GDPR for SaaS Product Teams

The European Union’s General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. It recognizes and codifies EU residents’ broad rights and freedoms in relation to the processing of their personal data. A primary goal of the regulation is to preserve individuals’ right to privacy and to protect them from the data breaches that have become increasingly prevalent in our data-driven world.

Even if a business is located outside the EU, GDPR applies to it if it offers goods or services (even for free) to, or monitors the behavior of, EU residents, or if it processes and holds those residents’ personal data. While the 28 EU member states already have data privacy laws, the GDPR’s goal is to create one consistent set of rules across those countries.

We’ve written before about GDPR’s impact on email senders. But GDPR has major implications for any SaaS (Software as a Service) provider that has users in the EU—or more precisely, users who are EU citizens (regardless of where they live) and/or users who are residents of the EU (citizens or not).

Given the global nature of today’s economy and the Internet, GDPR is something few SaaS businesses can ignore. It’s a complex topic, but here are five things every product team should know.

1. GDPR defines personal data in very broad terms

Just about every piece of information you collect about your users is considered personal data under GDPR. The regulation broadly defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

That’s a mouthful, but it means that, beyond obvious things like names, ages, email addresses, and identifiers like driver’s license or other ID numbers, you also need to consider location data, IP addresses, mobile device IDs, web browser cookies, and even genetic and biometric data, such as fingerprints, facial recognition, and retinal scans. For example, if your app allows someone to use their fingerprint, rather than an access code, to access their account, you should understand how you’re handling that fingerprint data.

2. SaaS teams must take care in how they obtain consent to process users’ data

Consent has long been an important part of how SaaS businesses obtain and handle data from users, but GDPR is very clear about five aspects of consent that you must adhere to if you want to be compliant with the new law. Consent must be:

  • Freely given: Users must be able to give consent without feeling intimidated or misled. For example, you can’t require that users provide specific information before they can use a service unless that information is required to perform the service.
  • Specific: GDPR frowns on blanket consent agreements that are meant to cover everything a business may want to do, now or in the future, with their users’ data.
  • Informed: Users need to understand who they’re giving consent to, which information they’re giving consent to use, and how it will be processed. The agreement must also stand alone, instead of being enclosed in a terms and conditions agreement, so that the user can more easily read and understand it.
  • Unambiguous: The method for obtaining consent should not leave any doubt about the intentions of the user or the company. It’s also vital that businesses keep records of their users’ consent agreements so they can be presented for verification.
  • Indicated by a statement or clear affirmative action: Users can give consent verbally, in writing, or by clicking a box. Silence or a pre-clicked box does not equate to consent. GDPR prefers that users be able to withdraw consent as easily as they give it.

3. SaaS users have broad and specific rights about the use of their data

GDPR explicitly treats personal data as belonging to the user, not the company. In fact, it defines the right to privacy and control of this personal data as a fundamental human right. GDPR lists several ways in which individuals have control over how, where, when, and why their data is used, including, but not limited to:

  • Right of access: Users can ask why and where their data is being processed, who their data is shared with, how long their data is being stored, and other information. Access requests must be fulfilled free of charge within one month.
  • Right to be forgotten: Users can withdraw the consent they’ve previously given, in which case their data must be erased rather than merely disabled in case the user later decides to reactivate their account. There are exceptions, but the business’s reason for not complying must fall under one of the lawful purposes described by GDPR.
  • Right to rectification: Users can insist that companies fix any errors with their data.
  • Right to restrict processing: Users can restrict the processing of their data while errors are being fixed, and they can also do so instead of demanding erasure of their information, among other reasons.
  • Right of data portability: Users can ask for a copy of their data in a readily accessible format (for example, as a CSV file) and may ask for their data to be transferred from one company to another.
  • Right of third party notification: If data is shared with third parties, those companies must also be informed if a user asks to be forgotten, for mistakes to be fixed, or for restricted processing of their information. Users are also entitled to ask about the identities of those third parties.

4. SaaS businesses must act swiftly in the event of a data breach

If you suffer a data breach, you have 72 hours to notify the relevant authorities. Failure to do so can result in a penalty of up to 2% of your company’s annual worldwide revenue or €10 million, whichever is more.

If the data breach is likely to affect the rights and freedoms of your users, you must also inform them “without undue delay.” There are exceptions to that, such as:

  • The data has been encrypted or otherwise made unintelligible.
  • The breach is unlikely to affect your users.
  • Notifying your users would require “disproportionate effort,” in which case you can make a public announcement.

5. SaaS teams probably need a Data Protection Officer and documentation of collected data

GDPR requires the designation of a Data Protection Officer (DPO) if your business conducts “large scale” monitoring of your users in a regular and systematic way. The law says that the DPO should be someone well-versed in the subject matter, as opposed to, for example, asking someone in marketing to take on the responsibility in name only.

While the DPO requirement is aimed at larger companies, with the goal of giving that function a seat at the C-suite table, it’s a good idea to have a DPO even if your employee count is in the single digits.

In addition, if your company has more than 250 employees, you need to keep documentation regarding:

  • Why you’re collecting and processing people’s data
  • A description of what data you retain (remember that while you don’t need to worry about emails you send, you should be careful about unique identifiers that appear in returned message data)
  • How long you retain data
  • What security measures you have in place to protect against breaches

And one more thing…

The penalty for violating GDPR can be steep: up to 4% of your company’s annual worldwide revenue or €20 million, whichever is more. If you’re based in the U.S. and handle the data of users in the EU, you should look into being certified under Privacy Shield, a framework designed by the US Dept. of Commerce, the European Commission, and the Swiss Administration.

These five points are just a quick look at some of GDPR’s ramifications for SaaS products. It’s a complex topic that most product teams will want to discuss with their business and legal counterparts.

Want to learn more?

On April 26th, SparkPost’s own Data Protection Officer and GDPR expert, Jason Soni, will be joined by 250ok’s Director of Privacy & Industry Relations, Matthew Vernhout, in a webinar discussing GDPR’s worldwide impact on email. I highly recommend product managers check it out. Until then, these additional resources are worth bookmarking: