“In the next three years, the value of data will increase, making it even more valuable than it is today. The more efficiently you store your data, the more benefits your business will see.” (Thomas Harrer, Chief Technology Officer IBM).
In the age of consumer loyalty, reward management systems have spread globally, mostly through cloud-based SaaS business models, because of their cost and time savings.
With the growing use of SaaS solutions, many businesses do not take stock of the volume of data flowing through these systems. The proliferation of endpoints that comes with SaaS poses a real security risk.
In the past decade, we have seen leading tech giants such as Apple, Facebook and Google face stiff government-imposed penalties of hundreds of millions of dollars (Facebook was fined $5 billion) for various breaches of consumer data security and privacy rights.
Who is responsible for protecting customer data security and privacy rights?
In a proactive approach to transparency and protecting consumer privacy, Apple released a video, “A Day in the Life of Your Data,” to give consumers deeper insight into how their data travels through the “app-mosphere” to reach third-party service providers. It also gave consumers better understanding of how their information is used.
A host of the top brands followed suit by becoming transparent in how they use consumer data, with Amazon and Dell Technologies striving to give customers greater control over their data.
While hackers are becoming increasingly brazen and use ever more sophisticated methods, most attacks can be avoided or thwarted when companies (both SaaS solution providers and buyers of the product) put practical, proactive checks in place to protect their customers’ personal information and privacy.
In short, data protection is everyone’s responsibility!
Data Security Due Diligence Checklist.
What to look out for while selecting a Reward Management System?
1. Ensure SaaS Data Security to Meet Compliance Standards (of your country)
As a data owner (the collector of customer data), it is important for you to know and understand the data protection laws and best practices of your country.
Below are a few data protection laws.
European Union General Data Protection Regulation (GDPR)
On May 25, 2018, the European General Data Protection Regulation permanently changed how businesses collect, store and use consumer data. These rules are regarded as the toughest privacy and security regulations in force, and they apply to companies anywhere in the world that handle personal data collected from or processed about EU citizens.
Personal data is defined as information about a real, identifiable person. It includes general information such as name, surname, gender and address, and in some instances sensitive information such as credit card numbers and social security numbers.
Data processing refers to collecting or recording personal information: how, where and why it is stored and transferred, and for what purposes it is analysed.
Singapore’s Data Protection Trust Mark (DPTM) Certification
Singapore launched its Data Protection Trust Mark certification to encourage organisations to operate with transparency, accountability and responsible data protection practices.
Developed by Singapore’s Infocomm Media Development Authority (IMDA), the certification is meant to reflect key elements of Singapore’s Personal Data Protection Act of 2012.
The DPTM is supported by 4 comprehensive principles aligned to the GDPR, i.e.:
- Governance and transparency
- Management of personal data
- Care of personal data
- Individuals’ rights
To obtain DPTM certification, an organisation goes through an assessment process and must be conversant with the protocols around data management, data protection and the handling of personal data.
It must also demonstrate an understanding of data security measures, retention, and the handling of individuals’ rights over their personal data.
In addition, the organisation is audited in two stages by external auditors approved by the IMDA.
The California Consumer Privacy Act (CCPA)
The CCPA came into effect on June 28, 2018. Although it is framed around five consumer rights, including the right of access to personal information, its compliance requirements for companies are largely in line with the EU GDPR.
The CCPA differs from the GDPR in that it is more specific in how it presents its regulations. It covers only information provided directly by the consumer, and it gives the consumer the right to opt out of having their information sold to a third party.
2. Ensure the SaaS Rewards Management System has Role-Based Access Control
While shortlisting your SaaS provider, ensure that the system has robust role-based access control features.
One of the best practices in data protection is to make sure that data is accessible only to the users who need it. Any user role that does not need customers’ personal data to do its job should not be able to reach that data in the system.
In short, access control should ensure that access to assets is authorised and restricted according to business and security requirements.
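The following is an added illustration of deny-by-default, role-based access to loyalty member records; it is not code from any rewards platform. The role names, permission strings, member record layout and sample member are all constructed for this example. A role holding only the rewards permission gets a projection of the record with the personal-data fields stripped out, a role with no recognised permissions is refused outright, and every decision is logged by member id rather than by the personal data itself.

```python
"""Deny-by-default, role-based access to loyalty member records.

Added illustration: role names, permission strings and the member record
layout are constructed for this example, not taken from any vendor.
"""
from typing import Dict, FrozenSet, List

# Fine-grained permissions let a role work with reward balances without
# ever being granted the member's identity fields.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "campaign_analyst": frozenset({"member:read_rewards"}),
    "support_agent": frozenset({"member:read_rewards", "member:read_pii"}),
    "privacy_officer": frozenset(
        {"member:read_rewards", "member:read_pii", "member:erase"}
    ),
}

# Fields classed as personal data; everything else is reward metadata.
PII_FIELDS = frozenset({"name", "email", "address", "national_id"})

# Constructed sample record for the demo (not real data).
SAMPLE_MEMBER = {
    "member_id": "M-1001",
    "name": "Example Person",
    "email": "person@example.com",
    "address": "1 Example Road",
    "national_id": "S0000000A",
    "tier": "gold",
    "points": 4200,
}

# Every access decision is appended here; a real deployment would ship
# these entries to a tamper-evident log store.
ACCESS_LOG: List[dict] = []


class AccessDenied(PermissionError):
    """Raised when a role lacks the permission for the requested action."""


def has_permission(role: str, permission: str) -> bool:
    # An unknown role falls through to an empty set, i.e. no access at all.
    return permission in ROLE_PERMISSIONS.get(role, frozenset())


def _log(role: str, action: str, member_id: str, allowed: bool) -> None:
    # The log carries the member identifier only, never the PII itself.
    ACCESS_LOG.append(
        {"role": role, "action": action, "member_id": member_id, "allowed": allowed}
    )


def view_member(role: str, record: dict) -> dict:
    """Return only the record fields the role is entitled to see.

    Roles with just the rewards permission get a PII-stripped projection;
    roles without even that are refused.
    """
    member_id = record["member_id"]
    if not has_permission(role, "member:read_rewards"):
        _log(role, "view", member_id, allowed=False)
        raise AccessDenied(f"role {role!r} may not view member records")
    if has_permission(role, "member:read_pii"):
        _log(role, "view_full", member_id, allowed=True)
        return dict(record)
    _log(role, "view_redacted", member_id, allowed=True)
    return {k: v for k, v in record.items() if k not in PII_FIELDS}


if __name__ == "__main__":
    print(view_member("campaign_analyst", SAMPLE_MEMBER))
    print(view_member("support_agent", SAMPLE_MEMBER))
    try:
        view_member("marketing_intern", SAMPLE_MEMBER)
    except AccessDenied as exc:
        print("denied:", exc)
    print(ACCESS_LOG)
```

When evaluating a vendor, ask for the equivalent of this permission table and the access log: which roles can see identity fields, whether an undefined role gets nothing by default, and whether refused requests are recorded.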
3. Review the SaaS provider’s data protection policy & retention policy
Your Rewards Management System SaaS provider should have a data protection policy in place that clearly sets out its security best practices, especially for data protection and retention.
Review your SaaS provider’s policy to check the controls in place to safeguard your data from unauthorised access, collection, use, disclosure, copying, modification, disposal and similar risks.
Additionally, review the retention policy to ensure that the personal data you entrust to the provider is retained only for as long as necessary to fulfil the purpose for which it was collected.
A comprehensive data protection and retention policy helps to mitigate threats, risks and vulnerabilities and enhances data security. A security policy should ideally include:
- Data protection policies and practices on the management of personal data (including employee data) by the company and by external parties it engages, e.g. service providers and data intermediaries, throughout the data lifecycle from collection, storage, use and disclosure to archival and disposal
- Queries, complaints and dispute resolution handling process
- Process to identify, assess and address data protection risks
- Data breach management plan
Your SaaS provider should define how it stores and deletes customers’ data in line with legal requirements. Deletion needs to be accurate and timely, and the relevant logs should be generated and retained.
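As an added illustration of what purpose-bound retention with a deletion audit trail looks like (not any vendor’s code), the block below enforces a per-purpose retention limit over a set of constructed member records. The retention periods, record layout and sample members are assumptions made for the example. Records that have outlived their purpose are dropped, a record under legal hold is kept but the exception is logged, and each log entry carries only the member id, purpose, action and reason, never the personal data that was erased.

```python
"""Purpose-bound retention enforcement with a deletion audit trail.

Added illustration, not any vendor's code: retention periods, record
layout and sample members are constructed for this example.
"""
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Maximum retention per collection purpose, in days. Constructed values;
# real limits come from your legal and contractual obligations.
RETENTION_DAYS: Dict[str, int] = {
    "loyalty_membership": 365,  # active programme membership
    "promo_signup": 90,         # one-off campaign entry
}


def is_expired(record: dict, today: date) -> bool:
    """True when the record has outlived the limit for its purpose."""
    limit = RETENTION_DAYS.get(record["purpose"])
    if limit is None:
        # Unknown purpose: no documented basis to keep it, so treat as expired.
        return True
    return record["collected_at"] + timedelta(days=limit) < today


def enforce_retention(records: List[dict], today: date) -> Tuple[List[dict], List[dict]]:
    """Return (records kept, audit log entries).

    A record under legal hold is kept regardless of age, and the hold is
    logged so the exception is visible to auditors. Log entries never
    contain the personal data fields themselves.
    """
    kept: List[dict] = []
    log: List[dict] = []
    for rec in records:
        entry = {"member_id": rec["member_id"], "purpose": rec["purpose"],
                 "on": today.isoformat()}
        if not is_expired(rec, today):
            kept.append(rec)
        elif rec.get("legal_hold"):
            log.append({**entry, "action": "retained", "reason": "legal_hold"})
            kept.append(rec)
        else:
            log.append({**entry, "action": "erased", "reason": "retention_expired"})
    return kept, log


# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"member_id": "M-1", "email": "a@example.com", "purpose": "promo_signup",
     "collected_at": date(2024, 5, 1)},
    {"member_id": "M-2", "email": "b@example.com", "purpose": "promo_signup",
     "collected_at": date(2024, 1, 15)},
    {"member_id": "M-3", "email": "c@example.com", "purpose": "loyalty_membership",
     "collected_at": date(2023, 3, 1), "legal_hold": True},
    {"member_id": "M-4", "email": "d@example.com", "purpose": "loyalty_membership",
     "collected_at": date(2023, 9, 1)},
]


def run_sample() -> Tuple[List[dict], List[dict]]:
    """Apply the policy to the sample set as of a fixed date."""
    return enforce_retention(SAMPLE_RECORDS, date(2024, 6, 1))


if __name__ == "__main__":
    kept, log = run_sample()
    print("kept:", [r["member_id"] for r in kept])
    for entry in log:
        print("log:", entry)
```

Ask the provider for the same three things the example makes explicit: the retention limit attached to each purpose, how holds and other exceptions are recorded, and a log of deletions that you can reconcile against your own records without it reproducing the deleted data.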
At the same time, evaluate the provider’s exit policy, in particular how all of your data will be transferred back to you.
4. Establish where the SaaS provider stores customers’ data
With cloud computing, data can be stored in large clouds that span multiple locations and servers across a wide geographic area.
In Singapore, according to the guidelines issued on 9 October 2019 under the PDPA, cloud service providers (including SaaS solution providers) that process personal data on behalf of their customers are considered data intermediaries and are subject to the protection and retention limitation obligations of the PDPA.
One thing you can check is that the SaaS vendor (your data intermediary) stores your data locally and with a cloud service provider that adheres to the ISO/IEC 27001 standard for information security management.
Greater data transparency, data security and protection of privacy are needed today in any system you choose to use. At the infrastructure and cloud services level, confidential computing has become the buzzword because of the volume of personal and sensitive information travelling across the ‘app-mosphere’.
With the growing use of SaaS solutions within a company, you must do in-depth research before appointing a SaaS vendor whose system you will use to store, collect or process your customer data, which is a company’s most valuable asset.