The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, and despite being a European Union regulation, its effects are far reaching, as we’ll explain below. Regardless of where a company is based, it is subject to GDPR if it collects “personal data” from a person physically located in an EU country, provided the collection relates to offering goods or services or monitoring their behavior. Thus virtually any website that collects data would be subject to GDPR. Many SaaS organizations may feel overwhelmed by these new regulations or unsure of how they will (or won’t) apply to them.
Despite the flood of information that’s been published about the new regulation, many SaaS companies are still unclear about what GDPR means for them, so in this post, we have provided a brief definition of the GDPR followed by five key points you should be aware of.
What is GDPR?
GDPR is an update to the data protection directive of 1995 (Directive 95/46/EC) and is designed to harmonize data privacy laws across Europe. Enacted by the European Parliament, the Council of the European Union, and the European Commission, the regulation was adopted in April 2016. The two-year transition period that ends this May has given companies time to prepare for enforcement. The mandate aims to empower individuals within the EU to regain control over their personal data and to reshape the way organizations across Europe approach data privacy, while also addressing the export and use of data by organizations outside the EU.
1. GDPR’s reach is global.
Think GDPR doesn’t apply to you since you’re not based in Europe? Think again! The mandate is applicable to any organization, regardless of location, that processes or stores the personal data of EU data subjects. This means that if you process data from a user physically located in an EU country (e.g., someone browsing your website), you’ll need to comply. The regulation only applies to processing related to offering goods or services, or monitoring a person’s behavior. Thus simply tracking a user’s browsing behavior could be subject to the rule. GDPR is vital both for maintaining the customers you already have and for gaining entry into the European market in the future.
2. Failure to comply will be costly.
One of the main reasons GDPR has garnered so much attention centers on potential liability and steep fines for non-compliance. Any individual who suffers “material or non-material damage” as a result of a violation has the right to compensation from the offending party. In addition, administrative fines can be levied, depending on the nature and severity of the breach, as follows:
- Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher
- Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year
Either tier would be enough to scare most SaaS companies into compliance. While not every violation warrants financial penalties, other individual countries also have the ability to impose sanctions on non-compliant organizations that could include permanent or temporary bans on data processing, orders to erase data, and the suspension of data transfers to third countries.
3. Countries can create their own legislation.
While GDPR is supposed to harmonize regulation across Europe, each EU member state is awarded some degree of flexibility based on certain special conditions, such as those concerning national security, crime prevention, and economic and financial interest. Germany was the first to introduce national legislation last summer with the German Data Protection Amendment Act. Despite Brexit, the UK has come out with its own Data Protection Bill which adopts GDPR standards, will operate in tandem with GDPR until Brexit is complete, and will continue to apply GDPR standards thereafter. So, not only will it be necessary for you to keep up with GDPR itself, you will also need to familiarize yourself with the complexities of national legislation wherever you or your customers do business or where your customers are located.
4. You may have to hire a data protection officer (DPO).
Article 37 of the GDPR lays out three instances in which you must appoint a data protection officer (DPO) to oversee your organization’s GDPR compliance:
- If you are a public authority (except for courts acting in their judicial capacity);
- If you carry out large scale systematic monitoring of individuals (for example, online behavior tracking); or
- If you carry out large scale processing of special categories of data or data like that relating to criminal convictions and offences, race, ethnicity or religious beliefs.
“Large scale” is not clearly defined by the regulation, but there are, no doubt, many SaaS companies to which this rule applies. A current employee can take on the role, but he or she will have to report to the highest level of management at your organization and should have professional experience and knowledge of data protection laws.
5. Breaches must be reported quickly.
GDPR requires that personal data breaches be reported to the data subject or the supervisory authority within 72 hours, so you’ll need to have the right monitoring tools in place to be sure you catch breaches quickly. A comprehensive intrusion detection platform can monitor against GDPR-specific rule violations for your cloud infrastructure, send real-time alert notifications, and aid in the investigation of each incident with event correlation intelligence.
Help is near.
GDPR is one of the most stringent frameworks we’ve seen, and it’s easy to feel overwhelmed by its requirements. Fortunately, a comprehensive intrusion detection platform like Threat Stack can help you achieve, demonstrate, and document compliance with GDPR, as well as other compliance frameworks such as PCI, HIPAA, SOC 2, and ISO 27001. Check out our GDPR microsite to learn more about how Threat Stack can get you up to speed.
Also, free free to download the following ebooks prepared by Schellman & Company for additional information and guidance on GDPR:
Are You GDPR Ready?
GDPR requirements include reporting a breach within 72 hours; join our webinar to learn more.