Applicable Regulations, Standards, and Compliance
The General Data Protection Regulation (GDPR) is a landmark personal data protection law covering all European Union (EU) residents. It holds organizations that handle customer data accountable and grants EU residents control over their data. Under the GDPR, EU residents can view their data, erase it, object to its processing, or export it. The law applies to every organization that handles the personal data of EU residents, regardless of where the business operates from. Organizations that breach the law are subject to significant disciplinary action.
The California Consumer Privacy Act (CCPA) is a state statute that strengthens data protection and consumer privacy for California residents. Under the CCPA, a California resident has the right to know what personal information a business collects about them, the right to delete that information, the right to opt out of the sale of their personal information, and the right not to be discriminated against for exercising their CCPA rights.
The complete compliance checklist for your SaaS application depends on the markets you operate in and the kind of data you handle. It may be a subset of the list covered here, or it may include industry-specific requirements we have missed.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects sensitive patient information from being shared without the patient's consent or knowledge. This law, issued by the US Department of Health and Human Services, gives patients more control over sensitive data such as health records and sets safeguards that healthcare providers must implement to ensure the privacy of health information.
The New York State Department of Financial Services (NYDFS) has used its authority under state law to protect consumers and to "ensure the safety and soundness of the institution on behalf of their clients" to create new cybersecurity regulations. These apply to any registered entity providing financial services, including insurance companies, banks, and other financial services institutions. 23 NYCRR 500 is Part 500 of the NYDFS's overall body of regulation. In short, 23 NYCRR 500 requires supervised entities to assess their cybersecurity risk profiles and implement a comprehensive plan that identifies and mitigates that risk.
SMS, Email, Messaging
The Telephone Consumer Protection Act (TCPA) regulates telemarketing calls, autodialed calls, prerecorded calls, text messages, and unsolicited faxes. The national Do Not Call list was also created under the TCPA, and the Federal Communications Commission (FCC) is empowered to issue rules and regulations implementing it.
The Messaging Principles and Best Practices is a set of voluntary best practices developed by CTIA's member companies across the wireless messaging ecosystem. It identifies parameters for facilitating the exchange (transmission, storage, and retrieval) of Consumer (Person-to-Person, P2P) and Non-Consumer (Application-to-Person, A2P) messages over Wireless Provider messaging networks while protecting Consumers from Unwanted Messages.
The Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM) established the United States' first national standards for sending commercial e-mail. The law requires the Federal Trade Commission to enforce its provisions.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for companies involved in the payment process, whether accepting, transmitting, or storing card information. PCI DSS compliance ensures that companies handling payments, card information, or authentication operate in a safe and secure environment. PCI DSS applies to any company that handles payments, regardless of the geographic location it operates in, the payment methods it processes, or the number of transactions it handles.
The International Organization for Standardization (ISO) publishes a family of standards for information security management systems (ISMS). An ISMS provides a framework that identifies, analyzes, and mitigates security risks. ISO 27001 acts as a guideline for SaaS businesses to manage risk assessment and security measures. According to ISO, ISO 27001 "enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties."
Developed by the American Institute of CPAs (AICPA), Service Organization Control 2 (SOC 2) is a voluntary compliance standard for service organizations that defines the criteria for managing customer information. SOC 2 guidelines are reflected in the everyday handling of customer data, so being SOC 2 compliant means that the business has established strict information security processes with oversight across the organization.
Set by the Financial Accounting Standards Board (FASB), Generally Accepted Accounting Principles (GAAP or US GAAP) are a collection of commonly followed accounting rules and practices covering the details and complexities of business and corporate accounting. U.S. law mandates that companies releasing public financial statements, or companies publicly traded on a stock exchange, follow GAAP guidelines. GAAP compliance ensures that the company's financial reporting is transparent and follows standard terminology and methods.
Jointly developed by the Financial Accounting Standards Board (FASB) and the International Accounting Standards Board (IASB), ASC 606 provides a five-step process for recognizing revenue. This robust and flexible framework takes into account the revenue recognition scenarios that a SaaS solution typically encounters. ASC 606 accounts for the costs incurred by customers of SaaS businesses at every stage of their lifecycle and gives businesses a guideline for recognizing revenue from all revenue streams (recurring revenue, expansion revenue, consulting services).
International Financial Reporting Standards (IFRS) are a set of globally accepted accounting rules for the financial statements of public companies, intended to keep their reporting transparent, consistent, and easily comparable around the world. IFRS standards are required in more than 140 jurisdictions and are permitted in many parts of the world, including South Korea, Brazil, India, and the European Union.