Enrico Schaefer - March 2, 2023 - GDPR Data Privacy, SaaS Legal Issues, Software
This is a primer on GDPR compliance (General Data Protection Regulation). I will cover some definitions, practical considerations, and background you need to know as you navigate your world.
Every employee and department in your SaaS company interacts with different personal data and vendors with which you share personal data. If you’re in the web development department, you’re gonna have a set of specific issues. If you’re doing application development, another set of issues. You will have different issues if you’re involved in prospecting or customer relations management.
In this video (below), we will cover the general things every software as a service (SaaS) company needs to be aware of to increase and improve our compliance and security of personal data.
I will first go through some key definitions: personal data, sensitive personal data—and then some practical considerations: monitoring cookies; using consent mechanisms; using encryption; and finally, some background information: privacy by design and by default; breach notification; accountability, and governance.
The GDPR has created data privacy rights for all EU citizens and others in the EU to own and control their own personal data. If personal data is captured, stored, or processed by one of your systems, and you have users or customers in the EU, you must meet your GDPR obligation. So what is personal data?
Personal data is a broad category of data that will identify a real person, the data subject. Any data that will identify a real person: an email address, phone number, physical address, and IP address is personal data. If information involves the identity as a physical person by any means (including location), it is personal data.
Some questions you want to consider:
Do I have access to personal information?
Do our partner data processors have access to personal information?
A data processor under the GDPR is a person or a company that processes personal data on behalf of the controller (see definition below).
Processing means an operation or set of operations performed on personal data. It’s basically anything uploading, storing, recording, collecting, organizing, adapting, altering, retrieving, and using personal information. So data processor means anyone who does anything with personal data.
Controller means the person or company which determines the purpose and means of processing personal data. The controller has different obligations than the processors. The controller, the data processor, and the sub-processor must ensure they protect that personal data. They know where that data lives. They can account for that data. They’re identifying and telling you who it’s being shared with. So as a software-as-a-service business, you are a controller when you decide the purposes and means of the process. And you’re a processor when you act under the customer’s instructions.
A sub-processor is a third-party data processor engaged by the data processors with the approval of the data controller, which has or will have access to or process personal data. If you have a vendor, which processes personal data, that vendor would be a sub-processor.
When dealing with personal data, you have to comply with GDPR, which means you have contracts with everyone upstream and downstream who are GDPR compliant, which sets forth all of their rights. The General Data Protection Regulation (GDPR) is a new set of rules designed to protect the privacy of European citizens. It gives individuals eight rights regarding their private information. These rights apply to any data a controller collects, whether a person or an organization.
Information about these rights must be provided by the controller before any data collection takes place. This means that theaters must let their users know they’re collecting personal information and give them information about these rights.
GDPR data rights involve the right to be informed who has your data, access it, have it corrected if there’s a problem, erase it, have all of your personal data erased when you want it erased, know where that specific person’s data lives and export it so you can take it with you, object and prevent processing that is likely to cause damage or distress.
Data privacy compliance is a key part of GDPR compliance and an area you can’t overlook. To provide these rights to individuals, you must know who has the data. Data processors need to sign data processing agreements (DPA) with the data controllers they work with. The DPA should contain a description of the adequate safeguards that are put in place for the processing. Drafting and mplementing a DPA will help ensure that you’re compliant with GDPR and that any third parties you are dealing with are also compliant.