Before getting into the GDPR SaaS Checklist For Leaders, let’s understand why the need for it has arisen.
There is a tonne of material on the General Data Protection Regulation (GDPR) and several organizations and people claiming to be experts and throwing around advice. Moreover, there is an overwhelming amount of information regarding this topic because of the foreseeable enforcement of GDPR in sight.
We want to condense all this information into a specific point by point checklist. Therefore, we are focusing on the Software as a Service (SaaS) industry instead of giving a general list for all companies. This list will help SaaS companies keep track of what they have done and what still needs to be done.
First of all, it is important to understand that for SaaS companies a lot of these processes can be automated but it is not really necessary to do that. You need to take stock of the costs of automation or manual labor and need to decide accordingly what works for you.
Here are the rights of the Data Subjects (client/customer/user/employee in layman terms) that you need to preserve:
The right to erasure (the right to be forgotten/deleted from the system),
Under the GDPR, there is right to the restriction of processing (you have to restrict the access to the data and cannot do anything with it without further consent of the user
The GDPR also grants the right to data portability (provide the possibility to your users to download a machine-readable, exportable file of their data you have collected and processed)
The right to rectify data (have an edit button for data fields)
There is also the right to be informed which means you need to get rid of those long terms and conditions and provide this information in a way that is clear and concise
1. Create and agree with data protection goals – Article 5
This essentially means that you need to conceptualize, write down and declare your data protection goals. You can find a pre-made template for this on ECOMPLY.io or if you are not a customer: download it here.
2. Appoint an internal DPO with no conflict of interest – Article 37
This can be anyone in the company who is aware and informed about the GDPR. The person should sign a document accepting the responsibilities and should remain impartial when it comes to questions of GDPR implementation.
4. Add ‘cookies via any plugin’ consent – Article 7
Below is the example cookie by inc.com
8. Ask your third-party vendors to be compliant i.e suppliers and subcontractors:
This includes basically every software and service you are using. Moreover, this means that you need to take stock of all your vendors and contact them as soon as possible. ECOMPLY.io helps you by giving you a list of common vendors and allowing you to add your custom ones.
9. Technical Measures for IT:
Add anonymization or pseudonymization if a user is no longer using your system
Add encryption in your system
Have authentication mechanisms for modifying data
Double authentication or 2 step verification
Focus on data minimization if you don’t need it
Show the system has a strong backup and data can’t be lost
Web Application Security such TLS, SSL
Data Centres and its protection. It should be in Europe or US mostly (if possible)
Encrypted passwords for all the systems
Internal hard drive or cloud drive should be protected and have a different access level
ECOMPLY.io has following technical measures that you need to report. Below is a good example_
10. Organizational Measures:
While it is important to conceptualize these measures, you also need to implement them.
Educate your team about the privacy and data protection
Physical access to your office should always be protected with keys
Laptop and other devices of the staff should be protected as well.
11. Sales & Marketing:
Take consent in all your marketing magnets and contact form and record it
Inform customers about your CRMs, automatic tools, and analytics tool
Always have an opt-out button
12. Data Processing Agreement:
As a SaaS Vendor, you should be able to provide a data processing agreement on behalf of your customers and promising technical measures to protect their data. Consequently, you need to have these agreements with your vendors. ECOMPLY.io will help you with that.
13. Human Resources (HR):
Have different level controls for each staff. Not everybody should have access to all the system.
GDPR compliance Checklist Don’ts:
All your vendors might not be compliant! Don’t assume that they are
Don’t assume that privacy shield or ISO 27001 already makes you compliant
Writing a cold email to customers on their personal email is not a compliant way to reach out to them
Documentation alone will not save you. You need to actually do those changes
Don’t keep your laptops open in an open space and people can see those data
It is not a one-time project. You need to keep making sure that your documentation is correct and updated. Also, you follow all those guidelines and check frequently.