Countdown to GDPR #8: What is the GDPR Impact on SaaS Providers?
In our GDPR series to date we’ve analyzed the important directives and ways for you to be compliant with them. In our final three blogs, we examine the impact of GDPR on your organization, Spanning and SaaS providers in general.
One of the key changes in the GDPR, from its predecessor — the Data Protection Directive — is that the onus of accountability for data protection is shared between controller (direct service providers) and processor (third-party service providers like SaaS companies).
Here are some key GDPR facts to keep in mind, particularly for SaaS companies:
- Under Article 82 of the GDPR, data processors have joint liability with the data controllers for lack of compliance with GDPR.
- The GDPR applies not only to EU-based SaaS providers, but also to non-EU SaaS ones who offer products or services to data subjects in the EU.
- Legal firms that are interpreting the implications of GDPR also emphasize “in particular SaaS suppliers should be aware that some of the GDPR applies directly to data processors who will be subject to compliance requirements and sanctions for non-compliance.”
- Fines for violation of the GDPR can vary from 2-4% of the company’s global annual revenue or EUR 20-40 million.
- Remember your notification obligations in light of a validated data breach, see Articles 33 and 34 for information on alerting your controller data-owners with “undue delay” and the 72hr deadline if you are actually the controller of the data.
Getting SaaSy with GDPR
Time is ticking. Here are my five tips for SaaS providers grappling with the GDPR.
- Parse your data workflows through GDPR. Map and review your data processes under the scanner of key GDPR articles such as the Right to be Forgotten and Privacy by Design and by Default.
- Be transparent and proactive about customer and vendor communication. The GDPR puts customer rights, front and center. Ask customers what they need for compliance. Review customer communication and ensure that customer consent is affirmatively collected every step of the way. Partner with your data controllers, vendors and third-party organizations to guarantee coordination compliance.
- Engage external help or hire for roles such as a Data Protection Officer.
- Check your Data Policies. Update/modify your Data Security and Privacy Policies to comply with the GDPR.
- Revise your data breach notification process. Ensure you understand what role you play and how it affects your responsibilities.
What are your concerns about the GDPR? Tweet me @scarabeetle using #CountdowntoGDPR, or add a comment below. Listen to my discussion on GDPR on The Hot Aisle #73 podcast here where I talk about these issues and more.
Read the entire Countdown to GDPR series to date:
Part 1: Right to Be Forgotten
Part 2: Privacy by Design and by Default
Part 3: Designating Data a Protection Officer (DPO)
Part 4: Customer Communication and Experience
Part 5: Data Security and Privacy Policies
Part 6: Data Transfers
Part 7: Data Protection Impact Statement (DPIA)