Planhat is modular so you can focus on what really helps you drive value and forget about the rest.
Segments, 360 Profiles, Overviews and User Insights
Forecasting, KPIs, Renewal Management and much more
No more surprises when you know where to focus
Beautiful Playbooks for structure and best practices
All your conversations in one place.
Collaboration and CS team overview
Stay on top of the latest news relateded to SaaS Churn, up-sell, renewals. Customer Success compensation, upcoming events, and a lot more.
This article will provide you with some of the key areas and aspects to help you prepare for the GDPR.
Planhat reached out to Customer Success professionals in the Nordic region and asked questions pertaining to job title and seniority level, compensation models, salary, maturity of the customer success team and so forth.
and what it means for SaaS companies in 2017 and 2018
By Megan Lozicki, Niklas Skog, Diego Checa
The new General Data Protection Regulation (GDPR) was finalized and agreed upon in 2016, and will be fully enforced on 25 May 2018. There is a lot of uncertainty of how, exactly, this new regulation will impact SaaS companies, particularly US companies with European customers and users. In this report we hope to provide you with a couple of key aspects of the regulation to help you be prepared for 2018.
To learn more about what Planhat has done to ensure compliance, you can visit our Planhat Commitment to GDPR page here.
The GDPR will replace the 1995 directive, and is accompanied by the Privacy Shield Framework which is intended to replace the Safe Harbor Framework from 2000.
Even though companies can already start certifying with the Privacy Shield since it was decided and agreed upon in 2016,
the date of official enforcement will be in May 2018 and all businesses that are not in compliance with the new regulations are subject to fines and penalties.
The overall goal of the GDPR is to ensure that individuals have more control over the use of their personal data, and to have more oversight on the processing
of that data by companies. The right of an individual to have their information deleted by a company, and the requirement of a company to reply to complaints
of safety violations within 45 days are probably the two biggest changes in the regulations for individuals.
The regulation also intended to help unify the safety requirements among the EU member states - putting all of the EU states under the same regulations
and requirements and making data transfers easier in the EU as well as internationally. So, instead of having to deal with 28 different protection authorities,
companies will only have to deal with one.
For more information you can find the official GDPR documentation here.
Privacy Shield Framework
The Privacy Shield is supplementary documentation that lets the regulatory bodies in the EU and US, as well as private citizens, know which companies comply with the new regulation standards. It also contains a list of companies that have been intentionally excluded from the Privacy Shield.
It contains seven principles that companies must demonstrate that they comply with in order to be approved.
The European Commission provides a fact sheet that you can find here. You can also visit the Privacy Shield Framework site directly to find out about all of the new principles and regulations.
The new regulation certainly requires companies to be more aware and in control of the personal data they are requesting from individuals, where it is going, and how it is being processed. It also gives the individual whose data it is more control over their information.
There are a couple of areas that a SaaS company will need to look at and be familiar with when the GDPR takes full effect in 2018.
Penalties for non-compliance
The penalties and fines outlined in the regulation are not a small slap on the wrist; the maximum amount a company or responsible party (e.g. a processor) can be fined is 4% of their global turnover from the previous fiscal year, or €20 Million--whichever is higher.
That is for the most serious infringements. For less serious violations, the fine is 2% of global turnover from the previous fiscal year, or €10 million--again, whichever is higher.
The GDPR provides specifications for violations outlined in the regulation that should be penalized within each of those 2 tiers. However, anything outside of those defined violations seems to be up for interpretation.
The regulation offers some suggestions on what to consider when determining the severity of the violation, and how to determine an appropriate penalty or fine. The regulation gives the supervisory authority (assuming the EU member state authority) the ability to determine the appropriate fine.
So not being in compliance with the new regulation is anything but cheap. It is important to make sure that your company, and any other company you use to help you manage personal data (customer data) is also following the rules.
Location of data
An important thing to keep in mind is the location of servers, or a company’s cloud service provider. If a company’s servers, or their third party cloud service provider is located in the EU then they are required to be and are, arguably, more prepared for the enforcement of these regulations. This can be attributed to the fact that they have been subject to the previous directives before and are already more aligned in their privacy and security policies.
Other companies (particularly US companies) have not invested in servers in the EU, therefore they could be facing some unexpected and unwanted interruptions, as well as potential violations in the way they are processing their data.
This also comes at a time when the European Commission is unsure if the Privacy Shield will still be enforced or acknowledged under President Trump. He has recently signed an executive order that removes the protections put in place by the Obama administration for EU citizens data, and could potentially threaten the Privacy Shield agreement.
EU based companies are at an advantage because they are already held to stricter standards than companies based in the US, therefore they are less likely to experience any interruptions. They are also removed from the uncertainty of Trump’s presidency.
Certifying with the Privacy Shield
Companies are now required to re-certify annually to ensure their security standards are still in line with the Privacy Shield Principles. With this, there is a fee that Privacy Shield organizations must pay that contributes to a fund for legal fees and actions that could be incurred. It is not stated what that fee will be, or if it is scaled based on the size of the company, but it will certainly be an additional annual cost.
What if a company does not certify?
It isn’t required to certify with the Privacy Shield, but if a company does not it can prevent them from doing business as usual; additional oversight and approval could be required for data transfer to a company that is not certified under the Privacy Shield that could interrupt the regular flow of data transfer and business, and those businesses are still subject to penalties.
Collecting personal data
Asking for a name and an email address has become so typically, not only in SaaS but in pretty much all online transactions.
So it is helpful to be aware of what rights the individual has over their personal data that has been collected.
Personal data defined under the GDPR
In the official documentation, in the definitions section in Article 4, personal data is defined by the GDPR as:
“...an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person...”
Under this definition it appears that every time a new user or subscriber is asked to provide the basic name and email address they are providing a piece of personal data and are now subject to the rules and regulations of the GDPR.
The individual’s rights to their personal data
The two biggest, as mentioned before, are the individual’s right to have all of their personal data deleted completely, as well as their right to file a complaint of a violation of the use or safety of their personal data and have the company respond within 45 days.
It is very clear, under the GDPR, that each individual owns their personal data and that the company collecting it does not have a right to use it in unspecified ways, or in ways that were not explicitly agreed upon by the individual.
Along with the requirement of time, the company must also look into and resolve the complaint at no additional cost to the individual. Adding this as a potential cost to the company.
The Privacy Shield Framework requires that companies contribute to a fund for legal fees, but it is unclear if this fund goes to the government regulation of GDPR violations or to the individual companies who need to handle complaints. It could be that the individual company will be required to pay the bill for this.
Being able to prove that you comply with the safety standards will be another challenge that we will have to see how it plays out. If an individual chooses to challenge a company on the use or the safety of their personal data, the company should have a way to prove that they do indeed comply (e.g. they received consent from the individual to use their information in a certain way).
Appointing a Data Protection Officer
A Data Protection Officer (DPO) is required of companies that:
Look to Article 37 in the official documentation for more information on requirements for a DPO.
The purpose of the DPO is to provide one person to oversee anything that relates to the processing of personal data, and to be the one person who is an absolute expert on the new regulation.
Companies have the option of hiring a full time DPO, or contracting one out.
Reform of EU data protection rules
EU-U.S. Privacy Shield
Data Protection Officer information:
THE WEB PAGE OF THE EDPS DATA PROTECTION OFFICER
The Data Protection Officer
Findings from the Nordic CS Survey
What to expect from the new EU regulations
Drop your email and let us show you how it works