The EU's GDPR has led to a debate between those who feel it is advantageous to move to an on-premise solution to best meet the requirements of the GDPR, and those who feel that achieving compliance is independent of the hosting model.
On May 18 of this year, the European Union enacted the EU General Data Protection Regulation (GDPR). The GDPR provides strict guidelines for protecting, managing, and purging personal data for EU citizens. The guidelines apply to any company that processes data from EU citizens regardless of that company's location, so it affects most SaaS companies due to their global reach.
Of the many requirements within the GDPR, two in particular are noteworthy in terms of reviewing how you store and process data: data portability and right to access. Data portability refers to a user's right to receive all personal data concerning them that the company holds. Right to access allows users to enquire for which purpose a company is storing and processing their personal data and any subservices it may use.
Taylor Wakefield, COO of Gravitational, believes these two portions of the GDPR are especially debilitating to SaaS companies. Multi-tenant architectures especially may incur additional costs in identifying all user data. As Wakefield states,
You need to know what data you have on each user and produce it upon request in an electronic format for free… managing needles in a haystack. Gone are the days of just throwing everything in a data lake and figuring out how to process it later.
Chris Churilo, director of technical product marketing for InfluxData, agrees with Wakefield's view,
The costs for this implementation could be significant and may warrant offering an on-prem version to EU customers to keep the data collected within the EU and within the protection of the customer's own data center or private cloud.
As Churilo notes, "building an on-prem version of a SaaS solution has traditionally been difficult and cost-prohibitive". She and Wakefield both feel the additional constraints the GDPR places on user data are most cost-effectively handled by an on-premise solution. However, it's unclear from either post they both neglect to explain how an on-premise solution simplifies the data regulations provided by GDPR.
A commenter on Wakefield's post expands on this notion that on-premise may not help with meeting the GDPR constraints by bringing up the concept of controllers and processors. In the GDPR a controller is an entity that determines the purpose or the means of processing data. A processor processes data on behalf of a controller by following the controller's instructions.
If you are a SaaS provider that has the option of selling your software as on-premises, you are almost certainly a processor, not a controller. Bringing that SaaS software on-premise doesn't change much. If I'm a controller purchasing some big SaaS-like product to run myself, I'm going to insist it have GDPR features built-in. The third-party SaaS vendor will have to write GDPR feature whether they sell it as SaaS or on-prem.
Regardless of where you host your software, if you process or store user data you will need to be able to handle the requirements of the GDPR. As a provider of software, you will need to be able to identify all services in your ecosystem that store or process user data.
As Ann Marie Fred, senior software engineering manager with IBM, recently shared,
It takes time to document all of these things and it takes a lot of manual effort the first time you do it.
Unless you make an effort, you may not know what all of the services are in your organization.
John L. Myers, an analyst for Enterprise Management Associates (EMA) agrees with Fred:
Without an inventory of all the 'wheres' of customer, partner or supplier data that might be listed in the various data platforms, it will be difficult to automate out of the gate…
This will need to be done regardless of if you are SaaS or on-premise, and the move to be on-premise probably won't make this any easier. If you are wading through identifying all the services that are part of your ecosystem and are unsure where to start, Fred has some closing advice:
I would say don't be afraid to start. It's better to do the best you can then to be completely overwhelmed and say I can't even think about it. Basic IT security processes will cover you for quite a lot of [GDPR]. Decide how you are going to handle data subject access requests, because they are going to come in fast and furious.
If you work for a SaaS company with EU clients, what has been the approach taken by your company? Share with the community in the comments below.
/filters:no_upscale()/sponsorship/topic/2c0d72d2-1768-47c2-8f5b-24f3ef0ae0e0/QconNYrsb-1679560094156.png)
/articles/saas-career-opportunities/en/smallimage/logo-1669399046804.jpg){kind=logo}
/articles/infoq-software-trends-report-2022/en/smallimage/InfoQ-Trend-Report-logo-small-1672911593669.jpg){kind=logo}
/articles/dynamoDB-data-transformation-safety/en/smallimage/logo-1669045832728.jpg){kind=logo}
/articles/transatlantic-data-privacy-2022-virtual-panel/en/smallimage/virtual-panel-the-new-US-EU-data-privacy-framework-small-image-1663768696087.jpg)
/articles/cognitive-load-platform-engineering/en/smallimage/logo-1668609260559.jpg){kind=logo}
/presentations/infrastructure-control-plane/en/smallimage/Daniel Mangum-s-1665739290818.jpg)
/presentations/empathy-software-development/en/smallimage/qcon-plus-s-1680292453897.jpeg)
/presentations/operationalizing-ai/en/smallimage/qcon-plus-s-1680292123806.jpeg)
/articles/culture-trends-2023/en/smallimage/InfoQ-Trend-Report-logo-1680287660356.jpeg){kind=logo}
/articles/finops-systems-thinking-lens/en/smallimage/12-places-to-intervene-rethink-FinOps-using-a-systems-thinking-lens-small-1679995317220.jpg)
/articles/secure-software-development-gitops/en/smallimage/accelerating-secure-software-delivery-lifecycle-with-GitOps-small-1679658720410.jpg)
Community comments
words matter
by jason poley,
Re: words matter
by Daniel Bryant,
Re: words matter
by jason poley,
words matter
by jason poley,
Your message is awaiting moderation. Thank you for participating in the discussion.
use on-premises, and not on-premise.
they mean different things. a premise is not a building or data, thats a premises.
Re: words matter
by Daniel Bryant,
Your message is awaiting moderation. Thank you for participating in the discussion.
Words do indeed matter, as does focusing on the important things...
Thanks for the feedback Jason. I believe that while you may be technically correct, the industry has generally accepted the term "on-premise". There is an interesting and balanced discussion about this here: www.adamfowlerit.com/2017/04/premise-vs-premise...
I'm not going to make any changes to this article because of these arguments, but please do reply if you want to add anything. We are also always looking out for interesting article contributions that further the important conversations in IT, and so please do also get in touch if you would like to submit anything.
Best wishes,
Daniel
InfoQ News Manager
Re: words matter
by jason poley,
Your message is awaiting moderation. Thank you for participating in the discussion.
agree its a good article and your site is incredible. but i do disagree with just because so many people say it, this does not make it correct (or acceptable). I don't mean to detract from the overall content. just trying to help fix an error.. of which it is.
being accurate matters, especially in IT.