The Global Impact of GDPR

The EU General Data Protection Regulation (GDPR) is fast-approaching with less than a year remaining for data controllers and processors to comply.  Non-compliance could result in legal action or large fines (up to 4 percent of an organization’s global turnover or €20 Million).

As the deadline looms, companies around the globe who interact in any way with privacy data about citizens in the EU will need to bolster their compliance posture by requiring their vendors, including SaaS providers, to prove upstream compliance.

GDPR impact on business is proving to be one of the most talked about global regulations to date, related to data governance and data privacy. And yet, according to a recent survey, only one-quarter of firms affected by GDPR are planning for it. For those remaining, the one-year deadline serves as a ticking clock to what could be an expensive scramble.

Global Impact of GDPR

For SaaS providers, it’s important to understand the following three explicit areas of GDPR that will require the closest attention:

  1. The Right to Be Forgotten
    The right to be forgotten is a EU provision where subjects have the right to obtain erasure of personal data without delay when certain grounds apply. Complying with this requirement is likely to be one of the most challenging, as it could require a controller/processor to significantly change or redesign their solution. Even with less than one year before the regulation takes effect, it’s still not completely clear what will be required to comply with “being forgotten.” This should be a primary conversation with consumers of SaaS products to determine what makes sense for the application’s functionality and purpose, as well as legal compliance.
  2. Privacy by Design
    This requirement goes hand-in-hand with data erasure in that it will be the end-result implementation of the consensus on what it means to “be forgotten.” Ultimately, creating a product/service that is developed with the regulation in mind is key; however, this is another requirement that, while stated in broad terms seems easy to understand and comply with, but definitely needs more discussion among all stakeholders
  3. Data Protection Officer (DPO)
    A DPO may not be required for all SaaS providers, but it is incumbent on the service provider to do their due diligence in understanding when “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data” both of which would require the oversight of a DPO. Further, the provider needs to understand where they fall under the “public authority or body” definition. In the “Guidelines on Data Protection Officers (DPO)” , under the Working Party 29 body, there is some guidance on what a public authority or body could mean:

    “A public task may be carried out, and public authority may be exercised not only by public authorities or bodies but also by other natural or legal persons governed by public or private law, in sectors such as, according to national regulation of each Member State, public transport services, water and energy supply, road infrastructure, public service broadcasting, public housing or disciplinary bodies for regulated professions.”
    By determining the need for a DPO now, organizations can save time, headaches and money down the road.

Important Next Steps

SaaS providers should now begin evaluating their data collection practices against the regulation itself, while at the same time working with their partners and customers to determine what policies, procedures and legal requirements should be implemented to remain compliant.

Key to these discussions is an understanding and agreement on how other controllers and processors in the data subject information chain handle their responsibilities and perform internal GDPR impact assessments.

Here’s how three of the world’s biggest SaaS providers are preparing for GDPR compliance:

Microsoft: “We are working to bring our products and services into compliance with the GDPR by May 2018. We are updating the features and functionality in all of our services to meet the GDPR requirements, and we are updating our documentation and our customer agreements to reflect the GDPR requirements.”

Google – Google recently stated at its Google Cloud Next conference that compliance to GDPR is a “shared responsibility” and that they will have “full support for that by May 2018,”  according to SVP Diane Greene. Google is continually updating their Compliance, Privacy, and Security guidelines.

Salesforce – Salesforce recently announced several resources to help customers prepare for the GDPR, including a resource website, a new trailhead module and a contractual addendum.

How is Spanning Preparing for GDPR?

We are actively working to stay ahead of the curve by collaborating closely with our customers and prospects. Our goal is to determine the best course of action to fulfill our responsibilities related to GDPR and to help our customers fulfill their responsibilities. We are also talking to other SaaS providers about what Google suggested was the “shared responsibility” of compliance to the directive.

Throughout 2017, we will continue researching regulations and working with the security community (ISSA, CSA) to understand the legal ramifications of GDPR compliance and how our upstream partners are solving the open questions surrounding the stated controls. Watch this space.

The bottom line is, don’t wait to get started. For organizations that rely on SaaS providers, proactively ensure that they are meeting the guidelines and regulations required under GDPR. For SaaS providers who have yet to implement an action plan, the clock is ticking.

An earlier version of article first appeared in IT Pro Portal.