What GDPR Means for SaaS Companies (and What do to About it)

With an implementation deadline looming on May 25 2018, the EU’s latest effort to replace the current patchwork of national laws into a single set of rules across the EU, called the General Data Protection Regulation (GDPR), is leaving more than one SaaS company scratching their heads.

The GDPR, adopted in April 2016 by the European Parliament, is used as a guideline that the governing body leaves on organizations to determine the appropriate course of action. This applies to EU companies and non-EU companies that sell to EU residents. The provisions are consistent across all 28 EU member states, which means that companies have just one standard to meet within the EU. It is expected that GDPR will set a new standard for consumer rights regarding their data, however, companies will be challenged as they put systems and processes in place to comply.

GDPR comes down to three key principles:

Security: Preventing unauthorized access
Accountability: Be transparent and take ownership
Individual Rights: Preserve individual privacy while delivering products and services

Compliance Obligations:

The GDPR requires organizations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records on data activities and enter into written agreements with vendors.

Data Breach Notification and Security:

The GDPR requires organizations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. It places additional security requirements on organizations.

Organizations must clearly state what type of information they are collecting, how they plan to use that data and where the data is being stored.

Right to be forgotten/Right to erasure: It is unnecessary to delete user information, however, companies would have to null personal information to the point where it is impossible to identify who that person is. This only applies to the data controller on behalf of the data subject.

Right to restrict processing: This is the ability to say to a process provider, that is if there’s a money dispute, they would not be allowed to use a customer’s data. This would require to export data out, delete it from the system and then import it back once the dispute is resolved. As with most items in GDPR, this regulation states that this issue would occur between a data subject and a data controller.

How Cien Strives to Achieve the Highest Standards in Personal Data Privacy and Security

Cien has abides by the privacy laws under United States and the European Union and will continue to do so in the future. We have an ongoing partnership with our customers, and will ensure that the security of their personal information and data storage are taken care of in the appropriate manner. Cien is pleased to make the GDPR requirements a priority in our organization. Protecting the privacy of our customers’ data is firmly established in Cien’s culture and operations.

9 Action Items to tackle GDPR in your organization:

Establish a program that addresses the construction of inventory of your processes that relate to personal data
Perform data impact assessments when necessary with a data map
Ensure data impact assessments when necessary with a data map
Include rights of access, rights of correction, rights of erasure and rights if data portability in your outline plan for compliance
Risk-assess your own data
Have an understanding of how you share personal information with third parties
Assess your information security program as it relates to personal data
Establish a protocol to identify if or when any breach may occur, and how you will handle it
Update your contract language to state your compliance with GDPR