
Enhancing Data Sovereignty Compliance via SaaS Backup

Written by SaaSAssure | Mar 4, 2025 9:52:22 PM


It’s a complex world for personal data. How many times does a person voluntarily hand over personally identifiable information (PII) when making a purchase online, or even when acting on behalf of an employer (for example, when downloading gated content)? With a quick click, that data may ultimately move digitally between countries.

None of this would matter if data breaches didn’t exist. But they do, and customer and user information is stolen, leaked, lost or mishandled in spectacular ways. Just past the midpoint of 2024, one billion data records containing personal information, billing information, government records and health records had already been stolen, according to TechCrunch.


The Data Sovereignty Era

The theft of citizen data, coupled with the knowledge that data is often stored in multiple locations outside a country’s control, has led to scrutiny of how businesses handle data. In a bid to protect citizen data, new rules governing how PII is gathered and processed have expanded in the last ten years. Many countries and regions now have rules that restrict how data may be collected and moved, for what purpose, and for how long it may be kept.

All these new rules and regulations fit under the concept of data sovereignty compliance. Data sovereignty is the idea that data is subject to the laws and governance structures of the nation where it is collected. This idea can be expanded to include other government structures, such as individual states in the United States. Many US states have enacted, or plan to enact, new data privacy laws in the next few years.

A Question of Responsibility

This raises some questions, especially in the more complex cloud and SaaS era. How does this affect data that’s in the cloud, or more specifically, what does this mean for companies using SaaS applications and services?

At first glance, this may seem to be a complex issue. Data collected from an Irish user is subject to the laws and rules of both Ireland and the EU, including its General Data Protection Regulation (GDPR). Likewise, data gathered in Australia is subject to the Australian Privacy Principles. Data collected in California, similarly, must meet the requirements of the California Consumer Privacy Act (CCPA).

Many SaaS providers operate in different regions of the world, and their servers can be in several locations. So how can this web of ownership and origin be sorted out? Fortunately for SaaS users, determining who is responsible for data is simpler than many may think.

SaaS providers and applications all operate under what is known as the Shared Responsibility Model. Under this model, the SaaS company agrees to secure and maintain the cloud infrastructure (servers, software, hardware, etc.) within which the SaaS application operates. The customer, however, is responsible for the accounts they create and all the data they generate. Even in their own terms and conditions, SaaS providers make it clear that the customer is responsible for this data and for its storage and protection. Some even specifically recommend that SaaS customers use third-party SaaS backup solutions to back up this data.


A Focus on Data Privacy

Most of today’s data privacy rules and regulations are concerned with consumer/customer data privacy. The point of these rules is to give citizens a way to redress grievances and some control over how their data is used. The focus is on keeping PII safe and secure, and on gathering it only under certain terms and conditions (the most important being user approval).

This simplifies matters for SaaS customers: it’s not that all data gleaned from any location falls under privacy rules; it’s primarily the PII that is gathered. Most data privacy rules focus on a common core of elements. Indeed, the CCPA closely follows the privacy focus of the European Union’s GDPR, and the CCPA has, in turn, influenced new data privacy laws in many US states. Here are the main areas of overlap between GDPR and CCPA:

  • Security: Both measures mandate that organizations secure personal data and impose fines for non-compliance.
  • Access and deletion: Users have the right to access their personal data and to request its deletion.
  • Opt-ins (consent) and opt-outs: Both rules mandate that users must have a way to opt in (consent to terms and conditions) and to opt out of the processing of their data. Data owners must also respond in a timely manner to requests to change consumer data.
  • Disclosure and limits: Both measures require organizations to disclose the specific purpose for gathering personal data.


Fortunately, many of these requirements can be addressed with clear approvals, terms and conditions, and other legal language. Others need more concrete processes; for instance, opt-outs must be tracked, recorded, and acted upon.


Addressing Data Sovereignty: The Critical Role of SaaS Backups

For many reasons, SaaS providers don’t want to become the focus of data rules and responsibilities. Indeed, this explains the explicit terms and conditions informing users that they are responsible for the data they create in their accounts. Still, the burden of complying with the aims of data sovereignty doesn’t have to lie heavily on SaaS users’ shoulders.

SaaS data backup solutions such as SaaSAssure, a new application powered by ultra-secure data backup leader Asigra, automate the process of exporting data from many SaaS apps. SaaSAssure uses preconfigured connectors for many of today’s most popular SaaS apps to simplify this process. This removes the backup burden from admins and data managers, freeing them for productive work. Automation also helps remove human error, another key cause of accidental data loss in the cloud.

Using SaaSAssure, organizations that rely on SaaS services can create timely backups of their SaaS data to meet RTO and RPO targets, and can perform granular restores to recover specific data. These backups are a critical step in ensuring SaaS data is safely protected and available for quick restores. SaaSAssure encrypts data both at rest and in transit using AES 256-bit encryption.

Users of SaaSAssure strengthen the protection of sensitive customer data by requiring additional security measures such as MFA on accounts. A first-of-its-kind authorization feature called MultiPerson Authentication (MPA) adds yet another layer of data privacy protection. With MPA, actions that could potentially harm backup databases (such as deletions or changing their location) require the approval of up to three other admins. SaaSAssure also helps MSPs strengthen SaaS protection for their clients.

In addition, the process of identifying where all PII resides, and within which SaaS apps, helps organizations map out their data and gives them a better picture of what kind of data exists where. This is crucial for finding data that may be out of sight of managers’ control or oversight. It is also a good exercise in preparation for regulatory scrutiny or for internal compliance and security audits.

Having access to a library of automated SaaS backups allows organizations to take in and more easily organize customer data. Rather than relying on SaaS provider backups, which may be a disorganized (and unencrypted) series of .CSV files, an organized SaaS backup of customer data allows organizations to structure this data in any way they wish.

Having access to this data at any time also makes it possible to react to customer requests promptly. Common requests to change customer data include opting out of email campaigns and asking for data to be deleted, changed or updated. Organizations with access to a daily updated record of customer data can fulfil these requests in a timely manner, removing any concern about not complying with current or future rules.


Restricting Access

Every business, large and small, wants to keep customer and consumer data as restricted as possible from prying eyes. This data usually exists in customer-facing departments such as marketing or ecommerce; internally, it can exist in payroll and HR departments. Customer data can be very fluid in many organizations, as different departments may want access to different databases containing sensitive customer data in order to market to or simply communicate with customers more effectively.

Controlling access to SaaS backup databases ensures that “oversharing” is restricted. SaaSAssure allows admins to set role-based access to these databases so that only approved employees can reach sensitive data. Extending role-based access also helps managed service providers share the workload with qualified staff. This access control, coupled with credential authentication through MFA and MPA, ensures access is restricted, controlled and organized, making SaaSAssure a reliable SaaS backup solution that helps clients experience less SaaS data loss.
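The layered checks described in the MPA paragraph above and in this section (MFA on the account, role-based access to backup data, and multi-person approval for destructive actions such as deletion or changing location) can be modelled as a single authorization gate. The following is an added illustrative example, not SaaSAssure’s code; the roles, quorum sizes and account names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed illustrative policy; not SaaSAssure's actual implementation.
ROLE_PERMISSIONS = {
    "viewer": {"read"},
    "operator": {"read", "restore"},
    "admin": {"read", "restore", "delete", "change_location"},
}
# Destructive actions gated by multi-person approval, with the number of
# OTHER admins who must approve (assumed values; the page says "up to three").
MPA_QUORUM = {"delete": 2, "change_location": 3}


@dataclass
class Request:
    requester: str           # account id of the admin asking
    role: str
    action: str
    dataset: str             # backup dataset the action targets
    mfa_verified: bool
    approvals: set = field(default_factory=set)  # ids of admins who approved


def authorize(req: Request, admins: set, audit: list) -> tuple:
    """Apply MFA, then role-based access, then multi-person approval.

    Returns (allowed, reason) and appends one audit record per decision,
    so denied attempts are recorded as well as permitted ones.
    """
    reason = "ok"
    if not req.mfa_verified:
        reason = "mfa required"
    elif req.action not in ROLE_PERMISSIONS.get(req.role, set()):
        reason = f"role {req.role} may not {req.action}"
    else:
        quorum = MPA_QUORUM.get(req.action, 0)
        # Only current admins count, and the requester cannot self-approve.
        valid = {a for a in req.approvals if a in admins and a != req.requester}
        if len(valid) < quorum:
            reason = f"{req.action} needs {quorum} other admins, have {len(valid)}"
    allowed = reason == "ok"
    audit.append({"who": req.requester, "action": req.action,
                  "dataset": req.dataset, "allowed": allowed, "reason": reason})
    return allowed, reason


if __name__ == "__main__":
    admins = {"alice", "bob", "carol", "dave"}   # constructed admin set
    log = []
    req = Request("alice", "admin", "delete", "crm-backup", True, {"alice", "bob"})
    print(authorize(req, admins, log))  # alice's own approval is ignored: denied
```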


The Future of Data Sovereignty

Data sovereignty is likely to expand, with evolving privacy rules and breach reporting laws addressing new concerns. To comply with data privacy regulations, organizations need control over their SaaS data, and that means managing it through cloud data backup and recovery solutions. This is the only way to ensure that data scattered among dozens of SaaS providers falls under the control of those who create it. A cost-effective SaaS backup solution like SaaSAssure can help organizations achieve that now and in the future.