The GDPR (General Data Protection Regulation) is an EU regulation on data protection which governs the collection, processing, storage and use of personal data in EU countries starting from 25 May 2018. Its provisions also reach companies outside the EU: any company that operates on EU territory, offers goods or services to individuals in the EU, or monitors their behaviour has to comply with the GDPR as well, regardless of where it is based. Note that the regulation protects people in the EU, not only EU citizens.

Compliance with the new rules is particularly important for SaaS companies, which typically hold the data of customers from all over the world.

Violations of the Regulation’s provisions may result in fines of up to 20 million EUR or 4% of the company’s total worldwide annual turnover, whichever is higher.

Not everyone is prepared for new rules

The GDPR regulates the handling of personal data whether it is stored on electronic devices or in other formats, such as paper records. According to the Regulation, personal data is any information relating to an identified or identifiable natural person, which covers obvious identifiers such as name and e-mail address as well as less obvious ones such as IP addresses, device identifiers and cookie IDs.

The Regulation becoming applicable creates a difficult problem for companies: nobody yet has practical experience in applying its rules, and little enforcement practice exists to learn from. Large companies will recruit teams of lawyers. Others will learn from that experience, or simply hope that they will escape scrutiny from the supervisory authorities.

Europeans receive not only a right to the protection of their data but also rights over how it is used

Under the GDPR, consent is only valid when it is freely given, specific, informed and unambiguous; pre-ticked boxes and consent buried in terms of service do not count. (Consent is one of several lawful bases for processing; a contract with the user, a legal obligation, or the company’s legitimate interests can also justify processing.) The user must also be given access to his/her personal data, the right to have it erased, and the right to receive it in a structured, commonly used, machine-readable format so it can be passed on to another provider, for instance, for the transfer of personal medical records from one medical establishment to another.

The Regulation divides those who work with data into controllers, who decide why and how personal data is processed, and processors, who process it on the controller’s behalf. As a rule, SaaS companies are processors of their customers’ data, but they often also act as controllers, for example for the data they collect when users register for the service. Under the GDPR, a company may collect and store only the data it genuinely needs for a stated purpose (data minimisation), and where it relies on its legitimate interests as the basis for processing, it must first weigh those interests against the rights and interests of the people whose data it is.

What should a company do to comply with GDPR?

  1. Inform all staff members about the GDPR and what it means for their day-to-day work.

  2. Work with the information you already hold – inventory the data flows you have. There is no point in collecting data you do not use, and outdated information should be deleted. Your vendors and partners (in GDPR terms, your processors) must also be ready for the GDPR and comply with its standards; the Regulation requires a written data-processing agreement with each of them.

  3. Update your privacy policy – it should be concise, easy to read and understandable.

  4. Ensure that users can review, correct and delete their data. When a user asks for erasure, you also have to see that the data is deleted by those to whom you transferred it or who had access to it, which means you need to know who those recipients are.

  5. Define a procedure for responding to users’ requests concerning their personal data. The GDPR requires a response without undue delay and in any event within one month, which can be extended by a further two months for complex requests.

  6. Be able to justify your handling of personal data – state in the privacy policy which data you collect, for what purposes and on which lawful basis.

  7. Where you rely on consent, obtain it clearly and explicitly from users, and record when and under which circumstances each consent was obtained so that you can prove it later.

  8. Children under 16 in the EU cannot give valid consent themselves; you must either obtain verifiable parental consent or not offer the service to them. Member states may lower this age threshold to 13.

  9. Create a procedure for notifying data breaches: the supervisory authority must be informed within 72 hours of becoming aware of a breach, and the affected users without undue delay where the breach is likely to put them at high risk.

  10. Protect the data with appropriate technical and organisational measures. The Regulation explicitly mentions encryption and pseudonymisation; access control, logging and regular testing of your security measures also fall under this requirement.

  11. Designate a person responsible for data protection (a Data Protection Officer is mandatory for some companies, such as those whose core activity involves large-scale monitoring of individuals) and make sure that this role is free of conflicts of interest.

  12. Be prepared for the potential need to respond to users’ requests in any of the official EU languages.

While you are working through the steps towards GDPR compliance, you can post a notice on your website stating that your company is currently preparing for the General Data Protection Regulation, since it becomes applicable on 25 May 2018, just one month from now.