As the rollout of the new EU General Data Protection Regulation looms, many product teams are both apprehensive about compliance, yet unclear about what the regulations mean for their products, and whether they will be impacted by them. Given the scope, and significant penalties for non-compliance – it’s best to assume that your product and your company will be impacted. This short guide aims to provide some background about the new regulations, how SaaS product teams can understand their exposure, and how to incorporate product changes into an organizational compliance process.
What is GDPR?
The EU General Data Protection Regulation (GDPR) is a new set of data privacy regulations that are designed to harmonize various data privacy laws across Europe, and provide a common set of regulations that protect the personal data of EU residents regardless of which companies they do business with. The new regulations are set to take effect on May 25th 2018. The 99 articles set forth in the regulation dictate what personal data can be collected, when it can be collected, and how it should be processed and secured.
The regulation is organized around a set of core principles:
- Lawfulness, Fairness, and Transparency – GDPR aims to give individuals full control and access of their personal information. As a result, any entity that aims to collect data must do so for a very specific, pre-defined purpose. Individuals must affirmatively consent to having any data collected, and they have the right to both view any information that is collected and to be ‘forgotten’ – i.e. have any specific personal information removed at their request.
- Accuracy – In addition to providing access, organizations must ensure the accuracy of any personal data they collect and that it is kept up to date. Individuals have the right to request that any inaccurate data be corrected.
- Purpose Limitation – The new regulations state that any personal data collected must only be processed for its stated purpose. Use of the data for any other purpose requires an additional affirmative approval from the individual
- Minimization of Collection and Storage – Organizations must take care to only collect personal information that is absolutely necessary for business processes and functions. Data should only be stored as long as necessary, and individuals must be informed about how long an organization will retain their data.
- Integrity and Security – Organizations must take care to protect the integrity of any personal information they collect. Wherever possible, data should be anonymized, and it must always be properly encrypted during transmission and storage. Any data breach that exposes personal data must be reported to the appropriate authorities within 72 hours. If a data data breach is likely to result in high risk to the data subjects, the affected individuals must be notified without undue delay.
- Accountability – Any organization that collects or processes personal data of EU residents must be able to give evidence that demonstrates their compliance with all of the GDPR regulations. Additionally, organizations that engage in ‘large scale’ or ‘systematic’ collection of personal information must appoint a Data Protection Officer (DPO) to oversee compliance.
These new regulations come along with significant penalties for non-compliance. Any organization found to be in violation of the regulations can be fined up to 20 million euros or 4% of a firm’s global gross revenue. For more detail about the regulations, you can visit the official EU site. Our friends at Proofpoint have also put together a very helpful GDPR playbook that provides additional background and discusses steps organizations can take to prepare for the new regulations.
Be aware that, despite the pending Brexit, the UK has adopted the same regulations as GDPR. In addition, residents of Norway, Iceland, and Liechtenstein (as members of the European Economic Area) will be covered by GDPR and data regulations in Switzerland will be very similar.
What are the Implications for SaaS Product Teams?
The new regulations may seem to be primarily business controls – why should product teams be concerned and involved with compliance? If nothing else, with the size and significance of the potential fines associated with non-compliance – all teams within an organization should be concerned, but there are specific implications in the regulations for SaaS products with European users.
First, recognize that information you’re collecting is likely to be considered personal data, which GDPR defines as ‘any information relating to an identified or identifiable natural person’. You may not be collecting information like financial account numbers or medical data, but even simple things like names and IP addresses are considered personal data. Many applications use email as a primary user ID, and many pre-built platforms (PaaS – platform as a service) collect visitor IP as a matter of course.
Product teams need to consider whether they need to continue collecting this information. If they do, then all of that data is subject to the GDPR requirements, and must be included in any organization preparation for the regulations. You will probably need to change your opt-in / acknowledgement for users who are coming into the product as well as processes for storing and removing individual user account data. In particular, disclosures of personal data collected, what it will be used for, etc must be presented in plain and clear language. Additionally, you must be able to demonstrate that the data subject has proactively consented (no pre-checked agreement boxes) and that consent was freely given (provision of a service cannot be conditioned on consent to process personal data if it is not necessary for providing the service).
Second, consider some of the other software companies that you do business with. You may not have direct European customers, but you may work with other companies that do. A unique feature of GDPR is that both data controllers – entities whose’ business purpose is fulfilled by the information collected and who set the collection / retention policies, and processors – companies that simply handle the data on behalf of the controller, are both required to demonstrate compliance
Also, many SaaS companies use third-party tools within their product. Usability tools such as session recording / playback, and product analytics tools are considered sub-processors and you must ensure they are compliant if your SaaS product is to be considered compliant.
This is the case at Pendo. Even if we didn’t have any European customers, because we work with many large SaaS companies that do, we have to ensure that all of our processes and sub-processors are in compliance with GDPR.
The Compliance Process – Bringing Product to the Table
If your organization does business at all with residents of Europe, you should have a compliance and remediation process underway. Many companies working with consulting firms and/or are hiring a DPO as the primary role to handle the process. Even as a relatively small company, at Pendo we will be adding the DPO role to our Compliance team. If your product team is affected by the GDPR regulations (and it likely is), you’ll want to connect with your DPO, and make sure that the product itself is part of the compliance process.
Remediation may not be too onerous if your organization already has some security and compliance controls in place. For example, if your company is SOC 2 or ISO 27001 compliant or registered with Privacy Shield, you likely have a foundation of good data collection and security policies in place. You’ll want to start with identifying and classifying all of the data your product collects and stores. Then compare the current opt-in, collection, and storage of that data with the GDPR controls.
From there, you can identify what needs to be changed, and more specifically, what are simply policy changes, and what will require engineering work in the product. Then you can put together the appropriate timeline to ensure your product is compliant as the regulations begin to be enforced. This is the same process we’re taking at Pendo. Having achieved both SOC 2 and Privacy Shield compliance in the past year, we’ve already gone through much of the policy and product work needed for GDPR compliance. Our team is currently identifying any areas where we need to add additional controls, and building the plan for full compliance by the time the regulations go into effect.
Privacy Shield and GDPR
With a myriad of different regulations and standards for security, product teams are often unclear about the EU-US Privacy Shield agreement, its relation to GDPR, and whether EU companies can do business with US SaaS companies that host data outside of the EU.
One of the new regulations within GDPR requires that any country that collects personal information from EU citizens must have adequate data controls in process. Currently the EU does not consider the US to have adequate data controls. The Privacy Shield process is an agreement that allows American organizations to certify that their practices are in-line with EU standards.
As a result, organizations that process data within the US can collect and store personal information from EU citizens. As the GDPR regulations roll out, organizations that participate in Privacy Shield should be able to continue offshoring EU data as long as the company and its products are in full compliance with the regulation. Remember, there are very large penalties for non-compliance.
Bringing your product in line with GDPR
The new EU privacy regulations will certainly present a challenge for SaaS companies, but definitely not an insurmountable one. By fully understanding their product’s exposure, leveraging existing privacy controls, and adjusting accordingly, you can ensure that your product can continue to support customers within the EU.
We at Pendo are actively working through this process, and will ensure that our product and policies are compliant with the new regulations before they come online. We will share updates on the process and progress of our work moving forward.