If your software-as-a-service business handles the personal data of people in other countries, you should get familiar with data privacy laws across the world – because you’re likely bound by them and your customers will require that you comply accordingly. If you violate the laws, you may be liable for hefty fines (or worse).
This goes for the personal data of people in the European Union, United Kingdom, Brazil, Israel, Argentina, Russia, or countless other countries. So – what steps do you take to make sure you are compliant?
1. Verify the Data Privacy Laws of the Country
It all starts with research. If you’re handling the data of a person in Italy, get your team to research the data privacy laws of the European Union, specifically the GDPR, and make sure your entire organization is following the rules set forth.
More countries are releasing more stringent rules around data privacy regulation every day, and it can be daunting to stay on top of. Consider assigning a member of your team to be the point person for all things data privacy – and to stay on top of new regulations and legislation as they go through the process in their respective countries.
2. Verify if you have to Register your Business with a Government Entity
Some countries require businesses to register with a central database managed by a government entity – informing the entity that the business is handling the personal data of their people. Understand what entity this is, and what you have to do to register.
Some countries may require you to register using a form in their own language. It may be a good idea to get a local consultant or counsel, located in the country, to guide you through the process – as you are likely not the first, nor the last, that needs help with this.
3. Verify if you have to Host Data on their Land
Certain jurisdictions require you to host the data of people located on their land domestically, before you transfer the data out into your jurisdiction.
Review the data privacy standards carefully to understand if this applies to you. It may be that the data is first collected and hosted on databases hosted in the country, before you export to your databases in the United States – which brings us to our next point.
4. Verify if there are Regulations to follow if you are Exporting Data to the United States
There may be extra steps to this process, especially if the country your business is headquartered in is not considered a country that follows “appropriate” data privacy standards.
Fun fact: the United States is on the list of countries NOT following “appropriate” data privacy standards for many countries. Make sure you’re on top of this.
5. Implement Proper Information Security Policies and Procedures
After you’ve done your research, it’s time to look inside your organization to ensure that you are employing appropriate information security policies and procedures to meet the requirements of international jurisdictions.
Just drafting policies will not be enough – you must make sure that your organization, as a whole, is actually following them.
This will also involve having deep discussions with your engineering team to understand the cost-benefit analysis of implementing international data privacy requirements.
6. Audit your Vendors
Most SaaS businesses utilize other SaaS providers to provide services to their customers. If you are handling personal data, that means your vendors are also handling personal data. It’s important that you ensure that your vendors are conducting the same level of research and diligence in data privacy laws and regulations. Audit your vendors accordingly.
7. Enter into Appropriate Agreements with your Customers
Your customers will likely require a Data Privacy Addendum/Agreement in addition to your standard sales contract. This will cover specific legal requirements for handling the personal data of people located in other countries, as well as within the United States (to follow other state data privacy laws and regulations). Make sure you review these agreements, understand your responsibilities therein, and enter into similar agreements with your vendors.
Let us Help
This is a very high level overview of how to approach handling the personal data of people in other countries. Kader Law can help you understand your requirements, and refer you to data privacy consultants, applications, and attorneys if and when necessary. Let’s connect.
This post is not legal advice, and does not establish any attorney client privilege between Law Office of K.S. Kader, PLLC and you, the reader.