Rather than hosting and maintaining their own software, an increasing number of businesses are turning to software as a service (“SaaS”) providers who centrally host software and make it available to customers over the internet, usually for a subscription fee. The SaaS model often requires the customer to send personal data relating to its employees and clients to the SaaS provider. This can pose a significant data protection risk for both the customer and the provider. Below we provide five top tips on how SaaS providers can limit their liability whilst offering the customer comfort that their data is secure.
Almost any business operating in the UK which holds information about individuals is subject to the Data Protection Act 1998 (the “DPA”), and lack of compliance can result in significant fines or even criminal sanctions. The vast majority of the obligations under the DPA fall on the data controller, i.e. the party which determines the purpose for which the data is processed. When a customer transfers its data to a SaaS provider, the customer will usually be the data controller; however, both the customer and the SaaS provider can be deemed to be the controller in certain circumstances. The SaaS provider is normally a data processor, and savvy customers will therefore want optimal protection in their contracts with SaaS providers for breaches of the DPA.
Here are our five top tips for SaaS providers:
1. Ensure your customers have the right to provide you with the data to be processed.
According to the DPA, an individual’s personal data must be processed fairly and lawfully. Data controllers will normally rely on consent from data subjects to meet this requirement. If ‘sensitive personal data’ (such as information relating to the subject’s race, health, religion or political opinions) is being processed, the data subject must give explicit opt-in consent. From a practical perspective, a SaaS provider is unlikely to have any means of verifying whether its customers have obtained such consent from each relevant data subject.
SaaS providers should therefore seek protection in the form of a warranty from the customer. Preferably, the warranty should be drafted broadly and state that the customer has complied with all applicable data protection laws and regulations and is able to lawfully transfer its data to the SaaS provider to be processed as set out in the service agreement between the parties. In the absence of such a provision, the SaaS provider may be liable for a customer’s breach of the DPA should it later be classified as a data controller.
2. Cap your liability.
Whilst SaaS providers should seek to limit their liability as far as possible, a customer will not want to be left to foot the bill should things go wrong. Therefore, a balance must be struck. Sharp customers will usually require an indemnity for any fines or damages for which they become liable because of a breach of the DPA by the provider. Such a clause is likely to be non-negotiable. However, providers should seek to reduce their exposure by capping their liability appropriately. The cap could be linked to either: (i) the amount spent by the customer under the contract over a specified period; or (ii) the cap on the SaaS provider’s professional indemnity insurance coverage.
3. Make sure you have the right to subcontract.
The ability to subcontract is a vital tool for many SaaS providers, who are likely to use third parties for hardware, storage or network capacity. Ideally, a provider will have the ability to transfer data to subcontractors without restriction. However, customers may wish to retain some control over the data, and the involvement of third parties is likely to be a cause for concern. As a compromise, a SaaS provider can provide comfort to a customer by being contractually bound to ensure that the terms of its agreements with subcontractors contain data protection provisions as stringent as those in its contract with the customer. Where a customer is particularly concerned about subcontractors, it may insist that its consent be obtained before a new subcontractor may be appointed. Particular care is required where the customer data is to be processed outside the European Economic Area, a common occurrence when SaaS providers have data centres located in many different jurisdictions. If this is the case, a SaaS provider should ensure that the customer provides its written consent for such processing, in order to comply with the DPA.
4. Only process data in accordance with your customer’s instructions.
Under the DPA, an agreement between a SaaS provider and its customer must be in writing and provide that the processor may only act on the data controller’s instructions. The customer may wish to include detailed instructions as a schedule to the agreement to provide more control over how the data is processed. On the other hand, a provider may seek to avoid its obligations being listed in detail. In any case, a provider should include a provision that excludes any liability in respect of claims arising from processing within the scope of the customer’s instructions.
5. Put in place practical measures to prevent loss, destruction or damage of data.
The seventh data protection principle states that organisations must take “appropriate technical and organisational measures” to prevent loss, destruction or damage to personal data. This obligation is usually contractually restated as part of the service agreement between SaaS providers and customers. Some customers will also require their provider to comply with their own security policy. Providers should therefore ensure that they have appropriate practical measures in place. To ease compliance, providers may prefer the specific technological or organisational measures required by the customer to be clearly defined in the agreement.
There is also a growing trend for customers to perform audits of their providers to check their compliance with both the DPA and the service agreement. In order to provide an audit trail, providers should maintain detailed records of any personal data processing they carry out.
Whilst the tips above deal with the here and now, SaaS providers should also start turning their attention to the EU General Data Protection Regulation which will succeed the DPA in May 2018. Expect a follow-up blog in the near future to assist SaaS providers in their preparation for the new regime.