Not long ago I had an eye-opening conversation...
I was speaking with the customer service rep of a SaaS company about a support ticket I had raised, and she sent through a screen recording of the settings I needed to solve the problem. That should have been it.
But, in this video, it was clear that the support team for this company had full access to every area of my account - including data that contained personal information about all of our employees.
Me: “Do you have unrestricted access to our data?”
Rep: “Yes. But We Take Privacy Very Seriously.”
Me: “That’s great to hear ... I’d like to cancel my account.”
This true story from YouCanBook.me CEO and co-founder Bridget Harris could probably happen with hundreds of other companies that you use every day. It was a lightbulb moment for her.
“Just saying ‘Privacy is very important to us’ doesn’t mean your systems are safe. It’s totally meaningless if you don’t back it up with internal practices to ensure that data is secure,” she says.
“You can say all you want that you care about security and data. What really matters is: Who's got access to your data? How do you protect data?”
It was a timely interaction for Bridget who, as the CEO of a SaaS tool with customers around the world, was working through some big decisions about how best to implement data security practices and ensure compliance with global standards.
“A couple of different factors came together to push SaaS Security quickly up to the top of our agenda,” says Bridget.
“The first thing that really brought us to awareness of how we treated data was GDPR in 2018. We had to make a couple of changes there, like allowing customers to delete data, things we hadn’t really thought through before — we were moving so fast and it was easy to say, ‘we’ll deal with that later’. GDPR forced us to say, ‘No, we’re going to deal with that now.’”
In case you weren’t paying attention back in May 2018, the EU’s General Data Protection Regulation (GDPR) had a huge impact on businesses of every size, in almost every country around the world. Any organization processing the personal data of people in the EU, wherever that organization was based, had to have procedures to protect that data and to give customers and employees control over their own personally identifiable information (PII): the right to see it, correct it, export it and have it deleted.
“GDPR had a huge impact. All of a sudden, we had a deadline to comply with some of the strictest privacy laws ever. You could no longer just say data privacy is really important to us. It's either a yes or no: you either secure it or you don't secure it. People either have access to it or they don't have access to it.”