GDPR & How SaaS companies can prepare for the regulation?

  • February 21, 2018

The EU's new General Data Protection Regulation (GDPR) is one of the most talked-about regulations worldwide, because of its impact on data governance and data privacy. Many people are unsure what GDPR is, how it could affect their business, or whether they should be concerned about it at all.

GDPR will become enforceable on May 25, 2018. The European Union (EU) has led regulatory developments in data privacy and protection for the past two decades. Breaching GDPR can result in fines of up to 4% of your annual global turnover or 20 million euros, whichever is higher. GDPR exists to protect EU citizens, but it applies to almost every company with a global footprint, including SaaS providers.

What is the need for GDPR?

There are two reasons why GDPR has come into force. First, the EU wants individuals to have more control over their personal data and how it is used; by this, it hopes to improve trust in the digital economy.
Secondly, the EU is creating a simple and transparent environment for operating businesses, making the rules almost uniform throughout the EU.

Will GDPR impact you even if you are not based in the EU?

Yes, if you:

* Sell goods or services to EU citizens, or monitor their behaviour.
* Process the personal data of EU individuals on behalf of other businesses.
* Operate a website that uses technologies like cookies to monitor people based in the EU.
* Employ any residents of the EU.
* Collect any sort of data that may include information about EU citizens.

The GDPR applies to ‘Data Controllers’ and ‘Data Processors’:

Are you a Data Controller? – A data controller is an individual or organization that controls, and is responsible for, the keeping and use of personal information. Being a data controller carries serious legal responsibilities: records of personal data and processing activities must be maintained.
* If your organization controls and is responsible for the personal data it holds, then your organization is a data controller. If, on the other hand, you hold the personal data but some other organization decides, and is responsible for, what happens to that data, then the latter organization is the data controller and your organization is a data processor.
* Data controllers can be individuals, companies, government departments or voluntary organizations. Individuals such as general practitioners, pharmacists, politicians and sole traders are data controllers where they keep personal information about their patients, clients, constituents etc.
* It is the data controller’s responsibility to ensure that its contracts with processors comply with the GDPR.

Are you a Data Processor? – A processor is responsible for processing personal data on behalf of a controller. Examples of data processors include payroll companies, accountants and market research companies, all of which hold or process personal information on behalf of someone else. Cloud providers are also generally data processors.
* Data processors are required to maintain records of personal data and processing activities. They will have legal liability if they are responsible for a breach.

It is possible for one company or person to be both a data controller and a data processor, with respect to distinct sets of personal data. For example, a payroll company would be the data controller in respect of the data about its own staff, but would also be the data processor in respect of the staff payroll data it is processing for its client companies.

Before looking at how SaaS companies need to start preparing for GDPR, let us first understand the types of data to which GDPR applies:

Personal data

Any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier such as a name, an identification number, location data or online identifiers (a category added to reflect changes in technology). It applies both to automated personal data and to manual filing systems. Pseudonymised personal data, for example where a name is replaced with a unique number, may also fall within scope, depending on how difficult it is to attribute the pseudonym to an individual.

Sensitive personal data

Under the GDPR, sensitive personal data is treated as a special category of personal data: it is more sensitive information about an individual and hence needs more protection. It includes:

* race
* ethnic origin
* political views
* religion
* trade union membership
* genetic data, such as a DNA sequence
* biometric data, such as fingerprints or retina scans (where used for identification purposes)
* health data, and a few others

How do SaaS companies need to prepare?

The GDPR will not come into force until the 25th of May 2018, but it is important that SaaS customers and SaaS suppliers start to prepare for the changes now.

Have Awareness
An organization’s decision makers and key people should be aware of GDPR, analyze what impact it will have, identify the risks involved and include them in their risk management process.

Proper Documentation
In order to be accountable, you should document what personal data you hold, where it came from and whom you share it with. You may even need to audit it regularly. This is important not only because it is a legal requirement, but also because it supports good data governance and helps you demonstrate your compliance with other aspects of the GDPR.

Communicating privacy information
Before gathering any personal data, current legislation requires that you notify your customers of your identity, your reasons for gathering the data, the use(s) it will be put to, who it will be disclosed to, and whether it is going to be transferred outside the EU. Under the GDPR, additional information must be communicated to individuals in advance of processing.

Individuals’ rights
Organizations will need to provide personal data in a commonly used, structured electronic format, free of charge. They will also need to check their procedures to ensure they cover all the rights individuals have. For example, how would you react if someone asked to have their personal data deleted? Would your systems help you locate and delete the data? And who would take that decision?

Consent
Keep records to evidence consent: who consented, when, how, and what they were told. Make it easy for people to withdraw consent at any time they choose. Build regular consent reviews into your business processes, because the GDPR is clear that controllers must be able to demonstrate that consent was given. Therefore, review the systems you have for recording consent to ensure you have an effective audit trail.

How will Subject Access Requests (SAR) change?
Under GDPR, organisations will have to deal with Subject Access Requests (SARs) more quickly, as well as provide additional information. Individuals already have a right to access their personal data through a SAR; however, under GDPR it will generally be free to make such requests, and individuals will be entitled to receive the information in an electronic format.

If an organization handles a large number of SARs, the impact of the changes could be considerable. Therefore, taking steps to organize the approach to SARs will help organizations to comply with the GDPR.

Data Breaches
You should make sure you have the right procedures in place to detect, investigate and report a personal data breach without undue delay, and where feasible within 72 hours of becoming aware of it.

Appoint Data Protection Officers
An organization needs to designate someone to take responsibility for data protection compliance; this can be an external appointee or someone from within the organization itself. You may have to make some changes to your organization structure.

Data regulation and future projects
A Data Protection Impact Assessment (DPIA) is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It allows organizations to identify potential privacy issues before they arise and come up with ways to mitigate them. A DPIA can involve discussions with relevant parties and stakeholders. Ultimately, such an assessment may prove invaluable in determining the viability of future projects and initiatives. The GDPR mandates DPIAs for organizations involved in high-risk processing; for example where a new technology is being deployed, where a profiling operation is likely to significantly affect individuals, or where there is large-scale monitoring of a publicly accessible area.

There is a lot more to understand about GDPR and its implications for SaaS companies, particularly those outside the EU. However, it is apparent that every SaaS company will have to study it in depth and, considering the nature of its business, apply it accordingly.

About the Author

Nema Buch is a Research & Marketing professional, also writes for Scalefusion on Enterprise Mobility trends, SaaS, and different Industry Verticals.