Key Actions for GDPR compliance for SaaS Providers

I run a SaaS product - https://linkgage.com and have some customers based in the EU. Now the new EU law called GDPR (General Data Protection Regulation) will come into effect as from May 25th. I really want to know what are the key actions that SaaS providers need to do within their application to make them complaint.

E.g

1. Give users ability to delete their profile
2. Give users ability to export their profile or transactional details

I will really need your input as regard specific things my application needs to do to make it GDPR complaint.

Regards

Your best bet is to talk to a lawyer because it’s pretty darn complex, but short of that, this guide by Cennydd Bowles is a great place to start to wrap your head around it a bit.

I haven’t been directly involved with the work we’ve been doing for Postmark, but my interactions with the product manager who has been leading the charge seem to indicate that there’s pretty widespread confusion across the industry. There’s a spectrum of compliance, and a lot of it is focused on your ability to comply when customers make requests.

For Postmark, we’ve added a whole section to the site dedicated to EU Data Protection, GDPR, and a DPA. We’ve invested quite a bit of effort into making sure we get this right because our customers have been asking for it. So, if you’re not seeing a lot of requests from customers, you may be better off keeping it simple and processing more stuff manually.

As a quick summary, GDPR would mean many things to most SaaS apps.

(But if your app is the data processor for another business, you may also want to look into requiring your customers to comply with GDPR.)

1. Identify if you collect Personal Information and/or Sensitive Personal Information. The later may require you to have a DPO.
2. Users must give you consent for you to collect personal data (ie. look into clickwrap methods)
3. Users must be able to view, update, erase their data they have with you. Users should also be able to export their personal data they have with you in an electronic format.
4. There are some additional requirements for data breaches (ie. you must notify within 72 hours) especially for data processors.

Thank you for the feedback and the guide. I will look into it and also do more research on what others are working on.

Q. When you ( @termsfeed ) say ‘users’ are “the employees of the company that bought and use my software” counted as Users? I am confused about this as I don’t think the managers/executives that buy my software will want users to simply ‘erase their data’ and not participate.

I’m a bit confused about the overall employees part. It may be helpful to go through our presentation for a GDPR Compliance Plan (it’s on our SlideShare official account, @termsfeed). Starting at Slide 17, we have 4 examples of data controllers vs. data processors.

Whether the individuals for which you have collected personal data are users of the system or not is irrelevant. The individual still has the right to have their data erased. Whether the people who buy and/or use your software like that or not is also irrelevant.

GDPR does not only apply to software systems, but to organizations/companies as a whole and how they collect, process and store data about individuals. For example, if someone calls your company on the phone and you write down their name on a piece of paper, the laws now apply to that piece of paper in the same manner they apply to any personal user data you store in a database.

The core principle behind GDPR is quite simple: as an individual I have certain rights regarding how my personal data is collected, stored and used. It’s the company’s responsibilty to ensure that my rights are not violated.

In essence: don’t collect data you don’t need, give (justified) reasons for needing the data you do collect, don’t use an indivudal’s data for anything they did not explicitly consent to, give them acces to their data and delete (or anonymize) their data if they ask you to.

If you’re a U.S-based IaaS/PaaS/SaaS provider, you should at least make sure you are Privacy Shield-certified, or other companies in the EU/EEA simply cannot use your services unless you have a separate agreement with them. As I understand it, you can self-certify on the Privacy Shield web site.

After talking to our product manager at Postmark, he went ahead and wrote up a detailed summary about our decisions and what we’re doing for GDPR in a way that should be useful to other smaller businesses.

GDPR: How small companies can get ready for it (and why you can’t just ignore it)

That’s awesome! Nice “content marketing” for you guys.

I also recommend people to read the actual GDPR text itself. One should at least be familiar with Chapter 2 - Principles and Chapter 3 - Rights of the data subject. It’s a fairly quick read in (close to) plain English.

Thanks a lot for providing more details. There has been a lot I have been grinning from online resources. I want to ask, how long did it take your to implement those changes on the technical side.

The lawyer part was generally the more difficult and time-consuming work in the process. This was overall timelines rather dedicated work during the respective periods. And some of it was somewhat easier since we already had Privacy Shield in place. That’s normally a 3-4 month process with an external 3rd party for certification. (eTRUST in our case.)

Privacy policy: lawyer work 4 weeks, implementation 1 hour
DPA: lawyer work 3 months, implementation in the app 2-3 weeks
Check box changes: implementation 2-3 days

just posted these over on the MegaMaker forums but as GDPR is such a pain I thought i’d post here for everyone to see

Privacy by Design Framework used by GDPR (thank the Canadians for this one )

GDPR for developers

So is it mandatory to have a 3rd party certify your compliance? I’m just wondering if startups can be able to pay for such certification fee.

Thanks a lot for providing more details on this

I don’t believe there are any official certification fees. The lawyer fees may still be fairly cost-prohibitive, though.

I’ve talked with a lot of startups about this. Those with funding hire expensive lawyers who spend days or weeks and bill you 5 figures, others(mostly bootstrappers) implement top requirements themselves to show at least good faith

These are 2 links that I find very helpful and probably I’ll base my compliance on:

I’m far from being an expert, but my personal opinion if you are a bootstrapped, one-man show with not so much data about EU citizens, and you implement the points in the links above, I don’t think there are many reasons to worry about.

@stanwarri The thing witth GDPR compliance and your SaaS is that you act both as a data processor and as a data controler. You are a data controler for your own clients, and probably it is relatively straight forward to apply the GDPR regulations.

When you place retargeting pixels etc, you probably handle personal data in the EU sense, and the people you retarget must have given consent. This seems quite hard for me to ensure. I think your clients must have asked for consent from the users before using linkgage on their users.

Related to that is the branded call to actions you add to links. I think this is illegal in some countries, especially Germany. This does not mean that linkgage is illegal, as I understand this means a German company is not allowed to use linkgage and can run into trouble if prosecuted.

About customer consent when making an inquiry:
I’ve always required the “I agree…” checkbox for a customer to create an account to use our SaaS product; however, I’ve never required it for users to submit a question.

When a user submits a question on our site, their email is never used for marketing purposes. But, does GDPR require consent when a user from the EU sends in a question which includes their name and email address? Please pardon my ignorance on this subject

My own take, and the usual caveat IANAL, is no. Just state somewhere in your privacy policy something about what you do and don’t do. You can also state on the form that the name/email is only used for this communication and any responses etc. Be upfront and honest etc.

However if you later parse your inbox/help system and email them about new stuff etc then you become eligible for trouble.

It’ll take a while for some precedence and lawsuits to take shape