Even if your business is not located in the EU, as long as you offer your services to users within the borders of the EU, you must comply with the rules of the GDPR. Failure to do so can lead to massive fines. And since data handling and processing is a core activity for many SaaS companies, compliance is a must for them.
Meanwhile, becoming compliant with the GDPR is no small task, and it can be difficult to determine where to begin. On May 25, 2018, the GDPR went into effect in the EU and since that day, SaaS companies doing business with customers in the EU have been required to follow strict rules for personal data processing.
That is where this article comes in handy as it contains a GDPR checklist for SaaS companies.
The GDPR checklist should be seen as an inspiration as to how to get started with compliance and not as a definitive guide. If you want professional and legal advice on this matter, you should instead ally with a data protection lawyer.
But first, here is a short overview of what SaaS and the GDPR actually mean – for the readers who are unfamiliar with both terms – before we delve further into the checklist.
What is SaaS?
SaaS is an abbreviation of “software as a service”. SaaS services are cloud-based software solutions, and the gist of this type of service is that you can quickly get started with an online application without having to invest a great amount of money and/or time.
This contrasts with earlier times when one had to buy the entire software either as a digital or physical copy. In addition, one was also responsible for ensuring that software and hardware were compatible.
As a SaaS user, you do not have to deal with hardware, software, middleware, etc., because it is the SaaS vendor who manages all these issues. And instead of paying a huge lump sum, you pay for subscription access when working with SaaS solutions.
Most often, you do not need much more than a web browser and internet access to use a SaaS service. This means that as soon as you have paid for access, you can immediately start using the program.
When you use a SaaS service, all your work is stored in the cloud. This decentralized type of storage makes it possible to mobilize the workflow in your company, as you can freely access your work material just by logging into the online software. Some famous examples of SaaS services include Microsoft Office 365, MailChimp, ZenDesk, Google Apps, Slack, and Dropbox.
Since many SaaS services revolve around data processing in one way or another, SaaS companies are thus obligated to become GDPR compliant, if they are doing business with citizens of the EU. This leads us to the next section where we will point out the essentials of the GDPR.
What is the GDPR?
The GDPR, an abbreviation for General Data Protection Regulation, is a data law that was introduced in the EU on 25 May 2018. The purpose of the GDPR is to provide data protection to citizens in EU countries and to provide them with more control over their personal data. In practice, this will be done by controlling how companies and organizations handle personal data.
Organizations are therefore required to register and monitor data processing activities. The GDPR requires that organizations must have a complete overview of how data is processed within the organization’s boundaries.
This applies both internally to the organization in question, and externally, in case the organization collaborates with third parties. According to the GDPR, the organizations, as well as the third parties, must be able to explain what data is being processed, what the purpose of the data processing is, and to whom the data is transferred. Data can be transferred to other organizations, but only if they are compliant with the requirements of the GDPR.
In addition, organizations must register all consents to prove that users have given their explicit consent. With the introduction of the GDPR, it is forbidden to process personal data unless the user has explicitly agreed to this.
The consent must be given voluntarily and it must be given on the basis of a clear statement of which data is collected and what the data will be used for. The user must have given his or her consent before the data processing can begin.
Moreover, users can now access the data that an organization has collected about them, and they also have the right to withdraw their consent and have their data deleted. Should a data leak occur, the organizations are obliged to notify the data authorities and the affected persons within 72 hours.
Companies that fail to become compliant with the GDPR risk huge fines up to €20 million or 4% of the organization’s global annual turnover, whichever is higher.
Though the GDPR is still a relatively new regulation, enormous fines have already been levied on non-compliant organizations. At the beginning of 2019, tech giant Google was fined €50 million in France for violating the requirements of the GDPR.
Now, let us continue with the GDPR checklist.
GDPR checklist for SaaS companies
1. Appoint an internal Data Protection Officer (DPO)
According to the GDPR, you must appoint a DPO if you are:
– A public authority
– An organization that systematically monitors large amounts of data
– An organization that processes large amounts of personal data[ii]
As mentioned earlier, many SaaS companies fall into both the second and third categories, since data monitoring and personal data processing are core activities for many of them. If this is also the case for your SaaS business, you must appoint an internal DPO to become GDPR compliant.
Anyone in your company can become the DPO. However, some training is required for the newly appointed DPO so that he or she can gain a proper understanding of GDPR and the responsibilities that the title of DPO entails.
– How you collect personal data
– Why you collect personal data
– What you are using the personal data for
– How long you will keep the personal data
– Which rights the user has
Furthermore, the GDPR states that you must use clear and easy-to-understand language in your policies. This is to ensure that your users fully comprehend the scope of the data processing so that they can give informed consent. Gone are the days when companies could get away with cluttered and confusing policies (at least in a GDPR context).
4. Update your cookie consent banner
According to the GDPR, cookie consent banners are required to have an opt-out button for those who are not interested in giving their consent. The previously mentioned tool, Cookiebot, allows you to create customized user consents.
5. Create a record of data processing flows
This is an incredibly tedious task, but as a SaaS business, it is your responsibility to know exactly how your customers’ data travels in and out of your company.
By recording how every single piece of data flows through your business, you create concrete evidence of your effort to achieve compliance with the GDPR. This is priceless in case the Data Protection Authorities request documentation of your GDPR measures.
To create the overview, you need to write down information such as:
– The names of all the departments in your company
– What kind of personal data is processed in each department
– How each department processes personal data
– Who in each department is responsible for the processes, etc.
When you have gathered all the information, you have to put it together into a coherent document. The task doesn’t end here though, because compliance is an ongoing effort. This means you have to maintain and update the records to ensure that they always reflect your current data handling processes.
6. Inquire whether your third-party vendors are compliant or not
Your third-party vendors, i.e. suppliers and subcontractors, may not necessarily be compliant with GDPR. In order to find out whether they are or aren’t, you have to do some detective work. This is actually a straightforward task. All you have to do is reach out to them and ask them directly.
If they aren’t compliant, ask them to become compliant, not only for your own or their sake but for the users’. If they refuse your request, your best bet for progress and compliance is to find a new business partner that is either already compliant or working towards becoming compliant. This is because, if your third-party vendors aren’t compliant with GDPR, then you aren’t compliant with GDPR either.
7. Arrange for data processing agreements with your third-party vendors
Do remember that a verbal or written confirmation of GDPR compliance from your third-party vendors is not enough. You also need to have data processing agreements with each of your suppliers and subcontractors in order to fully achieve compliance.
8. Implement technical measures for IT
First of all, the data in your system(s) should always be encrypted. A best practice is to use either anonymization or pseudonymization, as these two methods are recommended by the GDPR. Furthermore, data that is no longer being used or needed should be deleted to minimize the amount of data that you are protecting. This also includes deleting the obsolete data in the backups if possible.
Other relevant IT measures include two-factor authentication for employees and a TLS certificate. SSL will also do the job for you; however, TLS is the successor to SSL and is therefore preferable.
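To make the pseudonymization and data-minimization points concrete, here is an added example (not from the original article or any tool it names) of how a SaaS backend might replace direct identifiers with keyed pseudonyms and purge records past their retention period. It assumes a hypothetical record layout with `email`, `name` and `last_activity` fields, a constructed secret key kept separately from the data, and a 365-day retention period; note that a keyed pseudonym is still personal data under the GDPR because the key holder can re-link it, so this is pseudonymization, not anonymization.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Assumed: this key lives in a secrets manager, never beside the dataset,
# so the pseudonymized data alone cannot be linked back to a person.
# Constructed sample value, not a real key.
PSEUDONYM_KEY = b"constructed-sample-key-do-not-use-in-production"
RETENTION_DAYS = 365  # assumed retention period for the example

def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256 pseudonym. Stable for the same input under the same
    key, so records can still be grouped per user, but an attacker without the
    key cannot re-identify it by hashing candidate e-mail addresses (which an
    unkeyed hash would allow)."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()

def pseudonymize_record(record: dict, direct_identifiers=("email", "name")) -> dict:
    """Return a copy of the record with direct identifiers replaced by
    pseudonyms; non-identifying fields (e.g. subscription plan) are kept."""
    out = dict(record)
    for field in direct_identifiers:
        if field in out:
            out[field] = pseudonymize(out[field])
    return out

def purge_expired(records, now, retention_days=RETENTION_DAYS):
    """Data minimization: drop records whose last activity is older than the
    retention period. Returns (kept_records, purged_count)."""
    cutoff = now - timedelta(days=retention_days)
    kept = [r for r in records if r["last_activity"] >= cutoff]
    return kept, len(records) - len(kept)

# Constructed sample records and "current time" (not real people or data).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "name": "Alice", "plan": "pro",
     "last_activity": datetime(2024, 1, 10, tzinfo=timezone.utc)},
    {"email": "bob@example.com", "name": "Bob", "plan": "free",
     "last_activity": datetime(2022, 3, 1, tzinfo=timezone.utc)},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    kept, purged = purge_expired(SAMPLE_RECORDS, NOW)
    for r in kept:
        print(pseudonymize_record(r))
    print(f"purged {purged} expired record(s)")
```

Encryption at rest and the purge of the same records from backups are outside this snippet and still have to be handled separately.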
You should also make sure that your data centers are located in areas with a high level of data security, i.e. Europe or the US. The passwords of your systems should be encrypted as well to maximize data security. If your staff bring their own devices to work, then these devices should also be protected and secured.
Regular vulnerability scans on systems, devices, and networks will also help identify potential security gaps.
9. Implement organizational measures
Ensuring compliance with GDPR is not a task that is restricted to the management level or the DPO. Instead, a holistic approach should be taken, where all employees are included in the compliance work. By involving employees from all organizational layers and creating awareness about security and data protection, you can instill a sense of responsibility and obligation in your staff.
Other organizational measures include providing physical security for your office and the devices that your staff carry. You can also look into granting only certain employees access to certain data; by creating such an access hierarchy, you limit the number of points through which data can leave your organization.
Note: This article is a guest blog post by Nadine Kohlbrenner on Cloudways Blog
Editor’s Note: This article is edited for clarity.