In just over a year (25 May 2018), the EU General Data Protection Regulation (the “Regulation”) will replace the Data Protection Act 1998 (“the DPA”) and come into force in the UK. This will be just under a year before Brexit. In any event, the Regulation would still apply to all companies who intend to do business with the EU and handle the personal information of European citizens.
Unlike the DPA, the Regulation imposes a raft of direct statutory obligations upon data processors. Any SaaS provider processing personal data on behalf of its customers will be considered a data processor under the Regulation. Therefore, as a follow-up to our previous blog, we can assist in the process of preparing for the new regime.
Have you reviewed your contracts with customers?
As part of a push for the increased accountability of data processors under the Regulation, the legislation imposes an obligation for the contract between a data controller and a data processor to be written and for it to include certain specific terms, including those set out below. Where the relevant contract is between a SaaS provider and its customer, please note the following:
- The provider shall only process personal data in accordance with the documented instructions of the customer.
- All provider personnel authorised to process personal data must be subject to obligations of confidentiality in relation to that processing.
- Providers must ensure the security of the personal data that they process.
- Providers must agree to abide by the provisions in the Regulation regarding the appointment of sub-processors (see below).
- Processes must be put in place by the provider to assist the customer in complying with the rights of data subjects.
- The provider must (in accordance with the customer’s preference) either delete or return the customer’s personal data upon the expiry or termination of the contract.
- The provider must allow the customer to carry out audits in relation to its processing of customer data.
SaaS providers will therefore not only need to consider whether their existing customer contracts are GDPR-compliant, but will also need to review their standard terms and conditions to make them GDPR-compliant. Practical procedures and internal policies will also need to be implemented or updated by SaaS providers to ensure that they are capable of fulfilling their additional responsibilities to their customers, e.g. further to a request for an audit or in order to provide details of all processing carried out in respect of a specific individual.
Do you have permission for sub-contracting?
Under the new Regulation, SaaS providers will be unable to engage (or replace) a sub-contractor to carry out data processing on their behalf, e.g. a server hosting provider, without prior written authorisation from their customer. The obligations of SaaS providers to their customers must be reflected in their contracts with sub-contractors, particularly given that SaaS providers will remain liable to their customers for the actions or inactions of any sub-contractor.
Do you need to appoint a Data Protection Officer?
The Regulation imposes an obligation upon data processors to designate a specific Data Protection Officer (DPO) within the organisation as part of their accountability programme. Whether this is necessary for a SaaS provider will depend on whether its core activities mainly concern either: (i) the regular and systematic monitoring of individuals on a large scale; or (ii) processing special categories of data on a large scale (e.g. data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, or criminal convictions or offences). If a DPO is required, they will need sufficient expert knowledge to adequately fulfil the role.
Are you under an obligation to notify the controller of any personal data breaches?
Under the new Regulation, data processors must notify data breaches to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours. In some cases, the data processor must also notify the affected data subjects without undue delay.
SaaS providers must either adopt, or refine existing, internal procedures for handling data breaches. Clear policies need to be put in place and internal personnel need to be trained to ensure they are aware of what constitutes a data breach and are able to react promptly should one occur.
Are you aware of the increased penalties for non-compliance?
The Regulation establishes a two-tiered approach to penalties for breach, depending on the nature, gravity and duration of the breach. The ICO has the right to impose fines of up to the higher of 4% of the annual worldwide turnover of the company and €20m for severe breaches, whereas lesser/specified breaches may incur fines of up to the higher of 2% of annual worldwide turnover and €10m.
Of equal concern to a fine is the potential for data subjects to bring claims directly against data processors, such as SaaS providers, for breaches of the Regulation.
The Regulation represents a radical shift in the law for SaaS providers in terms of their accountability for the processing they carry out on behalf of their customers. SaaS providers processing large volumes of personal data on behalf of their customers are particularly at risk of falling foul of the new legislation. If you fall into that category, now is the time to start preparing for the new regime in advance of the May 2018 deadline.