How to Know if SaaS Data is Compliant


The landscape of laws and regulations on data privacy and retention keeps changing, and it is only getting more complex.

2023 saw five U.S. states enact or expand data privacy laws, the largest of which was California with the California Privacy Rights Act. In 2024, at least four states will enact new consumer privacy laws: Texas, Oregon, Florida, and Montana. New health privacy laws and amendments to existing privacy laws are also expected from Washington, Nevada, California, Colorado, and Connecticut.

So, what does all this have to do with SaaS data? All these changes are bound to make any business that uses SaaS applications ask: Does SaaS data need to be compliant too? Is compliance the responsibility of the SaaS vendor? 

The answer may be surprising: It doesn’t matter what SaaS vendors do or don’t do. They are not the ones responsible for securing and retaining customers’ SaaS data. Under the Shared Responsibility Model, which SaaS vendors operate under, the customer is responsible for all the data they create.

The “shared” part of the model can be explained this way: The vendor is responsible for the security of the cloud infrastructure (such as servers, hardware, software, etc.). The customer is responsible for the security and storage of data within the cloud. That’s all accounts and access to accounts as well as all the data they create, whether that data is lists of customers, mountains of code, or copyrighted images and art.  

Retention, Audits, and Privacy Concerns 

There’s no doubt these are heady times for the creation of new consumer or customer privacy laws. These are layered on top of existing rules and regulations, some of which originate from other regions, such as the EU’s General Data Protection Regulation (GDPR). Canada is considering a privacy law, Bill C-27, too, and Australia is expected to modernize its privacy laws this year as well.  

Data compliance now covers a long list of regulatory and legal requirements to preserve and store data securely. Some regulations mandate specific data retention periods. For companies that rely on SaaS apps and vendors, these laws all point to the same cure: SaaS customers need to practice comprehensive data backup.  

Without backups, companies risk non-compliance. Even if an organization is in an industry not affected by data retention rules, complete backups of all SaaS data ensure easier reporting in the case of regulatory scrutiny and audits resulting from legal action.  

Backups ensure that all that historical data is kept safe for future use. Many of these new consumer privacy laws are about giving consumers or customers control over their data. This may result in requests for data to be deleted or for the status of an opt-in approval to be changed. Such a request may come at any time, including long after the customer data was created. How, then, can any business comply with that unless it has complete records of all its data?

Complying with privacy regulations may mean altering or removing data held in many locations. These days, data often exists in many locations, even in the smallest company. Good SaaS backup solutions make it easy to map backup locations, giving the organization better insight into all locations where data is located.  

SaaS Vendor Problems  

Relying on SaaS vendors to provide backups of sensitive information is courting disaster. Data retention periods vary across vendors, making it very problematic if data is deleted and not backed up before retention periods end. In addition, SaaS vendor outages still occur, as well as ransomware attacks. Although many people think of ransomware when they think of SaaS data loss, accidental deletions and human error account for much data loss, too.   

In a study released last year, the Enterprise Strategy Group, an IT market research and analysis company, asked IT managers responsible for SaaS data protection about their experiences with data loss. Vendor outages and ransomware attacks were the number one and two most-cited reasons for data loss. However, 33 percent of data loss incidents were due to accidental deletions. Nearly as many (29 percent) of these incidents were caused by improper account shutdowns due to a failure to transfer data to other accounts.  

Vendors who do provide some form of backups don’t always make them easy to export, or may export them in formats that do not suit the needs of the customer. They may not even provide secure encryption for backups, making security in transit an issue.

Beyond Compliance: SaaS Backup Benefits 

The idea of securely backing up all the SaaS data an enterprise uses may sound like a daunting task. However, given the inherent dangers of running afoul of expanding privacy and data security laws, it’s becoming clear that comprehensive backups need to become standard practice. Of course, that’s easier said than done.

Luckily, the backup solutions market has stepped up to fill the void. Businesses of any size now have options to make SaaS backup easier. The best of these solutions are easy to install and use single-console control. They should also provide an additional layer of security such as encryption to ensure data is safe whether it’s in transit or at rest. Given the constant rise in adoption of SaaS apps, a backup application should cover the broadest number of apps, or function like a platform to which new apps can be added.

Other benefits of using SaaS backup software include the ability to restore data or recover quickly from attacks or outages. While prevention of malicious attacks is a top concern, the best defense is fast recovery and restoration from uncontaminated data. Also, having backups of all SaaS application data makes it much easier to switch SaaS vendors.

Summing Up 

Organizations shouldn't rely solely on their SaaS vendor for data security, as cloud-based data can still be lost due to outages, attacks, or human error. With evolving data privacy laws and secure data mandates, companies must be more diligent in securing their data. 

The best solution is for an organization to take complete ownership and back up all its data, whether within the company or scattered across the many SaaS apps in use. SaaS backup solutions make it far easier to stay compliant with new or existing data rules and laws.
