.
Image

A story of account deactivation email from HubSpot

We got an account deactivation email from HubSpot. It brought a total change to the whole privacy paradigm we had. In order to comply with new California and EU privacy laws, we are now required to remove or anonymize personal data for expired trials, customers who no longer require our services, and nonactive free accounts. We are obligated to do it even without customer (data subject) requests.

Let’s start from the beginning.

PrivacyBunker SaaS is about privacy automation. We are constantly developing plugins for popular SaaS and DB products. The system uses these plugins in order to fetch customer personal records, change record values (i.e. email, etc…), delete or anonymize personal data. We developed management tools for Data Privacy Officers (DPO) to execute data subject requests. We also have a self-service that allows end-customers to see their personal data from all SaaS services and from all connected databases (MySQL, PostgreSQL, SQL Server, Oracle, MongoDB, etc…).

So, we made this plugin for HubSpot. When it was ready, we opened a test account at hubspot.com to test the plugin. When the tests were finished successfully our team added HubSpot to our list of supported SaaS products and kept on working in order to provide other services and features.

After a while, we received an account deactivation email from HubSpot.

At first glance, it may seem something simple. In the reality, it was sent because of the regulations that every company with customer personal data has to comply with. Not complying with this privacy regulation requirement (data minimization) can lead to a multi-million euro lawsuit that only the giants of the industry can afford to pay without being bankrupt.

What is this data minimization?

Data minimization stands that organizations should keep customer data at a minimum only sufficient to provide a service.

If you look in the official GDPR Article 5 you will find the following. Personal data shall be (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed and (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

What about CCPA?

Data minimization is not mandated by the CCPA. But California Privacy Rights Act of 2020 (CPRA) approved on November 3, 2020, has data minimization.

Similar to HIPAA’s minimum necessary rule and the GDPR’s data minimization principle, the CPRA codifies data minimization principles: The collection, use, retention, and sharing of personal information must be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed”. The new law also requires notice of retention periods, and those retention periods must be “no longer than reasonably necessary” for each disclosed purpose.

What about SOC 2

Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality and privacy.

Trust Services Criteria document, section P4.2 has the following definition:

Retains Personal Information — Personal information is retained for no longer than necessary to fulfill the stated purposes, unless a law or regulation specifically requires otherwise.

So, the above is similar to data minimization retention period.

Now let’s talk numbers.

In the SaaS business converting 60% of the trial accounts to customers is considered a big success. It leaves even the most successful companies with a lot of personal info they have to get rid of or convert to anonymous.

This is a lot of nonprofitable work and work is costly.

This work needs avoiding because it will not move your business ahead, but it has to be done in order to comply with privacy regulations and avoid lawsuits that can hurt your business.

The same problem exists not only for SaaS companies but for most Data Controllers and partially for Data Providers for their online business leads.

Our services will allow you to do the important things and not waste time (and time is money) because of the regulations.

Let’s talk about your need and how our system can serve you: yuli@privacybunker.io