Why should business roles bother with a compliance guide? Well, compliance is a very big deal these days, and it covers a lot of ground. Having a comprehensive guide can be very useful. In this article, we’ll dive into the most important compliance areas that affect SaaS companies. While we won’t get into the nitty-gritty that compliance and legal officers need, we’ll give you enough insight to get the gist of it. You’ll understand why it’s important, who’s responsible for what, and why compliance folks are counting on us – business people – to do our part.
You’ll also be better equipped to communicate with all your stakeholders – whether they’re customers, prospects, partners, suppliers, or even your own team. You’ll be able to clearly explain how you comply and why it matters to them.
Also, compliance can give you a competitive edge in the marketplace. On the flip side, a compliance incident can severely damage your reputation, which ultimately has financial consequences – and we’re not just talking about fines, but the risk of losing your business.
What’s more, if you’re preparing to launch a new service or offer a new application, it’s important to speak the language of compliance. That way, you can align your SaaS growth strategy in a way that not only makes sense, but also ensures peace of mind for your compliance colleagues or executive team.
By the end of this article, I hope you’ll have a better understanding of compliance and its implications for SaaS companies, and be fully on board with the idea that “compliance by design” is the smartest approach to moving forward.
A definition of compliance in the context of SaaS
Compliance for SaaS companies refers to the adherence to relevant laws, regulations, standards, and contractual obligations that govern the operation and delivery of SaaS products and services. This includes various aspects such as data protection and privacy regulations, security standards, legal requirements, and industry-specific regulations.
We’ll dive into each area and what’s specific to SaaS in a moment. One takeaway for now is that compliance ensures that SaaS companies operate ethically, protect user data, maintain security standards, and meet legal obligations. The result? You build trust with your customers and mitigate the risks of non-compliance, no matter where you operate in the world or what geographies you serve.
Let’s take a look at the categories of compliance that SaaS companies should prioritize.
Remember, no matter what compliance regulation you’re dealing with as a business function, you’re not in this alone!
We’ll help you identify the internal resources you can turn to for guidance, as well as partners who can help you navigate this space.
Data Protection and Privacy Compliance
Data protection and privacy compliance is about how your SaaS business interacts with and processes the personal data of current and potential customers and partners, including handling sensitive information and maintaining their privacy rights.
It’s obvious that every SaaS company deals with some sort of personal data – which can be any information that directly or indirectly identifies an individual. Some obvious examples include name, email address, and can extend to more sensitive information, such as social security number, or “hidden” information, such as behavioral data.
The appeal of SaaS businesses lies in their ability to instantly reach a global audience. When it comes to privacy, the global reach adds a new dimension due to varying regulatory frameworks.
GDPR (General Data Protection Regulation) in the EU
We started with the GDPR intentionally, as it is the first such comprehensive data protection and privacy regulation. The GDPR grants data and privacy rights to individuals and imposes compliance obligations on organizations. It prevents data misuse and assures citizens that their data is being handled properly.
Its main goal is to empower citizens to control their data and enforce strict penalties for non-compliance. Under the GDPR, EU citizens can access, correct, delete, object to, and export their data. Companies must disclose data details and promptly report breaches.
When will GDPR affect your business?
It applies if you sell your SaaS to citizens in the EU and EEA (European Economic Area), regardless of where you are located or whether you sell B2B or B2C.
You may have heard of the “GDPR Principles”, let’s see what they mean to you as a business role:
- “Lawfulness, Fairness and Transparency”: When dealing with personal data, it’s important to be transparent, fair, and follow the law, i.e. process the data with a valid legal basis. People should know what you’re doing with their information and you should always get their consent.
- “Purpose Limitation”: Use personal information only for the reasons you say you will. Don’t go off track and use it for something else without a good reason.
- “Data Minimization”: Don’t collect more personal information than you need. Keep it relevant and collect only what’s necessary for your purposes. For example, if you only need to know someone’s country, don’t ask for their city as well.
- “Accuracy”: Make sure the personal information you have is accurate and up to date, within reason. Check and clean up your contact lists.
- “Storage Limitations”: Don’t keep personal information any longer than you need to.
- “Integrity and Confidentiality”: Personal information should be kept safe and secure. Protect it from unauthorized access, loss or damage.
- “Accountability”: Organizations need to comply with the GDPR and be able to prove that they’re doing so. This means having the right measures and documentation in place to prove compliance. That’s definitely not your job in a business role, but you can help. For example, if you are in marketing and manage newsletter subscribers, document how and when consent was given to receive the newsletter. In essence, have a CRM or other system in place that automatically logs consent.
Who can help you with GDPR?
Talk to your data protection officer, chief compliance officer or legal team. If you’re a company with more than 250 employees, or in certain sectors like finance or healthcare, you’re required by law to have a data protection officer. You have probably heard of him/her by now! Smaller companies may have an internal DPO or an external DPO or consultant. Don’t hesitate to ask these experts about GDPR!
SaaS GDPR compliance checklist
With the above principles and definitions in mind, let’s run through a quick GDPR checklist that business roles – in this case, mostly marketers – need to consider.
- Display privacy policies and privacy notices. While marketers are not tasked with drafting these documents (that’s the job of the DPO and/or legal team), it’s critical for them to ensure that they are clearly visible and easily accessible on the website. For example, when hosting an event or webinar, make sure attendees can easily access the privacy notice specific to that activity. A general privacy notice may also work; check with your privacy team.
- Provide individuals with options to give consent to the processing of their data. In some cases, you can rely on legitimate interest as a basis for processing. In other cases, however, explicit consent must be obtained and documented (as mentioned above). In addition, you should ensure that individuals have mechanisms to revoke their consent, whether by unsubscribing, selecting specific subscription preferences, or requesting that their data be deleted from your systems. It’s important to note that individuals have the right to make such requests, with some exceptions that can be clarified by your DPO or legal team.
Example of a form submission that includes consent options and a link to the privacy policy.
Source: sumsub.com
- Have a website cookie compliance policy and a cookie consent bar
As part of the larger consent management project, you’re required to have a cookie consent bar. A simple and clear cookie policy not only keeps you compliant, it also shows site visitors that you value their privacy.
Take this seriously! Many national data protection authorities have begun issuing fines for cookie non-compliance. Not to mention, Google is sending emails to publishers or app owners if their sites and apps are not GDPR compliant. Google also announced that third-party cookies will end in Chrome this year, in 2024. Whatever tracking tool you choose instead, data collection will require consent regardless of the technology used.
There’s also Google Consent Mode v2 to think about. This is a new feature Google launched in 2022 to help website owners measure and improve their site analytics and advertising without compromising user consent. Google requires all sites that serve ads to or monitor the behavior of EU/EEA users to implement Google Consent Mode v2 by March 2024.
Example of a cookie policy that uses best practices: Display one-click options and a clear “Decline All” button.
Source: 2checkout.com
- Review and clean up your contact lists on a regular basis.
No one benefits from maintaining large, outdated lists with outdated consents. Conversely, managing large data sets incurs storage and processing costs. Work with your privacy and IT team to establish policies for data cleansing, updating, and retention.
- Help with DSRs = Data Subject Requests
As mentioned before, individuals have rights and can exercise them. They have the right to request access to the information your company holds about them, or to request that their information be permanently deleted, also known as the “right to be forgotten”.
How can you help? Well, everyone should be able to recognize a DSR and help the privacy team handle it. Especially if you’re in customer support, you’ll be trained on how to handle these requests and assist the privacy team.
California Consumer Privacy Act compliance (CCPA)
The CCPA is a major consumer privacy law in the United States. The CCPA grants California residents certain privacy rights and imposes obligations on companies that handle their personal information.
The principles of the CCPA are quite similar to the GDPR, and if you need guidance internally, seek assistance from your legal counsel, compliance officers, or designated privacy professionals.
Instead of going through a similar checklist as the GDPR’s, let’s look at the key differences between the two major personal data protection laws that would be relevant to a business role, someone in marketing or support, or even HR:
GDPR vs. CCPA – Key differences relevant to business roles
| GDPR | CCPA | |
| Who is regulated | Any organization that processes personal data of EU citizens, regardless of where the organization is located or what type of entity it is. |
Businesses with more than $25 million in annual gross revenue OR that collect, buy, or sell personal information from more than 50,000 California residents annually. |
| Personal data it refers to | Individuals | Individuals & Households |
| Consent | Opt-in Opt-in consent is a must. Users give their clear and explicit consent before their personal data is collected and processed. |
Opt-out
Businesses must provide a “Do not sell my personal information” option and allow consumers to opt out of having their information shared or sold to third parties. |
| Minors | Minors under the age of 16 require parental consent. EU member states may lower this age to 13 for their regions. | For children under 13, companies must obtain verifiable parental consent before selling their information. |
| Type of processing | Automated and non-automated means will be treated separately |
Does not specifically delineate a material scope. |
| What you disclose | The identity of the organization How they can contact you specifically for their GDPR rights What type of data you’re collecting, why you’re processing their data, and how long you intend to keep it. Mention with whom and where you’ll share the data. |
What type of data you collect and for what purpose
|
| Fines | Up to 4% of annual turnover or EUR 20 million, whichever is greater. | $2,500 per record for each unintentional breach; $7,500 (or actual damages) for each intentional breach. |
Example of a CCPA opt-out cookie consent banner.
Source: Verifone.com
Overall, CCPA compliance – like GDPR and any other compliance law – requires a collective effort across the organization to ensure that consumers’ privacy rights are respected and upheld.
Of course, there are many other privacy laws around the world with similar principles, such as Brazil’s General Data Protection Law (LGPD), New Zealand’s Privacy Act, or India’s Digital Personal Data Protection (DPDP).
In addition, you’ll need to consider other laws related to data, such as the Data Act in the EU, the EU Digital Services Act, or the forthcoming AI Act that will soon be approved by the EU Parliament.
Depending on the scope of your geographic operations, you should always consult with the privacy and compliance team to ensure that your department’s actions are compliant.
Information security compliance frameworks and standards
The privacy regulations we just examined typically include provisions related to security compliance. All of these regulations aim to protect personal information by requiring organizations to implement various security measures to protect it from unauthorized access, disclosure, alteration, or destruction. Examples of such measures include encryption, access controls, periodic security assessments, and incident response procedures.
Lawmakers have developed specific frameworks or standards to help organizations effectively manage security measures. Here’s a brief overview of the most important ones and why they are important for business roles in SaaS.
ISO 27001
ISO/IEC 27001 is an international standard that provides a framework for organizations to establish, implement, maintain, and continually improve an Information Security Management System (ISMS). ISO 27001 covers various aspects of information security and it is THE most recognized international standard for ISMS.
ISO 27001 was established in 2005, long before the GDPR came into effect.
While the GDPR focuses on personal data, ISO 27001 takes a much broader approach to data security. One thing is for sure: ISO 27001 certification is very helpful when it comes to GDPR compliance.
ISO 27001 does not cover everything in the organization that is related to information security. That’s why it’s important to understand the scope of the standard and how to market it to your customers and prospects. SaaS products require more attention here due to the increased complexity associated with servers deployed in cloud environments.
The benefits of ISO 27001 from a go-to-market perspective include:
- Enhanced reputation: Adopting the standard demonstrates to the marketplace that your organization is committed to addressing cyber risks. Don’t be shy about displaying the official ISO logo.
- Increased win rate: Meeting customer demands for a high level of technical and cybersecurity awareness from suppliers can lead to a higher success rate in securing contracts.
Guidelines for using the ISO logo and abbreviations from the International Organization for Standardization.
Source: iso.org
There are also other specific standards within the ISO 2700 series that you should be aware of, such as ISO 27018, which provides guidelines for protecting personal data in the cloud, or ISO 27040, which provides guidelines for protecting stored data, including data stored in the cloud, among many others.
Vendors demonstrate the use of ISO standards within their own operations and throughout the supply chain to build trust and enhance reputation.
Source: Verifone
NIS D and NIST
The Directive on Security of Network and Information Systems (NIS Directive or NIS D) is a European Union (EU) directive aimed at improving the overall level of cybersecurity in the EU. It requires operators of essential services and digital service providers (DSPs) to implement appropriate security measures and to report significant cybersecurity incidents to national authorities. The NIS Directive sets out specific requirements for sectors such as energy, transport, banking, and healthcare.
In addition to NIS, there’s also the NIST Cybersecurity Framework, which provides guidelines and guidance on how private sector organizations in the U.S. can review and improve their ability to prevent, detect, and respond to a cyber-attack.
Why should business roles care about ISO, NIS, or NIST?
Simply because by using these guidelines and standards, organizations can better protect their assets, reputation, and bottom line. Knowing and communicating about them is a plus.
Among many other security regulations, there’s HIPAA, the U.S. Health Insurance Portability and Accountability Act. HIPAA requires healthcare providers, including SaaS healthcare companies, to maintain the confidentiality and security of digital health information that is stored or transmitted.
Who should you turn to for help with security compliance?
Typically, information security managers, IT managers, chief compliance officers or chief security officers are responsible for coordinating and managing ISMS standards and frameworks.
SOC (Service Organization Control) Audits
At the intersection of finance and information security, SOC compliance certifies that a service organization has completed third-party audits and implemented certain security controls.
SOC reports are a set of standards that help service organizations demonstrate control over information and data security. If your SaaS business stores, processes, or impacts the financial or sensitive information of your user organizations or customers, you need SOC reports.
Independent third-party auditors prepare and attest SOC reports.
There are three main types of SOC reports: SOC 1, SOC 2, and SOC 3. These get even more granular, as there are different types of SOC2 reports, for example, but here we’ll look at a high-level difference between them.
| Focus | Who needs one? | Why relevant for a business role | Who’s in charge internally | |
| SOC 1 (previously known as SSAE 18) |
Financial controls and reporting | Organizations that provide a service that impacts the financial statements oftheir customers, such as payroll or payment processing providers. |
Useful if your customers need to comply with financial laws and regulations, improve corporate responsibility, and combat corporate and accounting fraud. For example, if they are a publicly traded company, they will need to comply with SOX and require a SOC 1 from their suppliers. |
Finance or accounting |
| SOC 2 | Operations and compliance (availability, security, processing integrity, confidentiality, and privacy) | All service organizations, including cloud service providers, i.e., SaaS companies. |
SaaS providers are often asked by prospects’ and customers’ legal, security, a copy of their SOC 2 audit report. |
The infosec and compliance team, in collaboration with IT. |
| SOC 3 | It’s a simplified SOC 2 packaged for public consumption | All service organizations, including cloud service providers, i.e., SaaS companies. | Used as a marketing tool to assure existing and prospective customers that the service provider has implemented appropriate controls to protect their data |
Marketing and sales, in collaboration with the compliance team. |
Example of how to demonstrate compliance and security standards.
Source: Hubspot.com
Financial & Payment processing compliance
IFRS & GAAP
IFRS, or International Financial Reporting Standards, are a set of accounting rules for how information should be collected and presented in financial reports. The standards ensure that information is consistent, comparable and credible throughout the world by using a common accounting language.
GAAP is a framework based on legal authority, while IFRS is based on a principles-based approach. GAAP is more detailed and prescriptive, while IFRS is more high-level and flexible.
Who should know about these standards, and which one applies to your SaaS business? Your CFO and finance team, of course.
PCI DSS – Payment Card Industry Data Security Standard
PCI DSS is one of the most important payment compliance standards, especially for organizations that process credit card transactions.
While there are other important compliance standards in the payments industry, such as EMV (Europay, Mastercard and Visa) for card-present transactions and PSD2 (Payment Services Directive 2) for online payments in the European Union, PCI DSS is widely recognized and enforced globally.
PCI DSS compliance is mandatory for any organization that processes, stores or transmits credit card data, making it a critical standard for ensuring the security of payment card information and preventing data breaches.
PCI DSS is enforced by payment card brands such as Visa, Mastercard and American Express. Failure to comply with PCI DSS can result in fines, penalties, and loss of business.
As a SaaS company that essentially is selling services online, you need to implement secure payment methods and encryption protocols to protect customers’ financial transactions from fraud and unauthorized access.
If this sounds daunting, what can you do to reduce the complexity of PCI DSS compliance? Well, it depends on the payment model you’re using and the type of payment processing provider you use. Your chosen payment processing partner can help tremendously!
Other standards that help keep online commerce a safe space include:
- Anti-money laundering programs that prohibit the movement of illegally obtained funds through online transactions.
- Know Your Customer processes, which take the form of customer identification programs used by merchants, banks, and even government agencies.
Follow the training programs suggested and required by your compliance and information security team, and you’ll be in the know!
Legal Compliance
Then there’s what has become “classic” legal compliance, which covers a lot of ground: ensuring that the company’s activities comply with legal requirements, providing legal support for internal processes, protecting trade secrets and confidential information, vetting counterparties before entering into business relationships, employment contracts, codes of ethical conduct for employees, and so on.
The legal team is also responsible for drafting an End-User License Agreement (EULA), a legally binding contract between the application or software owner and the end user. On the other hand, Terms of Service (ToS) typically govern the relationship between a company, its services, and its users or consumers. They cover a wide range of issues, including copyright and licensing, consumer rights, return policies, and governing law.
While both EULAs and ToS serve similar functions, EULAs focus primarily on the licensing aspect of the relationship. It’s worth noting that denominators such as “terms and conditions,” “terms of use,” and “EULA” are often used interchangeably in the context of software and applications.
Example: Provide a dedicated page with easy-to-find information on all the legal and compliance issues your customers or partners need.
Source: 2Checkout (now Verifone)
Other Types of Compliance
The list of compliance regulations doesn’t end there.
For instance, there’s accessibility compliance. When it comes to WCAG (Web Content Accessibility Guidelines), we’re talking about an impact on the website and other digital assets – clearly the domain of the marketing team, but also apps and SaaS products where developers play a key role.
Finally, as we wrap up our in-depth look at SaaS compliance, it’s worth mentioning the importance of keeping consumer protection on your radar.
While SaaS compliance is primarily concerned with regulatory requirements related to data security, privacy, and industry-specific standards, consumer protection overlaps with these issues in certain respects, particularly with respect to consumer data, privacy policies, transparent pricing and billing practices, secure transactions, dispute resolution mechanisms, and customer support best practices.
Even a small example can illustrate the depth and specificity required to comply with consumer protection laws in different jurisdictions. For example, in Germany, you must provide a one-click subscription cancellation feature.
Business roles involved in SaaS operations are particularly interested in knowing this, as it underscores the importance of addressing consumer rights and interests in the context of compliance efforts and the geographies you target.
In the fast-paced world of SaaS and digital business in general, ensuring transparency, respecting privacy, and being fair in your pricing and problem-solving can make a world of difference to your customers.
Final Remarks
I hope this article has given you a good understanding of what SaaS compliance is and what it means to your customers and your role in the organization.
It’s important to recognize that compliance offers numerous benefits that warrant your attention. It helps build trust with customers by showing them that we’re serious about keeping their information secure and doing things the right way. Compliance also serves to mitigate legal risks and potentially hefty fines, protecting the organization’s financial health and reputation.
Example of how you can demonstrate your commitment to compliance.
Source: Verifone
In addition, it’s critical to remain vigilant about the impact of AI on your work and compliance practices. As AI technologies continue to evolve, they present both opportunities and challenges. By staying informed and proactively using AI responsibly, we can more effectively navigate the complexities of compliance and maintain our commitment to ethical business practices.
So, as you navigate the compliance landscape, please remember that your responsibility doesn’t end with complying with regulations. It’s about balancing compliance with doing the right thing by your customers.
Finally, I hope it’s clear by now that incorporating “privacy by design” principles into your compliance efforts is essential. By doing so at the outset, you can more effectively address privacy concerns proactively and minimize the risk of non-compliance. And we all need to do our part, even if we are not part of the compliance or information security team.
