Life after Schrems II: The SaaS advantage for managing regulatory change
Data security has become table stakes for doing business online. Privacy regulation is strengthening globally, and customers are becoming increasingly informed about the data protection practices of the companies they choose to engage with.
If the seismic shift to remote working practices in the post-COVID world was the acceleration point for many companies to focus on their external data flows, then the aftermath of the Schrems II decision issued by the Court of Justice of the European Union (CJEU) represents the inflection point when the secure passage and storage of data became more than a compliance checkbox. Stated simply, on July 16, 2020 Europe’s top court invalidated the EU-U.S. data transfer mechanism called ‘Privacy Shield’. The ruling became effective immediately, leaving U.S. companies scrambling to explore other legal data transfer options from the EU.
The impact of Schrems II
Like most regulatory decisions, commentators have different opinions about the implications of the ruling. While some data security professionals have reacted as if the sky is falling in, at Crownpeak we adopt a more measured approach (view my detailed legal perspective on Schrems II for the Cloud Software Association). Transatlantic data will continue to flow, but companies need to examine their data practices and select vendors with increased care to ensure their data protection processes are secure and legally-compliant.
In the wake of the ruling, a key point of focus for organizations should be their Digital Experience Platform (DXP) or Content Management System (CMS). A company’s DXP provides the foundation for their online customer experience and needs to be strategically positioned to manage and adapt to regulatory change.
How SaaS providers can help
This is one area where Software-as-a-Service (SaaS) providers, like Crownpeak, shine. Indeed, one of the key benefits of SaaS is that responsibility for managing the complexities of global regulations falls to the provider. At Crownpeak, we make compliance easy for our customers by assuming accountability for handling all the regulatory, privacy, and security risks associated with the website infrastructure. In comparison, companies with on-premises solutions, are faced with a major headache as they are left to negotiate complex legal territory themselves.
In addition, SaaS providers are uniquely qualified to deliver convenient end-to-end encryption and transparency around data storage in a manner that enhances, rather than interferes, with the user experience. At Crownpeak, our content delivery services are powered by Amazon Web Services (AWS), the gold standard in web hosting, providing seamless, best-in-class data protection and security in the cloud.
What about martech?
Of course, no modern website is a walled garden. So, what about a company’s wider ecosystem of martech integrations? Martech tags necessarily access your website data to provide the required services to you. The problem is they often contain hidden code, or ‘piggyback tags’ that open the door to third-parties too. Post-Schrems II it is imperative for organizations to know exactly what martech vendor tags are on their sites and how data may be shared (or leaked) without authorization. Tools like Crownpeak TagControl with Trackermap; should be an essential part of any marketer’s Privacy UX toolset, providing visibility and control of all the upstream and downstream tags and trackers present on your website, and alerting you to potential risks and vulnerabilities. Combined with our Universal Consent Platform it delivers a seamless, ironclad solution for managing user consent and permissions.
Mitigating risk and seizing opportunity
The Schrems II ruling is part of a rising tide of global regulations, and comes in the wake of GDPR, CCPA and LGPD. While some companies will view it as yet another regulatory hurdle to overcome, savvy businesses will embrace it as an opportunity to create strategic advantage by honing their privacy experiences and building greater trust and loyalty with their customers.
To learn more about the implications of Schrems II for your organization and how to implement a robust data privacy program that will deliver for both the business and your customers, register for our two-part Data Privacy & Marketing series webinar: