General Data Protection Regulation (GDPR) is a data privacy law enacted by the European Union (EU). The new standards set for data protection went into full effect on May 25, 2018. The legislation stimulated a new interest in privacy laws in countries around the world  — and it changed the Internet forever. 

GDPR's Global Reach

Although designed for protecting people within the European Union, GDPR has had a global effect on the business world because the mandate applies to any organization that keeps or uses the personal data of citizens of the European Union. This means that it will still affect the UK, regardless of what happens with Brexit, if a British online company has processed or stored personal data in its servers on EU customers. 

Does GDPR Impact SaaS Companies?

GDPR impacts all companies that process or store personal information related to people in the European Union. The mandate does not exempt any business model or industry.  

So, if your user from an EU country uses your SaaS services, they have the following rights:  

• GDPR entitles them to know how, where, and when you are collecting and using their data. 

• GDPR entitles them to know if there are mistakes in their personal data and can ask you to correct those mistakes. 

• GDPR entitles them to ask you to delete their personal data upon request. 

Besides taking measures to protect their data, you must also get their consent to process or store their data. You must use clear and explicit language to explain your data collection procedures, and they must consent to share their data with your company. 

GDPR, however, allows you to refuse to collect, process, or store personal data if you believe this would affect the quality of your services, brand, or marketing campaigns. 

Let us now look at why the EU considered the GDPR necessary and how it limits personal data collection to protect consumers in EU countries.

The Call for Constraints

Buying and selling personal information to marketers, public relations firms, and advertising agencies is a trillion-dollar industry. Tech giants like Google and Facebook earn massive revenue by helping their advertisers target their ideal customers, i.e. people who have shown an interest in products or services similar to those advertisers are promoting.  

Based on this bias, it is unlikely that companies profiting from selling personal data will want to compromise the quality and quantity, or their ability to collect, personal data. So, legislative entities like the European Union considered it necessary to demarcate what information companies can collect from consumers. 

Heavy Penalties for Breaches

The GDPR considers any change, destruction, theft, or loss of personal data breach, and it penalizes companies that don’t comply with their regulations by imposing heavy fines. This includes companies that unintentionally behave unethically. 

For instance, British Airways was fined $230 million for a data breach in 2018 because they did not take sufficient precautions to safeguard the personal information of 500,000 customers. Elizabeth Denham, the Information Commissioner, issued a written statement that the law was clear about protecting personal data. “When you are entrusted with personal data,” she wrote, “you must look after it.”

What Exactly is Personal Data?

Personal data is information unique to a person and that helps identify them in specific ways. 

Personal data includes, but is not limited to: 

• Name 

• Phone numbers 

• Digital addresses, such as emails or websites 

• Physical addresses, such as a residential address or place of work 

• Nationality 

• Date of birth 

• Financial information, such as bank accounts, savings accounts, credit card numbers 

• Personal interests, such as favorite sports teams, political affiliations, religion 

• Social media profiles and posts 

• Race

• Medical health records 

Personal Data Can Be Exploited for Profiteering 

While we could interpret most snippets of personal information as harmless; in an aggregate form, it’s dangerous. Since a corpus of personal data weaves a pattern to sketch out a distinct picture of a person, small groups and large organizations can use these profiles and psychographics to target individuals and profit from their interests and affiliations.  

Dylan Walsh, who authored a Stanford Business article, How Much Is Your Private Data Worth — and Who Should Own It?, details two instances of how personal data can be used to exploit people and corrupt societies. In the first instance, a data breach at Equifax, the credit reporting agency, resulted in the theft of sensitive personal information belonging to about half the population of the United States. In the second, Cambridge Analytica, a political consulting company, used the personal data from 50 million Facebook profiles to benefit Donald Trump’s 2016 presidential campaign. 

The Black Box

Because GDPR affects all kinds of companies, including SaaS companies, they are responsible for maintaining GDPR compliance as well. However, you can never know exactly how a vendor is handling your consumer's data unless you ask, or they publish a policy declaring their commitment to data and privacy protection. Should a vendor have a data breach, you could be considered liable if you had not vetted your vendor list. Compound that by the number of SaaS vendors you're using, including third party plugins for those vendors... it can get tricky to ensure you're maintaing your GDPR compliance. 

The Bottom Line

GDPR affects all kinds of companies, including SaaS companies. It also affects companies working outside the European Union but who have EU customers. If you have a SaaS business, you must ask for personal data in simple language without legal obfuscation and explain how you collect information and why you need it. Your customers have numerous rights related to their personal data, and you also may refuse their business if you believe you can’t protect their information or collecting it would compromise your business interests.

The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only.  Information on this website may not constitute the most up-to-date legal or other information.  This website contains links to other third-party websites.  Such links are only for the convenience of the reader, user or browser; the Zesty.io and its members do not recommend or endorse the contents of the third-party sites.

Readers of this website should contact their attorney to obtain advice with respect to any particular legal matter.  No reader, user, or browser of this site should act or refrain from acting on the basis of information on this site without first seeking legal advice from counsel in the relevant jurisdiction.  Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation.  Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client relationship between the reader, user, or browser and website authors, contributors, contributing law firms, or committee members and their respective employers. 

The views expressed at, or through, this site are those of the individual authors writing in their individual capacities only – not those of their respective employers, Zesty.io, or committee/task force as a whole.  All liability with respect to actions taken or not taken based on the contents of this site are hereby expressly disclaimed.  The content on this posting is provided "as is;" no representations are made that the content is error-free.