October 26, 2020
The European Union’s GDPR (General Data Protection Regulation) officially came into effect on May 25, 2018 to provide greater data protection rights to individuals in the EU.
The GDPR has changed the way that data is collected, processed and stored across countless industries, including software as a service (or SaaS for short). When it comes to the GDPR and SaaS providers, companies should know that the GDPR applies to B2B relationships just as much as it does to business-to-customer (or B2C) relationships.
What does your SaaS business have to do to be compliant with the GDPR?
Keep reading to find out more about the GDPR and the SaaS industry, the GDPR and non-EU companies, and what you need to know about compliance with the GDPR.
The GDPR For The SaaS Industry
The GDPR is especially important in the SaaS industry because software services are delivered through the internet and many SaaS businesses oversee large amounts of data.
Under the GDPR, businesses need to be able to explain what data is being processed, what the purpose of processing this data is, and where the data will eventually be transferred. Organizations must ensure that they process the data on a lawful basis. This often means that they must obtain valid consent from the individuals concerned before processing their data. Robust protection practices and safeguards must also be implemented for the processing.
As a SaaS business, you also need to know if you are a data controller or a data processor, and what is expected of you in that role. SaaS vendors/cloud providers are usually both controllers and processors. They are controllers when they decide the purposes and the means of the processing (e.g. when it comes to their website, user databases, newsletters, marketing, payment data, etc.) and processors when they act under the instructions of their customers (e.g. in B2B activities when they process the personal data of their clients’ customers). Saas customers/purchasers are usually controllers because they decide what you should do with the data. Both controllers and processors will have their own responsibilities to uphold.
Ultimately, the GDPR means that data processors and data controllers in the SaaS industry will need to update their policies, practices and the way that they handle data. What should a SaaS company watch out for when trying to become compliant with the GDPR?
What SaaS Companies Need To Know About The GDPR
Becoming fully compliant with the GDPR is no easy task and mistakes can happen. There are many things to consider when combining the GDPR and the SaaS industry.
Here are a few things that SaaS businesses should be watchful of and include in their SaaS GDPR checklist:
Data Processing Agreements (DPAs)
For starters, data processors will need to sign data processing agreements with the data controllers they work with. A data processing agreement is a legally binding agreement (i.e., a contract) that clearly states the responsibilities and expectations of each client. Moreover, it should contain a description of the adequate safeguards that are put in place for the processing of the data. Having a data processing agreement will not only ensure that you are compliant with the GDPR but also ensures that any third parties you are collaborating with are also compliant.
Third-Party Vendor Compliance
Check in with any third-party vendors or processors to see if they are compliant with the GDPR themselves. If they are not compliant, it is crucial to ask them to become so. If they are not interested in doing so, then you should strongly reconsider collaborating with them. Your best bet to ensure that you are fully GDPR compliant at all times is to only work with third parties that are compliant themselves or that are working towards achieving compliance.
Today, cyber-attacks, data breaches, and the mishandling of personal data are more common than ever before. One small data breach can lead to big fines, so having top-level security is more important than ever.
Yet, keeping personal data safe is not only a regulatory concern. It’s also good business sense. Following information security best practices can help your customers know their data is safe with you. However, Saas businesses should not assume that just because they have adequate security measures in place or because they are ISO/IEC 27001 certified that they are also in compliance with the GDPR. Extra steps need to be taken to ensure that your SaaS business is handling and processing personal data correctly.
The GDPR And Non-Eu Companies
The GDPR was enacted to grant specific rights and protections to individuals in the EU when it comes to the way that businesses and organizations process, manage, and share their data.
However, while the GDPR may be limited to the data of individuals in the EU, it is not limited to European companies. Non-EU companies must act in accordance with the GDPR just as much as European-based organizations.
If your SaaS business processes or handles the data of individuals in the EU, you will need to take the proper steps to ensure compliance with the GDPR.
Non-EU SaaS Businesses And The GDPR: Two Specific Attention Points
First, you will probably have to appoint a GDPR EU representative in order to satisfy Article 27. This section of the GDPR states that non-EU companies that offer goods or services to individuals in the EU and/or monitor the behaviour of individuals in the EU must designate an EU representative to act on their behalf.
Your GDPR EU representative must be clearly designated in writing and must be established in one of the member states from which the individuals whose data you are processing are located. If you process personal data of individuals who are located in more than one EU country, you only need to appoint one GDPR EU representative and you can choose to appoint the representative in any one of those EU countries.
Your EU representative will be tasked with representing your organization in the EU for GDPR matters. Your EU Representative will assist you with the handling of data subject access requests from individuals in the EU and requests from the EU data protection authorities, and will also keep a copy of your record of processing activities. Make sure to choose a GDPR EU representative who will keep your record in a highly secure place and who will also be able to assist you with data breach notifications to the EU data protection authorities.
Secondly, don’t confuse the GDPR EU representative with other types of representatives. A very common mistake made by SaaS companies when it comes to appointing an EU representative is confusing the GDPR EU representative – appointed pursuant to Article 27 of the GDPR – with the data protection officer (DPO) – appointed pursuant to Article 37 of the GDPR. It’s not possible to appoint your DPO as your GDPR EU representative because its role and responsibilities are not compatible with those of an EU representative. So make sure that you appoint the right representative(s) for the right purpose(s) in order to avoid facing heavy penalties.
Becoming compliant with the GDPR is crucial if you handle or process the data of individuals in the EU. Moreover, the GDPR and SaaS industry is a complicated mix. Earlier this year, Google was fined over €55 million for its failure to comply with the legislation.
If you want to avoid costly financial penalties and a negative reputation, then you need to take the proper steps to ensure that your SaaS business is compliant with the GDPR.
Want to learn more about the GDPR and non-EU companies? Are you looking for an EU representative that can help you become compliant with Article 27 of the GDPR? Contact us to find out how we can help your SaaS business become GDPR compliant today!