The EU's GDPR has led to a debate between those who feel it is advantageous to move to an on-premise solution to best meet the requirements of the GDPR, and those who feel that achieving compliance is independent of the hosting model.
On May 25, 2018, the EU General Data Protection Regulation (GDPR) became enforceable across the European Union. The GDPR sets strict requirements for protecting, managing, and purging the personal data of individuals in the EU. Those requirements apply to any company that processes such data regardless of where the company is located, so they affect most SaaS companies because of their global reach.
Of the many requirements within the GDPR, two in particular are worth reviewing in terms of how you store and process data: data portability and the right of access. Data portability gives a user the right to receive the personal data they have provided to a company in a structured, commonly used, machine-readable format, and to have it transmitted to another provider. The right of access lets a user obtain confirmation of whether a company is processing their personal data, for what purposes, which recipients (including any subprocessors the company uses) receive it, and a copy of the data itself.
Taylor Wakefield, COO of Gravitational, believes these two portions of the GDPR are especially debilitating for SaaS companies. Multi-tenant architectures in particular may incur additional costs in locating all of a given user's data. As Wakefield states,
You need to know what data you have on each user and produce it upon request in an electronic format for free… managing needles in a haystack. Gone are the days of just throwing everything in a data lake and figuring out how to process it later.
Chris Churilo, director of technical product marketing for InfluxData, agrees with Wakefield's view:
The costs for this implementation could be significant and may warrant offering an on-prem version to EU customers to keep the data collected within the EU and within the protection of the customer's own data center or private cloud.
As Churilo notes, "building an on-prem version of a SaaS solution has traditionally been difficult and cost-prohibitive". She and Wakefield both feel that the additional constraints the GDPR places on user data are most cost-effectively handled by an on-premise solution. However, neither post explains how an on-premise deployment actually simplifies meeting the GDPR's data requirements.
A commenter on Wakefield's post expands on this point, arguing that on-premise deployment may not help with meeting the GDPR's constraints, by bringing up the concept of controllers and processors. In the GDPR a controller is an entity that determines the purposes and means of processing personal data. A processor processes personal data on behalf of a controller, following the controller's instructions.
If you are a SaaS provider that has the option of selling your software as on-premises, you are almost certainly a processor, not a controller. Bringing that SaaS software on-premise doesn't change much. If I'm a controller purchasing some big SaaS-like product to run myself, I'm going to insist it have GDPR features built-in. The third-party SaaS vendor will have to write GDPR features whether they sell it as SaaS or on-prem.
Regardless of where you host your software, if you process or store user data you will need to meet the requirements of the GDPR. As a software provider, you will need to be able to identify every service in your ecosystem that stores or processes user data.
As Ann Marie Fred, senior software engineering manager with IBM, recently shared,
It takes time to document all of these things and it takes a lot of manual effort the first time you do it.
Unless you make an effort, you may not know what all of the services are in your organization.
John L. Myers, an analyst for Enterprise Management Associates (EMA), agrees with Fred:
Without an inventory of all the 'wheres' of customer, partner or supplier data that might be listed in the various data platforms, it will be difficult to automate out of the gate…
This will need to be done whether you are SaaS or on-premise, and moving on-premise probably won't make it any easier. If you are wading through the services that make up your ecosystem and are unsure where to start, Fred has some closing advice:
I would say don't be afraid to start. It's better to do the best you can than to be completely overwhelmed and say I can't even think about it. Basic IT security processes will cover you for quite a lot of [GDPR]. Decide how you are going to handle data subject access requests, because they are going to come in fast and furious.
If you work for a SaaS company with EU clients, what has been the approach taken by your company? Share with the community in the comments below.