Before getting into the GDPR Compliance Checklist For SaaS let’s understand why the need for it has arisen.

There is a tonne of material on the General Data Protection Regulation (GDPR) and several organizations and people claiming to be experts and throwing around advice. There is an overwhelming amount of information regarding this topic because of the foreseeable enforcement of GDPR in sight.

We want to condense all this information into a point by point checklist to help companies keep track of what they have done and what still needs to be done. So this time around, we are focusing on the Software as a Service (SaaS) industry.

First, it is important to understand that for SaaS companies a lot of these processes can be automated but it is not really necessary to do that. You need to take stock of the costs of automation or manual labor and need to decide accordingly what works for you.

Here are the rights of the Data Subjects (client/customer/user/employee in layman terms) that you need to preserve:

  • The right to erasure (the right to be forgotten/deleted from the system),
  • The right to the restriction of processing (you have to restrict the access to the data and cannot do anything with it without further consent of the user
  • The right to data portability (provide the possibility to your users to download a machine-readable, exportable file of their data you have collected and processed)
  • The right to rectify data (have an edit button for data fields)
  • The right to be informed which means you need to get rid of those long terms and conditions and provide this information in a way that is clear and concise

Here you can read the 10 Critical Steps to General Data Protection Regulation (GDPR) for SMEs that highlights the principles that you need to keep in mind.

GDPR compliance Checklist Dos:

1. Create and agree with data protection goals – Article 5

This essentially means that you need to conceptualize, write down and declare your data protection goals. You can find a pre-made template for this on ECOMPLY.io or if you are not a customer: download it here.

2. Appoint an internal DPO with no conflict of interest – Article 37

This can be anyone in the company who is aware and informed about the GDPR. The person should sign a document accepting the responsibilities and should remain impartial when it comes to questions of GDPR implementation.

3. Make a cookie policy – A perfect way of showing cookies – Article 7

Here’s the right way to go about it: https://www.cookiebot.com/en/cookie-declaration/ It has been enough till now to display that common “we use cookies” warning, however, the GDPR changes that. From the GDPR perspective, cookies essentially means you are collecting user data and need to make sure that you have legal grounds for it.

4. Add ‘cookiebot.com’ consent – Article 7

5.Update your privacy policy – Perfect Privacy Policy Article 12:

Example of short form of Privacy Policy

6. Add features list

  • Consent box and record with it the Privacy Policy version – Article 7
  • Right to edit or modify feature – Article 16
  • Right to delete or forget – Article 17
  • Right object of processing & profiling feature – Article 21 & 22
  • Right access (I want to access all my data i.e. export & import feature) – Article 15
  • Right to stop automated profiling – Article 18 & 23
  • Have double opt-in on a newsletter, lead magnets & sign up – Article 7
  • Automatic deleting or provide a timeline to delete the data feature to your users – Article 17
  • Consent checkbox on your contact form as well – Article 7

7. Create records of processing activities and maintain it:

ECOMPLY.io helps with it. You can also read our step by step blog on how to take this item off your GDPR compliance checklist.

8. Ask your third-party vendors to be compliant i.e suppliers and subcontractors:

This includes basically every software and service you are using. ECOMPLY.io helps you by giving you a list of common vendors and allowing you to add your custom ones.

9. Technical Measures for IT: 

  • Add anonymization or pseudonymization if a user is no longer using your system
  • Add encryption in your system
  • Have authentication mechanisms for modifying data
  • Double authentication or 2 step verification
  • Focus on data minimization if you don’t need it
  • Show the system has a strong backup and data can’t be lost
  • Web Application Security such TLS, SSL
  • Data Centres and its protection. It should be in Europe or US mostly (if possible)
  • Encrypted passwords for all the systems
  • Internal hard drive or cloud drive should be protected and have a different access level

10. Organizational Measures: 

  • Educate your team about the privacy and data protection
  • Physical access to your office should always be protected with keys
  • Laptop and other devices of the staff should be protected as well.

11. Sales & Marketing:

  • Take consent in all your marketing magnets and contact form and record it
  • Inform customers about your CRMs, automatic tools, and analytics tool
  • Always have an opt-out button

12. Data Processing Agreement:

As a SaaS Vendor, you should be able to provide a data processing agreement on behalf of your customers and promising technical measures to protect their data. ECOMPLY.io will help you with that.

13. Human Resources (HR):

Have different level controls for each staff. Not everybody should have access to all the system.

GDPR compliance Checklist Don’ts:

  1. Don’t assume your vendors are compliant
  2. Don’t assume that privacy shield or ISO 27001 already makes you compliant
  3. Don’t write a cold email to customers a cold email on their personal email
  4. Don’t assume, documentation will save you. Actually, do those changes
  5. Don’t keep your laptops open in an open space and people can see those data
  6. Don’t assume it is a one-time project. You need to keep making sure that your documentation is correct and updated. Also, you follow all those guidelines and check frequently.

If you are still confused about the GDPR and don’t know where to start, just book an appointment with us for an informal chat.