Rethink Commerce Blog

GDPR Compliance for Software & SaaS Companies – Part 2

Posted on April 10th, 2018 by

Welcome back!

We hope you enjoyed Part 1 of our GDPR Compliance Webinar wrap-up. If you haven’t already, make sure to read it for an overview of the GDPR regulation and your obligations under it. Then, come back for answers to these common (and some uncommon) GDPR questions. We’ve divided them into a few categories: consent, data, general and Gray Areas (there are a lot of those!).

Consent

Do you need to ask for consent again from paying recurring customers?

Consent obtained will be valid and may be processed under GDPR only if provisions of the regulations are observed. Varieties include opt-in, informed consent and granular consent. Generally, a refresh of consent is a good idea.

BUT, if it’s personal data that’s processed in relation to a contract you already have in place, then consent is not needed again. Consent is as lawful as the contract you have in place. What you do with the data is another matter – that falls under “data” below.

 

Do we need to reconfirm mailing list subscribers?

Keep in mind that you could get fined for spamming everyone on your list to ask for consent. You do need to get consent again, say for a newsletter. But there are creative ways of doing this. Creative, compliant ways. For example, part of your current newsletter could say, “We are reinventing this newsletter with much better premium content: click here to opt-in/subscribe,” and then you have fresh consent. Don’t just ask, “Do you want to stay?” That could already be a breach.

 

Could you send a Terms of service update email and ask for consent there?

The ePrivacy directive allows opt-out for existing customers. If you have a database with emails and send them a newsletter based on opt-out, that’s okay under current law. As mentioned, if you have an opt-out but you don’t have relationships and the person is not a customer, sending any type of mass marketing communication is punishable even under current laws.

 

Do we need consent for generic emails that are not personally identifiable, like info@company.com?

These emails would not be considered personal, but keep in mind that if someone replies to one of these email addresses and you gather their name, that would be personal data. Pay attention to what happens at different points in the chain and how the information you hold gets updated.

 

What about an email list for both EU and non-EU citizens?

It’s correct that you need to get consent only for EU citizens, but be careful: Australia, China, and other countries have similar legislation. Also, the meaning of data subjects “from the EU” is interpretable: Is it citizens, residents? This requires clarity, so it’s best to get consent from everyone and it’s easier to handle too.

 

If you collect just email addresses, how do you distinguish EU citizens?

Similar to age verification, where someone certifies “I’m at least 18 years old”, you could add something along the lines of “I’m an EU citizen”.

 

There is a lot of ambiguity around the legal basis of legitimate interest. To what extent does an organization have a legitimate interest in measuring, reporting, testing and optimizing the performance of its website?

Processing “online identifier” personal data but in aggregate, and for the purpose of measuring, say, the completion rate on a form, or buttons clicked on a landing page does not profile or otherwise “directly” impact the user as long as the data is actually anonymized, in which case you are fine. The grey area here comes from inbound marketing tools that by definition profile users’ behavior on a website and need to identify them with a cookie. These tools would require consent for compliance.

 

If we use a third-party service to manage email newsletter, do we need to mention the name of that company in the opt-in? Or, in a Learn More link?

Yes, if you are going to share a citizen’s data with a third party such as a marketing or mailing agency, then you need to have named them on the opt-in so that the citizen knows their data may be shared with that specific third party. Going further, you’ll need to check that your supplier is also GDPR compliant.

 

How should email signatures be handled in emails stored in the system? How can you get consent to store this if the signatures are automatically stored once an email is received?

As an email with signature is sent voluntarily by the user with that data attached, with a good understanding that emails are kept and stored and forwarded, the user has given implied consent to that data for that specific use/purpose (i.e., being stored with the email). The user has NOT, however, given consent to now be marketed to or be added to a marketing database.

 

How do you record consent?

This area is slightly gray, but to comply you need to demonstrate that you have consent from an individual. Therefore you should maintain the following records:

  1. Who consented — the name of the individual or another identifier.
  2. When they consented — a copy of a dated document or online records that include a timestamp.
  3. What they were told at the time — a master copy of the document or data capture form containing the consent statement in use at that time, along with any separate privacy policy, including version numbers and dates matching the date consent was given. If consent was given orally, your records should include a copy of the script used at that time.
  4. How they consented — for written consent, keep a copy of the relevant document or data capture form. If consent was given online, for example via a form, your records should include the data submitted as well as a timestamp to link it to the relevant version of the data capture form. If consent was given orally, you should keep a note of this made at the time of the conversation. It doesn’t need to be a full record of the conversation.
  5. Whether they have withdrawn consent — and if so, for what and when.

 

What about fraudulent consent, or cases when a customer will deny that he has given consent?

If you can show consent and the required details, you cannot be held as noncompliant if someone fraudulently signed someone else up. In this instance, you would simply remove that data on request to be forgotten. The regulators are NOT going to fine companies for such singular small issues. They do not have the time or resources. GDPR in this case simply protects the citizen by putting the law behind them to fix any such instances.

We will also likely see flaunting of laws from foreign entities as we see today with phishing emails, scam phone calls from abroad etc. The GDPR game is to do what you can and follow best practices so that your house is in shape and you can prove it if asked.

 

Data

Are there specific requirements for data portability?

When it comes to data portability, you have to be able to give all the data that was provided by or observed from the data subject.

 

Do the data properties of someone’s computer, like login/logout, fall under profiling and require opt-in?

As an individual, I’d want to know in what situation the logs are being recorded. Again, consent is not the only thing that allows you to process personal data. There’s also legitimate interest. If the logs are done because the data subject is a customer or you have another reason that qualifies as “legitimate interest”, then consent is not needed. If the login is to develop a profile and if you keep a classification of login/logout and send push notifications based on that, then that’s profiling. So why are you tracking logins?

 

Profiling has two parts: 1) automated processing that puts the user in a classification and 2) what the automated processing will be used for. Being able to see data subject interest or behavior will allow you to see the next behavior.

 

We’re a U.S.-based SaaS company that has a membership database for organizations. What if our customers capture personal data independent of us, but it’s stored in our systems?

Cloud providers are usually considered data processors regardless of whether they can see or enter personal data. You’ll have to look into the case law and guidelines to see if you’re a data processor or controller, but most cases show that any cloud service provider is a data processor.

 

If we get consent to transfer data to a partner, but the partner breaches GDPR, are we responsible?

It depends who’s the data controller. If at the time of the processing, you were not under the orders of the person to which you transferred, this could be a relationship between data controllers. In this case, you would not be liable. However, if you are the data processor or controller, as you would be if the partner asked you for the data and you collected it for the partner, you would be jointly liable under GDPR.

 

Is geolocation data considered personal if anonymized?

Not if you do anonymization that can’t be reversed. If you are holding indexes that can link the geolocation data back to personal information, it’s personal data. If the personal data is deleted, then it’s actually anonymized and compliant.

  

General and Administrative

Is there a certificate for compliance? Our customers are asking for this.

There is no GDPR certificate. There are some guidelines that will allow some quality standards, like an ISO. Likewise, there is no certificate available at this point for a product or a cloud service. While there is no current GDPR certification, there are plans to include it in other certifications.

There is an alternative way to look at this, which is PCI compliance for payment providers. It isn’t exactly GDPR but has – at its foundation – the same mechanisms. It proves the partner is compliant as far as payment data is concerned and that the partner has a solid base for GDPR compliance.

 

Regarding existing employees’ contracts, does the HR department need to update them or add an appendix with clauses about GDPR requirements?

It is key that HR reviews the employee handbook for any changes needed. Often much will already be covered due to prior data protection law needs anyway. Ideally, this is not in employee contracts, but you will have contracts that refer to the employee handbook, so simply updating the handbook and alerting employees to the central update would be enough. It is recommended, though, that all staff go through a training session on GDPR and their obligations and sign a form to go on file that they attended training, so as a business you have ticked that box.

 

Do you have guidance on how to structure a GDPR statement of compliance or Boilerplate?

There are some good online examples such as at Econsultancy AND reading at ICO.  This article may help as well.

 

Does GDPR only relate to electronic data or does it apply to paper records too?

GDPR mostly talks about electronic examples; however, it applies to all citizen or individually held data in any format. It is true that GDPR is harder to do with paper records, e.g., if someone asks to be forgotten, you need to find that data in files of paper records.

 

One question on the maximum fine for small companies. We’ve heard 10-20 million Euro, and also 2-4% of annual global turnover. For a small company (less than 20 million Euro annual turnover), is the maximum fine the smaller or larger of these two?

The maximum fine is defined as the larger of the two. If you are able to show a documented GDPR effort that you have done all you feasibly could to comply and protect data, then in the case of a breach, the authorities will look more favorably in the fine they apply. If you are negligent, have done nothing and hence caused the breach—i.e., the worst possible scenario—then the fine applied is likely to be on the higher side.

Don’t forget that under the new laws, citizens whose data has been affected can also take civil action for damages, which was not easy to do before!

 

Gray Areas

Profiling also covers behavioral advertising. If I use AdRoll or another program to target ads on my site, that’s profiling. Do I have to get consent before doing this?

That’s a gray area. What determines the use of data isn’t just consent—you have to have a good reason for using data. You have to be able to say, “I did the right thing based on everything I could have known to do. I didn’t knowingly breach anything”. As long as you can say that, you may be safe.

 

Where in GDPR is it written that you have to notify the DPA about your DPO?

See section 2.5 (page 12) of the DPO guidelines. It may be that in different regions this varies as the GDPR is a legal foundation, and different countries are adding slight nuances to it. Also related to DPOs, a good example outline is here. Many smaller firms are using consultancy DPOs as external specialists, for example www.assuredata.eu.

 

Conclusion

In general, remember that showing that you have done all you possibly could to be GDPR compliant and applied best practices is the key. As mentioned in the webinar, no one can be perfect on GDPR. The goal is to have done what is feasibly possible and to have put processes and policies in place, so that anyone checking would say “makes sense” and “good enough”: you did what you could and what we would ask you to do.

 

We hope that the GDPR webinar and the answers to these questions have helped you understand GDPR a bit better as you journey toward compliance! If you still have questions, ask us in the comments.

GDPR compliantes for software and saas

0.00 avg. rating (0% score) - 0 votes
Vote:
0.00 avg. rating (0% score) - 0 votes

Delia Ene

Communications & AR Senior Manager

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.