of tax calculation. Finances almost always need to be taxed at some point, and it often falls to SaaS providers to carry out the necessary calculations (and even registrations) on behalf of their customers. It’s generally a big selling point — for instance, Wave Payroll points to its “Payroll Accuracy Guarantee” (a guarantee that tax calculations will always be correct) as a core strength of the system, as is the case with other payroll outsourcing and software development services.
Tax compliance when handling customer finances isn’t just important for looking professional and maintaining a good reputation. It’s also an effective legal necessity, because saying you’ll deal with something to a reasonable standard puts you on the hook should there be a problem. If a company messes up some tax calculations and their customer falls foul of the law, the blame will rapidly be redirected to the culpable party.
Avoiding guilt by association
SaaS wouldn’t have risen to its current heights if it weren’t so ripe for integration. Through APIs and services such as Zapier, cloud-based services can readily combine to achieve remarkable levels of power, versatility, and convenience. This presents a problem, however. Just as each plugin added to a CMS needs to be as strong as the CMS itself, the integration-friendly design of SaaS systems can leave them relying on linked systems to be similarly compliant.
If data securely stored on your system is accessed by another system, you can’t know exactly what will happen to it. What if that data gets copied and stored elsewhere for whatever purposes? Despite working diligently to adhere to GDPR and other regulations, you’d attract a great deal of criticism if that data abuse were traced back to you.
What this means, then, is that it’s essential to work exclusively with companies that are also committed to full compliance. In general, it’s best to have a compliance expert review prospective partners or affiliates before making any decisions.
The SaaS world has greatly expanded the possibilities of the financial world, but that increase has also presented fresh complexity when it comes to matters of regulation. With GDPR already in effect and likely to be extended in the near future, any company performing financial operations online needs to be aware of all of these concerns — and take action accordingly.
Kayleigh Alexandra is a writer and campaign designer for MicroStartups, a website focused on helping charities and microbusinesses. After years working in the sustainability, marketing and creative industries, Kayleigh now loves to devote her time to supporting other businesses to grow and thrive. Visit her blog or follow her on Twitter @getmicrostarted for the latest news, tips and advice for startups and solopreneurs.