GDPR guide for SaaS companies expanding into EU & UK markets 

November 28, 2024

In our GDPR Guide for SaaS companies, we look at the key factors that SaaS businesses need to address to ensure compliance with EU and UK data protection laws. For the purposes of the guide, we use the General Data Protection Regulation (GDPR) as a collective term, but please be aware that there are certain differences between the EU GDPR and the UK GDPR, and we recommend that you consult with a privacy professional regarding any specific obligations. 

The European and UK markets offer significant growth opportunities for SaaS companies looking to expand beyond their home territories. With large and diverse consumer bases, these regions are home to dynamic business sectors, both B2B (business-to-business) and B2C (business-to-consumer). 

However, successful expansion into the EU and UK requires more than just understanding local market dynamics and attracting customers. The need to comply with complex regulations can be a significant hurdle. This includes not only industry-specific regulations, such as those in the Life Sciences or Finance sectors, but also broad-reaching ones that encompass consumer privacy rights for all industries. 

As privacy legislation is constantly evolving, it is important that you stay updated with the latest guidelines and remember that data protection and privacy compliance is not a one-time task, but an ongoing commitment.  

Handling the personal data of EU and UK residents: Your responsibilities 

The fundamental purpose of the GDPR is to protect individuals’ privacy and data protection rights. 

What this means for SaaS platforms: 

If you process the personal data of EU and/or UK residents, you must comply with the GDPR’s 7 principles. 

Example: A Canadian company provides a CRM platform for B2B companies. The company is expanding its business into the EU and UK markets and will be storing the personal data of EU and UK residents as part of the business function. Therefore, the company must be able to demonstrate compliance with the 7 principles of the GDPR. 

GDPR Guide for SaaS companies: GDPR's 7 principles

Establishing a lawful basis

Before any personal data can be collected, you need to confirm a lawful basis. This is essentially the legal justification for processing someone’s personal data. Under the GDPR, there are 6 lawful bases. 

The most appropriate lawful basis will depend on the specific purpose of the SaaS platform and can vary with the industry sector and type of processing. 

Example: An automated payroll SaaS platform might use legitimate interests to process personal data (such as employee bank details, tax identification numbers and names), in order to ensure timely payment of salaries. 

It’s important to make the right decision about your lawful basis from the start, as it’s difficult to swap to a different one later. 

GDPR Guide for SaaS companies: 6 lawful bases

GDPR guide for SaaS companies: The key documents you will need for compliance 

A vital part of demonstrating compliance with the GDPR is to have certain contracts, agreements and documents in place. 

Contracts and agreements provide clarity and certainty for both businesses and customers by setting out the specific terms and conditions of processing personal data. 

Here are some of the documents you should prepare, and some of the contracts you may need: 

Privacy policies and notices – These documents are important for ensuring transparency. They should include your company contact details, the types of personal data collected, how the data is collected and what it will be used for, the company’s lawful basis for processing, how long the data will be stored, and any details of transfers to third parties or international organizations. You must also include a notice with the right to withdraw consent if that is your lawful basis. 

Mandatory data processing clauses – These are required if you are outsourcing any data processing to a third party. If you are processing EU or UK data, you must ensure the mandatory data processing clauses are in place with any supplier that will have access to that data. These clauses are usually contained in a Data Processing Agreement (DPA), which sets out the responsibilities and obligations of each party. A DPA should include the purpose of the processing, the lawful basis, security measures, data subjects’ rights, and the duration of the agreement. Other factors may also be required, depending on the specifics of the processing. 

Data sharing agreement – This agreement is used when two or more parties agree to share personal data for specific reasons. It establishes the terms for data sharing and the responsibilities and roles of each party. For example, between a company and a service provider. There is no set format for this agreement, and the details will depend on the scale and complexity of the data sharing. Generally, this agreement includes the purpose of data sharing, the types of data to be shared, the responsibilities of each party, data security, and data protection compliance measures. 

Transfer Agreement (TA) – This is necessary if you plan to transfer personal data outside the EU or UK, even if it has been pseudonymised (i.e. coded data). A transfer agreement is required for most recipient countries and there are certain mechanisms you can use for exporting data (see the following section: Requirements for international data transfers). 

Records of Processing Activities (RoPA) – A RoPA is a document that serves as a central record or inventory of all data processing activities within the business. Although not exactly a contract or an agreement, it is a requirement of the GDPR to maintain records of processing activities. 

This list is by no means exhaustive, and there are other important documents you should have in place, including a data breach policy and a data retention policy. A data protection officer (DPO) will be able to advise you according to your business’s specific circumstances. 

And don’t forget a Data Protection Impact Assessment (DPIA)

A DPIA is a process used to analyse, identify, and minimise the data protection risks of a project or data processing activity. It’s an important tool in helping to achieve GDPR compliance. 

DPIAs are mandatory for any high-risk data processing activities, such as those involving special category data. 

Example: A SaaS platform offers a Healthcare Management system that processes personal data such as health records and genetic data. A DPIA would be required, as this type of data is considered sensitive and high-risk. In the event of a breach, the impact on individuals could be significantly higher than for other types of data due to the sensitive nature of the information. 

But even when a DPIA isn’t explicitly required by the GDPR, it’s a beneficial process to undertake and can help you to identify and reduce your data protection risks. It also promotes a ‘privacy by design’ approach, embedding best-practice data protection processes into the business right from the start. 

Read more about privacy by design

Requirements for international data transfers   

The GDPR imposes strict restrictions on the transfer of personal data outside the European Economic Area (EEA) and the UK. If you are exporting personal data from these territories to other countries (known as ‘third countries’), there are mandated safeguards that must be in place. 

A few countries have been awarded what is called ‘adequacy’, which means their data protection laws are ‘essentially equivalent’ to those of the EU and/or UK and do not require the use of additional safeguards or permissions. This simplifies the process of international data transfers.  

European Commission’s latest adequacy decisions 

UK Information Commissioner’s Office adequacy regulations

GDPR Guide for SaaS companies: Mechanisms you can use for exporting data

Do you need a transfer impact assessment (TIA) or transfer risk assessment (TRA)? And what’s the difference?

A TIA and a TRA are similar types of data transfer risk assessment. TIAs are used for EU personal data transfers, and TRAs are the UK’s equivalent. 

EU transfer impact assessment (TIA) – You need to complete this for EU personal data transfers from the European Economic Area (EEA) to certain third countries when using these mechanisms: SCCs and BCRs. 

Also, organisations transferring UK personal data to third countries can choose to use a TIA. It may be the better option for transfers between the UK and EU. However, you need to check whether the personal data is being transferred within the scope of the EU GDPR or the UK GDPR and choose the most appropriate assessment. 

UK transfer risk assessment (TRA) – You need to complete this for ‘restricted transfers’ of personal data from the UK to certain countries outside the UK when using these mechanisms: SCCs with UK Addendum, UK BCRs, and IDTA. 

When is a TIA or TRA not required?

If a country has been awarded adequacy, a TIA or TRA is not required. 

Also, Article 49 of the GDPR provides several exceptions, called derogations, that allow for the transfer of personal data to third countries without the need for a TIA or a TRA. These derogations are for specific situations and are not intended to be used regularly or as a standard method of transfer. 

Here are a couple of examples of the most common derogations: 

  • Explicit consent – the data subject has explicitly consented to the proposed transfer 
  • Contract – the transfer is necessary for the fulfilment of a contract previously agreed between an organisation and a data subject 

Additional considerations for SaaS platforms in EU and UK markets

In addition to the GDPR, and depending on your business activities, you may also have to comply with EU and UK regulations specific to electronic marketing communications and online tracking. 

The EU’s ePrivacy Directive

This EU Directive was adopted nearly two decades ago, in 2002. Often referred to as the ‘cookie law’ (as it was the first piece of legislation to regulate the use of cookies and digital trackers), it also includes rules about marketing calls, emails, texts and faxes, and directory listings. Any businesses engaging in these marketing methods, or the digital tracking of EU customers, must comply with the ePrivacy Directive. 

Example: A FinTech company based in China provides an online platform for peer-to-peer lending. Wanting to expand into EU markets, the company runs various advertising campaigns and tracks the digital behaviour of potential customers. Therefore, the company must comply with both the EU GDPR and the ePrivacy Directive. This means the company must ensure compliance with the 7 principles of the GDPR, safeguard the confidentiality of communications for its EU users, and comply with rules about tracking and monitoring. Any non-essential cookies on the website must have an opt-in choice.   

Note: At the time of writing, the European Parliament and the Council of the European Union are finalizing the negotiations on the proposed ePrivacy Regulation, which is set to replace the ePrivacy Directive. The new regulation proposes a broader scope with stricter rules for businesses, particularly those operating online. 

The UK’s Privacy and Electronic Communications Regulations (PECR)

This is the UK law derived from the ePrivacy Directive. PECR gives UK residents specific privacy rights regarding marketing calls, emails, texts, and faxes, cookies and similar technologies, and electronic communication security. 

Data Protection Officers (DPOs) 

The best way to achieve and maintain compliance with EU and UK data protection laws is to appoint a Data Protection Officer (DPO). 

DPOs have in-depth knowledge and experience of the various requirements your business needs for compliance with the GDPR and electronic communications laws. 

For some businesses, having a DPO is not only advisable but also a mandatory requirement. Article 37 of the GDPR states that a DPO is required if: 

  • The data processing is carried out by a public authority or body 
  • The core activities of the business involve the regular and systematic monitoring of data subjects on a large scale 
  • The core activities of the business involve the processing on a large scale of special category data or personal data relating to criminal convictions and offences 

However, many businesses choose to appoint a DPO even when it isn’t a legal requirement. 

Outsourced Data Protection Officer (DPO) Services 

A DPO can not only help ensure compliance with EU and UK data protection laws, including advice on best practice with Data Subject Rights Requests (DSARs) and notification requirements, but also manage data protection risks and rights in relation to automated decision making. 

Fostering a data protection culture within your business is the best way to proactively maintain the trust of your customers and stakeholders, fortifying your reputation. 

EU and UK GDPR Representatives

All businesses that fall under the scope of the GDPR and do not have a physical presence within the EU or UK must appoint a GDPR Representative. If you are looking to expand into both markets, you will need a UK GDPR Representative AND an EU GDPR Representative. 

A GDPR Representative acts as a point of contact for supervisory authorities such as the Information Commissioner’s Office (ICO) in the UK, the Commission Nationale de l’Informatique et des Libertés (CNIL) in France, or the Autoriteit Persoonsgegevens in the Netherlands. 

GDPR Representatives are also the point of contact for data subjects wishing to exercise their rights under the GDPR. These rights include the right to access their personal data, the right to correct inaccurate data, the right to erasure, the right to restrict processing, the right to data portability, and the right to object to processing. 

See here for additional information: 

GDPR Representative: Do you need one? 

GDPR Representative Service 

GDPR guide for SaaS companies: Summary

Businesses planning on entering EU and UK markets must comply with the local data protection laws, including the EU GDPR, the UK GDPR, the ePrivacy Directive, and PECR. 

Maintaining a strong reputation for data protection also builds trust with customers and stakeholders, which is an essential foundation for commercial success. 

The best way to achieve and maintain compliance is to appoint a Data Protection Officer (DPO) with the expertise and knowledge to help you navigate the myriad of regulations and requirements. They can help you draft the necessary contracts and agreements you will need, as well as manage international data transfers, and keep you up to date on any jurisdictional changes.


For more news and insights about data protection follow The DPO Centre on LinkedIn
