Data Security and Niche Software

By Anna P. Murray

The Nexus  |  Monday, 10 June 2019

Inside a large corporation, it is sometimes easy to forget that not everyone’s life revolves around SAP, Salesforce, Adobe Experience Manager or Microsoft Azure. Squadrons of software categories exist to help small and mid-size businesses operate in niche markets that do not align with (and, frankly, could not afford) the offerings of the larger players.

In the past 24 months, I have been involved in software selection and rollout in the following niche categories:

  • Camp management
  • Foundations
  • Nonprofit membership
  • Nonprofit association management
  • Nonprofit donation
  • Residential building management

Niche software package selection and development is its own special kind of beast in many ways. On the pro side, these products generally fit their sectors nicely. For example, a small camp that would be overwhelmed by an Adobe implementation can instead be up and running in 6 weeks using one of the products in its vertical. On the con side, you sometimes have to deal with internecine battles among small vendors and software packages that are nowhere near modern-day standards. “Responsive design? That is on the roadmap for 2021.”

“To niche software or not to niche software?” has been a battle waged in tech for at least the last 15 years. Generally, in my consulting practice I have found that niche packages usually serve a small business much more appropriately than wrangling Salesforce into submission.

But data regulation and privacy have added a new wrinkle, and it has to do with the EU General Data Protection Regulation (GDPR) and the transfer of data responsibility. A brief review of the regulatory context: GDPR affects all organizations, even those solely based in the United States, that offer goods or services to EU citizens. It even applies to US charities and nonprofits that collect information from people in the European Union.

A majority of the sectors previously mentioned must consider EU citizens in their databases. I am talking about camps, schools, associations, foundations and apartment buildings. In my experience, it is common for such entities to serve EU citizens. Schools, especially—but not limited to—those on both US coasts, often admit EU citizens. Students might be children of people employed by multinational organizations who have been transferred to the United States as well as children of diplomats. Of course, both the parents’ and the children’s data would be contained in a school database. The same dynamics affect residential buildings. Further, most nonprofits of any size have extensive databases of donors and potential donors from all corners of the planet. As for associations, they often publish valuable content relevant outside of the United States. Those who wish to access such content must at least register and often pay before proceeding. It is only the rare exception, “The American Association of Blah Blah Blah,” that can make a credible argument that only Americans are appropriate for their activities and proactively restrict data collection accordingly.

It is becoming common in click-through software license agreements for the maker of the software to transfer the data security responsibility to the licensee.

For both large software companies and those with niche products, it is becoming common in click-through software license agreements for the maker of the software to transfer the data security responsibility to the licensee. In GDPR terms, the license agreements aver that the licensee is the “data controller,” while the software maker is the “data processor.”

As data controller, you are subject to a number of requirements under EU law. For example, you must:

  • Notify the relevant national authority before engaging in data processing
  • Comply with EU data protection principles to process data lawfully
  • Inform individuals whose data you hold as to what the data is and for what it is used Implement technical and organizational measures to protect data against accidental loss or unauthorized breach.
  • Have appropriate written agreements with your data processors in compliance with GDPR

It may sound reasonable that a large multinational corporation—say, Nestlé —understands and takes ownership of the responsibilities listed above as it executes software contracts.

But, let’s be serious. The co-op board of the average New York City, USA, apartment building is typically made up of 4 retired bankers who left business long before phishing, cyberattacks and malware were part of daily life. The board of a small school has the same retired bankers, joined by 3 priests, a nun, 3 full-time moms and 2 retired judges.

If you surveyed the individuals on these boards (which I have done), virtually none of them would understand their duty-of-care responsibilities or the personal liability to which they would be exposed after a significant data breach.

Yet these boards govern institutions that may have individuals of both high net worth and high international profile in their databases.

This all begs the question: Is it right or appropriate for a software company, even a small player, to transfer risk to people who have little or no capacity to shoulder the risk responsibilities?

In some ways, the question is parallel to whether Facebook can call itself a “platform” or must be accountable for the same responsibilities as a “publisher.”

Courts and litigation have not yet caught up to this pressing issue. It needs to be settled whether, and under what conditions, it is appropriate for the maker of a software-as-a-service (SaaS) product to transfer all data controller responsibilities to its licensee.

Anna Murray

Is a nationally recognized technology consultant, writer and the author of the critically acclaimed The Complete Software Project Manager (Wiley, USA, 2016). A frequent speaker, she has presented for numerous industry organizations including CSX North America, The Digital Experience Summit and the ISACA Women’s Day of Advocacy. She is also a member of the Women’s Leadership Council of SheLeadsTech, which advocates for greater representation of women in technology. Murray is a 2-time recipient of the Stevie Award for Women in Business, a recipient of a Mobile Marketing Association award for mobile app development, a Folio's Top Women in Media Award and has received several Kellogg top agency awards.