May 25th 2018, also known as "GDPR Day" in the tech industry, has long passed.
Many SaaS companies don't realize how many necessary changes and updates they might still need to make to their Privacy Policies in order to be GDPR-compliant.
We'll take a look at a few of the key sections your policy needs if you fall under the scope of the GDPR.
Article 12 of the GDPR states that privacy notices must be "concise, transparent, intelligible and easily accessible, using clear and plain language."
- Be transparent and detailed in your presentation of which personal data you collect, how you collect it, how you use it and who you share it with.
- Disclose your legal basis for collecting personal data (e.g. consent).
- State the contact information of your Data Protection Officer (DPO) if applicable, or of the person in your organization who handles data privacy issues.
- List the rights of EU residents as they are presented in the GDPR and let users know how you plan to uphold these rights.
- Disclose your data retention practices.
- Describe your international data transfer policies, if applicable.
Transparency in Data Collection and Sharing
- What personal data you collect
- Why you collect the data
- How you use the data
- Who you share the data with
Amazon Web Services (AWS) is a great example of how these sections can be covered in a detailed fashion that is also concise and clear:
To keep this section short and easy to follow, AWS includes each category of information it collects with links to more detailed lists. When a viewer clicks to see more examples of a category, they are taken to a long and detailed account of every type of data that AWS collects:
AWS also follows suit with an itemized list of how the company shares personal data with third parties and why it is necessary to do so:
Note that AWS mentions data collected via cookies several times throughout these sections and includes links to its Cookies Notice. It is important to indicate which information you collect with cookies and to have a Cookie Consent notice on your SaaS app's website.
Legal Basis for Collecting Personal Information
If your SaaS is B2B, on the other hand, your legal basis may either be:
- The fulfillment of a legal contract, or
- As a legitimate interest (the fulfillment of a requested service)
If the client you are working with requests that you process their customer data, you (the data processor) will need to make sure that your client (the data controller) has a valid legal basis for collecting the data that they transfer to you.
For example, if your legal basis is a contract or legitimate interest, you will need a written contract or agreement on record for any personal data you process on those grounds.
If your legal basis is consent, the situation may be a little more complex. The GDPR dictates that consent will not be deemed valid unless it is informed, unambiguous, explicit, and freely given.
In other words, you must give users full disclosure as to what information you are collecting from them before you collect it and request their explicit consent via a decisive action on their part.
This goes for all personal information, including IP addresses and geolocation data collected with cookies.
Here's how Mailchimp does it by presenting users with a cookies banner upon their arrival at the website for the first time:
Within this interface, users are informed about what types of information are collected via cookies and how to adjust their cookie consent settings. The Cookies Statement (or Cookies Policy) is also linked here:
Contact forms that request consent for direct marketing must also be compliant with the GDPR, without implementing any pre-ticked checkboxes. Your users must take a decisive action to provide their consent for direct marketing.
Since Mailchimp provides email marketing services to businesses, their website includes detailed information on setting up contact forms with GDPR-compliant consent methods.
This is how Oracle presents the contact information for their Data Protection Officer:
EU Consumer Rights
Any company dealing with EU consumer data is expected to uphold their rights as stated by the GDPR and communicate those rights in a clear, easy-to-understand format.
This means that you will need to explain to users which rights they are granted under the GDPR and how you will honor the following individual rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
- The right to lodge a complaint with EU supervisory authorities
Here is an example of how you can list out these rights and your processes for upholding them:
As you can see, Mailchimp covers each individual right and provides users with instructions or contact information for making such requests. The company also goes above and beyond by providing a link directly to the EU data protection authorities in case a user feels the need to lodge a complaint.
As a SaaS app owner, you may need to make significant changes in how log data, backups, uploads, and diagnostics data are recorded and stored.
The GDPR lays out two main points on data retention:
- Personal information may only be retained for as long as is necessary to fulfill the purpose it was collected for.
- Users must be informed of data retention policies.
The GDPR is clear that once personal data is no longer necessary, it must be anonymized or deleted so that any information you have on file can no longer be connected to an individual.
The GDPR is not clear, however, on the exact amount of time personal data may be retained without penalty. Each company has its own definition of what constitutes a "necessary" period of time.
Here's how Oracle details the exact amounts of time they retain customer data for different situations. This is a great example of transparent communication that will leave customers with little doubt about how their own personal information will be retained:
International Data Transfers
The GDPR requires international data transfers of EU user data to comply with EU-U.S. Privacy Shield or similar certified transfer procedures, as well as EU Model Contractual Clauses.
AWS lists their international transfer policy like this:
It begins by trying to establish a clear and easily understood format with this explanatory introduction:
The policy includes a linked Table of Contents to help users navigate:
The policy goes on to describe which information is collected or received about users:
Next, users are informed about how the collected data is used. Slack states its legal basis for processing data as a legitimate interest in this section:
The policy also goes into great detail as to why Slack shares personal information and with whom:
Slack describes how it handles international data transfers and includes resource links:
Here's the Data Retention clause that's short but thorough:
Users can find short and to-the-point instructions for contacting the DPO:
Slack takes a rather condensed approach to stating EU consumer rights, but since it provides instructions on how to invoke those rights, it is still compliant with the GDPR:
You may note that Slack did not include 'the right to lodge a complaint' in this section. That's because they cover it in more detail within another section: