Privacy considerations for SaaS

Three key data privacy questions that overseas customers are likely to ask New Zealand SaaS businesses: can you answer them?

New Zealand’s thriving Software as a Service (SaaS) sector has achieved record-breaking growth in recent years and is on track to be the biggest contributor to GDP, generating more than $20 billion for the economy. The sector is poised for even greater growth with the allocation of $20m in Budget 2022 to develop local capability and market to the rest of the world. 

To fully maximise this opportunity, New Zealand SaaS businesses need to be aware of the privacy and data protection compliance requirements. 

This is because many SaaS products ‘touch’ personal information in some way. When a SaaS product collects, stores, uses or processes information about identifiable individuals (‘personal information’), then privacy and data protection considerations become relevant.  

New Zealand has a good reputation for data privacy, so our businesses are built on solid foundations. However, in many of the key markets that SaaS businesses might be targeting, the compliance requirements for data privacy are more prescriptive and heavily regulated. For example, in comparison to New Zealand, the United Kingdom and European Union (EU) have stringent privacy requirements, and the same can be said for an increasing number of markets, including China, some states in the USA (for instance, California) and, if current reform work continues, Australia. 

For New Zealand SaaS businesses expanding globally, there are three key questions that international customers are likely to ask:

1. Where will our data be stored?

Customers, particularly those in the EU and UK, are likely to ask where (as in, “which country?”) their personal information will be stored. This is because data privacy laws in the EU and UK place restrictions on transferring personal information across borders. As a general principle, EU and UK customers are likely to be comfortable if personal information is transferred to, and stored in, New Zealand. This is because New Zealand is considered ‘safe’ from a data privacy perspective under EU and UK law (the technical term is that New Zealand is deemed ‘adequate’). However, if a New Zealand SaaS business stores personal information outside New Zealand (for instance, in a data centre in Australia, or with a sub-contractor in India), this is not considered ‘safe’ under EU and UK law unless additional measures are put in place. These additional measures are usually contractual (see below).

The EU and the UK are not outliers in taking this approach; there is a global trend for countries to implement data transfer restrictions, or even data localisation provisions. 

If you’re a New Zealand SaaS company expanding globally, it is crucial that you have a clear picture of your personal information data flows. You must be able to articulate which countries data is coming from and where it is being transferred to, including onward transfers (for instance, if you send data to your off-shore data centres or back-office service centres). It’s also crucial to have a clear understanding as to how these data transfers are compliant, through the lens of your target buyer. Once you’ve got this picture, you can get on the front foot and publish this information alongside other product documentation, in order to address the "where will our data be stored?" conversation proactively.

2. Will you sign our data privacy contractual clauses?

If your SaaS product touches personal information, your buyers are likely to require you to sign specific data privacy contractual clauses. For EU and UK buyers, as well as buyers in some countries across Asia Pacific (such as Singapore), these data privacy contractual clauses are likely to follow a standard, approved form. If you’re taking a proactive approach, you might draft baseline terms which meet these regional forms for inclusion in your contract templates. Again, by taking a proactive approach, you might be able to avoid lengthy negotiation on data privacy contractual clauses. 

However, it’s important to be aware that these contractual obligations may go beyond the existing terms that you currently have in place in New Zealand. For instance, a UK or EU contract may require you to seek consent before you pass personal information on to a sub-contractor (e.g. a third-party data centre), and it may require you to maintain a list of the sub-contractors that will handle the data. It may also require you to notify security breaches to the customer within a set timeframe. Given that these obligations are likely to be governed by some hefty liability clauses, it’s crucial that they can be properly operationalised within your business: can you comply with the contractual obligations that you are signing up to, and can you provide evidence of that compliance?

3. Can you provide evidence that you can be trusted with our data?

Buyers outside New Zealand typically require SaaS providers to provide evidence that they can comply with the more stringent compliance obligations that exist in other parts of the world. 

In some instances, security certifications such as ISO 27001 (the international standard on how to manage information security) go a long way to providing this evidence. However, when it comes to privacy, they aren’t the complete picture. For SaaS products that involve heavy use of personal information, additional privacy evidence might be required. Some SaaS businesses might invest in privacy certification (such as ISO 27701) to sit alongside their security certification. Others might pull together a website page that centralises links to privacy notices, or other aspects of their privacy governance that they can show to overseas buyers. They might have a Privacy White Paper describing how they comply with a set of baseline, global privacy obligations (and, in particular, specifying how they meet obligations in their key territories). There might be FAQs answering some of the key questions discussed in this article, and addressing the granular privacy and data protection questions that buyers in key markets typically ask. All of this starts to build a picture of a business that takes data privacy seriously and can be trusted.

How can PwC Legal help?

The global expansion opportunity for SaaS businesses is an exciting one. By taking a proactive, one-to-many approach and understanding what questions buyers in key global markets are likely to ask, SaaS providers can get on the front foot when it comes to privacy. 

If you’d like help with any of the questions we’ve highlighted, please get in touch. Our data privacy lawyers are experienced in working in global markets and can help anticipate the key issues in advance.