How to Comply with GDPR as a SaaS Business
A few years ago, GDPR compliance took not only Europe but the world by storm. You couldn’t go to any site or app without the popup. It’s amazing how laws in one part of the world can affect companies far away, but a huge privilege of SaaS is that your clients can be anywhere! With great privilege comes great responsibility. SaaS companies have big responsibility to handle customer data properly and laws are catching up to enforce that more explicitly.
Because SaaS companies work so closely with customer data, it’s imperative legally that they comply with GDPR laws and go through the steps necessary on their sites and apps to make sure problems don’t come up later.
It sounds a bit overwhelming but with a few easy boxes checked, you can make sure you’re protected against data law infringement for your clients worldwide.
Here’s a quick easy guide to GDPR compliance for SaaS companies specifically:
Read the law.
We all rely on the cliff notes, but for something so important, it’s probably for the best. GDPR is not just about adding the pop up to your site and moving on. Anyone within your organization that handles customer data needs to know and understand the law to make the best, safest decisions in the future. This is particularly important with SaaS companies because customer data management is so much more intricate and integral than a basic website. Apart from legal, other roles that need to understand what GDPR covers are: developers, marketers, sales teams, and leadership positions. Making decisions on what third parties to use and other tools to integrate into processes could affect GDPR compliance. Roles have to work together to make sure customer data is handled and protected properly and the right approvals are taking place.
Cliff notes (because we know you’re busy).
- Rights of data subject (the user): Chapter 3
- Responsibility of controller (you): Chapter 4-24
- Conditions for consent (pop ups): Chapter 2-7
Update your policies.
Map out where you take personal data.
You should also add the right for users to be forgotten / have data erased. We added an easy way for admins to search for any Beamer user by email or ID and have their data deleted.
Have a DPA (Data Processing Agreement) signed.
Another part of the new regulations that come with GDPR is to have a Data Processing Agreement signed with all your data processors. All businesses and products use third party tools that have to come in contact with customer data like an encryption service, an emailing service, etc. As a SaaS providing services in the EU you must ensure you have signed a Data Processing Agreement with your vendors who may have access to your users’ data. In addition, if your SaaS product is also a sub-processor you must have your own DPA signed by your clients. The DPA lets users know what third party tools have access to their data and how.
Here’s what your Data Processing Agreement needs to include:
- You need to let users know that anyone who has access to data is sworn to confidentiality.
- All technical and organizational measures are taken to protect data.
- Clarification on what personal data we collect and its purpose
- There will be no sub-processors without further DPAs signed.
- The processor will help the controller uphold their obligations under the GDPR.
- The processor will help the controller maintain GDPR compliance with regard to the security of processing and consulting with the data protection authority before undertaking high-risk processing.
- The processor agrees to delete all data upon the termination of services.
- The processor must allow the user to conduct an audit and provide whatever information necessary.
Now, there might be some confusion about who the players are and with whom you should have a DPA in place. Here there’s an example with Beamer as a data processor of other businesses data:
Add the pop up.
Make a clear plan to get in touch with users in the case of a data breach.