“Data is a precious thing and will last longer than the systems themselves.”
Tim Berners-Lee, inventor of the World Wide Web
Data is Gold. And as the world crusades towards harnessing data in multiple ways (both ethical and unethical), enters GDPR to the rescue.
The impact of new legislation from the EU – General Data Protection Regulation (GDPR) on business is proving to be one of the most crucial global regulations today as it is related to data governance and data privacy. Many people are unsure about what GDPR is, how it could impact their businesses, or whether they should even be worried about it at all.
GDPR- or General Data Protection Regulation was enforced on May 25, 2018. The European Union (EU) has been at the lead of regulatory developments in data privacy and protection for the past two decades. Breaching GDPR can result in fines of up to 4% of your annual global turnover or a whopping 20 million Euros – whichever is higher. GDPR is for protecting the data privacy rights of the EU citizens but it applies to almost every company with a global footprint including SaaS.
In this article, we will be discussing the GDPR compliance for SaaS and implications of the same.
What is the need for GDPR?
There are two reasons why GDPR has come into form. First is, the EU wants to have more command over the personal data of its residents and control how it is used. By this, it hopes to improve trust in the digital economy.
Secondly, the EU is facilitating a simple and transparent environment for operating businesses, making it almost uniform throughout the EU.
Will GDPR impact you even if you are not based in the EU?
Yes, if you –
- Sell goods or services to EU citizens or that monitor their behavior.
- Process the personal data of EU individuals on behalf of other businesses.
- Operate a website that uses technologies like cookies to monitor people based in the EU
- Employ any residents of the EU
- Collect any sort of data that may include information about EU citizens
In a nutshell, GDPR is applicable to SaaS providers that have European clients or consumers, irrespective of the geographic location of the organization.
GDPR for SaaS: Role of a Data Controller
Are you a Data Controller?
A data controller is an individual or organization who controls and is responsible for the keeping and use of personal information. Being a data controller carries with it serious legal responsibilities, records of personal data and processing activities are to be maintained.
- If your organization controls and is responsible for the personal data which it holds, then your organization is a data controller. on the other hand, you hold the personal data, but some other organization decides and is responsible for what happens to the data, then the latter organization is the data controller, and your organization is a data processor.
- Data controllers can be either individuals or companies, government departments and voluntary organizations. Individuals like general practitioners, pharmacists, politicians and sole traders, where they keep personal information about their patients, clients, constituents, etc.
- It will be the data controller’s responsibility to ensure that the contracts with processor comply with the GDPR.
GDPR for SaaS Organizations: Role of a Data Processor
Are you a Data Processor?
A processor is responsible for processing personal data on behalf of the controller. Examples of data processors include payroll companies, accountants, and market research companies, all of which holds or processes personal information on behalf of someone else. Cloud providers are also generally data processors.
Data processors are required to maintain records of personal data and processing activities. They will have legal liability if they are responsible for a breach.
One company or person can be both- a data controller and a data processor for distinct sets of personal data. For example, a payroll company would be the data controller in respect of the data about its own staff, but would also be the data processor in respect of the staff payroll data it is processing for its client companies.
Before understanding how SaaS companies need to start preparing for GDPR, let us first understand the types of data which GDPR applies to.
GDPR for SaaS organizations- Which data is it applied for?
- Personal data
Any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier like name, identification number, location data or online identifiers which are the result of the changes in technology. It applies to both automated personal data and the manual filing systems. Pseudonymized personal data i.e. for an example a name is replaced with a unique number, depending on how difficult it is to characterize the pseudonym to an individual.
- Sensitive personal data
The sensitive personal data under GDPR umbrella is considered as special categories of personal data which is more sensitive information about an individual and hence need more protection like race, ethnic origin, political views, religion,trade union membership, genetic data like DNA sequence, biometric fingerprints or retina scans used for identification purposes, etc.
GDPR compliance for SaaS companies: How to prepare?
It is important that SaaS customers and SaaS suppliers are prepared and operational for GDPR compliance. If you haven’t done it already, here’s how you can do it:
- Have Awareness
Organization’s decision-makers and key people should have awareness about GDPR and analyze what impact will it have and identify the risks involved and include it in their risk management process.
- Proper Documentation
In order to be accountable, you should document what personal data you hold, where it came from and whom you share it with. You may even require to audit it regularly. It is important, not only because it is a legal requirement, but also because it can support good data governance and help you demonstrate your compliance with other aspects of the GDPR.
- Communicating privacy information
Before gathering any personal data, current legislation requires that you notify your customers of your identity, your reasons for gathering the data, the use(s) it will be put to, who it will be disclosed to, and if it’s going to be transferred outside the EU. Under the GDPR, additional information must be communicated to individuals in advance of processing.
- Individuals’ rights
Organizations will need to provide personal data in a structure commonly used or in an e-format, free of charge. And, will also need to check their procedures to ensure they cover all the rights individuals have. For example, how you would react if someone asks to have their personal data deleted? Would your systems help you to locate and delete the data? And who will take that decision?
Keep records to evidence consent – who consented, when, how, and what they were told. Make it easy for people to withdraw consent at any time they choose. Include regular consent reviews into your business processes because the GDPR is clear that controllers must be able to clearly show that consent was given. Therefore review the systems you have for recording consent to ensure you have an effective audit trail.
GDPR and SaaS: How will Subject Access Requests (SAR) change?
Under GDPR, Organisations will have to deal with the Subject Access Request (SAR) more quickly, as well as providing additional information. Individuals already have a right to access their personal data through a SAR. However, it will generally be free to make those requests and individuals will be entitled to receive the information in an electronic format.
If an organization handles a large number of SARs, the impact of the changes could be considerable. Therefore, taking steps to organize the approach to SARs will help organizations to comply with the GDPR.
- Data Breaches
You should make sure you have the right procedures are in place to detect, report without undue delay If possible within 72 hours of becoming aware and investigate, a personal data breach.
- Appoint Data Protection Officers
An organization needs to designate someone to take responsibility for data protection compliance, you can either appoint from outside or someone from the organization itself. You may have to bring some changes in your organization structure.
- Data regulation and future projects
A (Data Privacy Impact Decision) DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It allows organizations to identify potential privacy issues before they arise, and come up with a way to mitigate them. A DPIA can involve discussions with relevant parties/stakeholders. Ultimately such an assessment may prove invaluable in determining the viability of future projects and initiatives. The GDPR has mandated DPIAs for those organizations involved in high-risk processing; for example where new technology is being deployed, where a profiling operation is likely to significantly affect individuals, or where there is large-scale monitoring of a publicly accessible area.
GDPR may seem an additional arena to work on for SaaS companies, but in the long run, it makes perfect sense to acknowledge the concern of data privacy, given the amount of data that is being generated.