EU General Data Protection Regulation

and what it means for SaaS companies in 2017 and 2018

By Megan Lozicki, Niklas Skog, Diego Checa

Introduction

The new General Data Protection Regulation (GDPR) was finalized and agreed upon in 2016, and will be fully enforced on 25 May 2018. There is a lot of uncertainty of how, exactly, this new regulation will impact SaaS companies, particularly US companies with European customers and users. In this report we hope to provide you with a couple of key aspects of the regulation to help you be prepared for 2018.

Expect from the new regulation:
  1. A new safety framework (Privacy Shield Framework) that companies must certify with annually
  2. Expansion of the definition of “personal data” and an individual’s rights to their personal data
  3. Increased regulations on how personal data can be used and shared between companies (particularly companies that utilize cloud computing)
  4. Some companies may require a Data Protection Officer
  5. Companies can be fined a maximum of 4% of their global turnover of the previous financial year (or €20 million, whichever is higher) for violating the GDPR

To learn more about what Planhat has done to ensure compliance, you can visit our Planhat Commitment to GDPR page here.

Exhibit 1

A Brief History

Figure: timeline of the GDPR
Timeline info: European Union: ECJ Invalidates Data Retention Directive. (n.d.). Retrieved January 26, 2017, from https://www.loc.gov/law/help/eu-data-retention-directive/eu.php#Introduction

The General Data Protection Regulation

The GDPR will replace the 1995 directive, and is accompanied by the Privacy Shield Framework, which is intended to replace the Safe Harbor Framework from 2000. Although companies can already start certifying with the Privacy Shield, since it was decided and agreed upon in 2016, official enforcement begins in May 2018, and any business that is not in compliance with the new regulations by then is subject to fines and penalties.

The overall goal of the GDPR is to ensure that individuals have more control over the use of their personal data, and more oversight of how companies process that data. The right of an individual to have their information deleted by a company, and the requirement that a company reply to complaints of safety violations within 45 days, are probably the two biggest changes in the regulations for individuals.

The regulation is also intended to unify the safety requirements among the EU member states, putting all of the EU states under the same regulations and requirements and making data transfers easier within the EU as well as internationally. So, instead of having to deal with 28 different protection authorities, companies will only have to deal with one.

For more information, you can find the official GDPR documentation here.


Privacy Shield Framework

The Privacy Shield is supplementary documentation that lets the regulatory bodies in the EU and US, as well as private citizens, know which companies comply with the new regulation standards. It also contains a list of companies that have been intentionally excluded from the Privacy Shield.

It sets out seven principles with which companies must demonstrate compliance in order to be approved.

The European Commission provides a fact sheet that you can find here. You can also visit the Privacy Shield Framework site directly to find out about all of the new principles and regulations.


What the new regulation could mean for SaaS companies

The new regulation certainly requires companies to be more aware and in control of the personal data they are requesting from individuals, where it is going, and how it is being processed. It also gives the individual whose data it is more control over their information.

There are a couple of areas that a SaaS company will need to look at and be familiar with when the GDPR takes full effect in 2018.


Penalties for non-compliance

The penalties and fines outlined in the regulation are not a small slap on the wrist: the maximum amount a company or responsible party (e.g. a processor) can be fined is 4% of its global turnover from the previous fiscal year, or €20 million, whichever is higher.

That is for the most serious infringements. For less serious violations, the fine is 2% of global turnover from the previous fiscal year, or €10 million, again whichever is higher.

The GDPR specifies which violations outlined in the regulation should be penalized within each of those two tiers. However, anything outside of those defined violations seems to be up for interpretation.

The regulation offers some suggestions on what to consider when determining the severity of a violation and how to determine an appropriate penalty or fine. The regulation gives the supervisory authority (presumably the EU member state's authority) the ability to determine the appropriate fine.

So not being in compliance with the new regulation is anything but cheap. It is important to make sure that your company, and any other company you use to help you manage personal data (customer data), is also following the rules.


Location of data

An important thing to keep in mind is the location of servers, or of a company's cloud service provider. If a company's servers, or its third-party cloud service provider, are located in the EU, then the company is required to be, and arguably is, better prepared for the enforcement of these regulations. This can be attributed to the fact that it has already been subject to the previous directives and its privacy and security policies are already more closely aligned.

Other companies (particularly US companies) have not invested in servers in the EU, and could therefore face unexpected and unwanted interruptions, as well as potential violations in the way they process their data.

This also comes at a time when the European Commission is unsure whether the Privacy Shield will still be enforced or acknowledged under President Trump. He recently signed an executive order that removes the protections put in place by the Obama administration for EU citizens' data, which could threaten the Privacy Shield agreement.

EU-based companies are at an advantage because they are already held to stricter standards than companies based in the US, and are therefore less likely to experience any interruptions. They are also removed from the uncertainty of Trump's presidency.


Certifying with the Privacy Shield

Companies are now required to re-certify annually to ensure that their security standards are still in line with the Privacy Shield Principles. With this comes a fee that Privacy Shield organizations must pay, which contributes to a fund for legal fees and actions that may be incurred. It is not stated what that fee will be, or whether it scales with the size of the company, but it will certainly be an additional annual cost.

What if a company does not certify?

Certifying with the Privacy Shield is not required, but a company that does not certify may be prevented from doing business as usual: data transfers to a company that is not certified under the Privacy Shield could require additional oversight and approval, interrupting the regular flow of data transfers and business, and such businesses are still subject to penalties.

Collecting personal data

Asking for a name and an email address has become routine, not only in SaaS but in almost all online transactions.

So it is helpful to be aware of the rights an individual has over the personal data that has been collected from them.

Personal data defined under the GDPR

In the official documentation, in the definitions section in Article 4, personal data is defined by the GDPR as:


“...an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person...”

Under this definition, it appears that every time a new user or subscriber is asked to provide a basic name and email address, they are providing a piece of personal data, and that data is now subject to the rules and regulations of the GDPR.

The individual’s rights to their personal data

The two biggest, as mentioned above, are the individual's right to have all of their personal data deleted completely, and their right to file a complaint about a violation of the use or safety of their personal data and have the company respond within 45 days.

It is very clear under the GDPR that each individual owns their personal data, and that the company collecting it does not have a right to use it in unspecified ways, or in ways that were not explicitly agreed upon by the individual.

Along with the time requirement, the company must also investigate and resolve the complaint at no additional cost to the individual, which adds a potential cost to the company.

The Privacy Shield Framework requires that companies contribute to a fund for legal fees, but it is unclear whether this fund goes to the government regulation of GDPR violations or to the individual companies that need to handle complaints. It could be that the individual company will be required to foot the bill for this.

Being able to prove that you comply with the safety standards will be another challenge, and we will have to see how it plays out. If an individual chooses to challenge a company on the use or safety of their personal data, the company should have a way to prove that it does indeed comply (e.g. that it received the individual's consent to use their information in a certain way).


Appointing a Data Protection Officer

A Data Protection Officer (DPO) is required of companies that:

  1. Employ more than 250 people
  2. Are a public authority or body that processes personal data (courts acting in a judicial capacity are exempt)
  3. Have core activities consisting of processing operations that “require regular and systematic monitoring of data subjects on a large scale”, or
  4. Have core activities consisting of processing what is defined as “sensitive data” under the GDPR

Look to Article 37 in the official documentation for more information on requirements for a DPO.

The purpose of the DPO is to provide one person who oversees everything that relates to the processing of personal data, and who is an absolute expert on the new regulation.

Companies have the option of hiring a full-time DPO or contracting one externally.


Recommendations

  1. Certify with the Privacy Shield to ensure business as usual
  2. If you are a SaaS company that uses a third party (cloud computing company) to process your data, make sure they also comply with the Privacy Shield Framework principles
  3. Partner with CRM and Customer Success companies that comply with the new safety standard
  4. Assess the data you request/collect and its relevancy
  5. Review and update your current privacy policies to align with the Privacy Shield Framework
  6. Assess how your data is being processed, and whether it is currently used for purposes other than your own (e.g. your processor could be using the data for other things). Under the GDPR both the “controllers” (the party requesting and collecting the data) and the “processors” (the party processing the data) can be held liable for issues regarding individuals' personal data
  7. Know the location of the data you are processing, and have a method for complete deletion of that data
  8. Determine whether or not you need a DPO (additional resources provided below)


Additional Resources

GDPR

Official documentation

Reform of EU data protection rules

Privacy Shield Framework

EU-U.S. Privacy Shield

Privacy Shield Framework

Data Protection Officer information:

The web page of the EDPS Data Protection Officer

The Data Protection Officer
