If you provide SaaS products or services to your clients as part of your business, this guide is for you. We’ll cover what you need to know if you handle end-user personal information, and what to consider when contracting for these services.
Handling and storing end-user data for your clients, especially personal information, comes with a unique set of risks. If you are a supplier of tech products or services (such as creating an app that you licence to a client) and your client is using it to store the personal information of their customers, you must have consent to handle personal information, and your customers will seek appropriate safeguards against potential loss or destruction of data.
How this is managed will depend on the subject of your contract, but in this guide we’ll cover some common considerations that will help you mitigate risks and ensure you and your clients are on the same page.
things to consider when you’re potentially handling personal information for your clients:
- Know your data: your contract should clearly set out:
- what the data is – data is often broader and more valuable than you think. E.g., data can include personal information, commercially sensitive numbers or calculations, or analytical data about products or services. It is essential that data is clearly defined within the contract
- who owns it – as a supplier, you generally won’t own the data. It is commonplace for clients to supply their data to you, to enable you to provide products and services
- what rights the non-owning party has – consider what rights you need to use it for the duration of the contract, and after termination or expiry. Ensure your rights to use the data to perform your obligations are clearly set out. Is the data something you can get value from? If so, ensure you can use the data (or any resulting insights) to improve your own products and services.
- Understand your rights and obligations: ensure that contractual requirements for storing or handling data are clear and that you have the processes in place to comply. Clients increasingly expect minimum requirements around storage and handling of data, so it is important to ensure that any obligation is reasonable and achievable.
- Limit your liability: you should ensure that your client is responsible for obtaining all consents required for you to use the data. Ideally, you would be able to exclude all liability or risks in your contract. However, many clients expect high liability caps or unlimited liability, as they are concerned about protecting the data that they have gathered. In this case, include clear obligations in the contract to ensure you can comply.
- Know your regulatory regime: if the data contains personal information, you will be subject to a privacy regime, which will change depending where you are contracting, and where you that personal information was collected. For New Zealand companies who are handling information that was collected in New Zealand, this usually means understanding your obligations under the Privacy Act. However, if you’re handling data that was collected overseas, you may need to understand your obligations under other laws.
For instance, we have seen an increased focus on privacy compliance in recent years, particularly with the General Data Protection Regulation coming into effect in 2018. While compliance can seem daunting, well–constructed privacy policies add value, and increasingly are seen as a source of competitive advantage as it allows you to use data effectively in your business. Also, clear, and well thought–out, privacy policies can be a great way to enhance the value of shared information and build the trust of data partners, customers and regulators.
- Have an exit strategy: Your contract should address what happens to data when the contract ends. E.g. do you need ongoing rights to use it; what must be returned or destroyed. The other party may be engaging with your competitors for a replacement service, so it is important that you address what happens when the relationship ends.
- Be future proof: will your needs change over the contract? If so, you could consider annual review periods to discuss fees and the scope of services provided. Or for longer term contacts, you could consider including off ramps like no fault termination rights, after an initial term.
Being responsible and proactive when dealing with data in contracts can minimize risk to your business, maintain trust with clients, and ensure you receive value as you provide tech products and services. If this is something that you’d like to discuss with us, get in touch.
by georgina leslie, 6 September 2019