The General Data Protection Regulation (GDPR) imposes new obligations on data processors as well as controllers. As a software company selling hosted or SaaS (software as a service) solutions, there are things you need to think about now, to ensure you comply with GDPR.
1. Get ahead of your customers
If your hosted or SaaS solution processes personal data on behalf of your customers, then GDPR states that those customers should ensure they have a contract with you that includes specific data processing clauses. Some of those clauses go beyond what is required by the current Data Protection Act.
If you don’t get ahead of the game then you could find multiple customers presenting you with their own data processing agreement, and you’ll be spending time and effort negotiating with each customer.
Amend your standard SaaS contracts now to include compliant data processing clauses and put together a data processing variation to existing contracts that you can send out to your current customers.
2. Think about your suppliers
If you use your own sub-contractors to process some of the data in your solution, then the same applies in reverse: you need to ensure that those sub-contractors are subject to the same processor obligations as you. If your suppliers haven’t updated their standard contracts to include this, then you might want to insist they sign up to your own data sub-processor agreement or variation.
Don’t forget that under GDPR, you must get your customer’s consent before passing any personal data on to sub-contractors. This can be dealt with in your SaaS contract.
3. Review your data security
GDPR requires you to have appropriate technical and organisational measures to secure personal data. This is a good opportunity to check that your security standards are up to scratch.
4. Get your records in order
GDPR also requires you to maintain certain records relating to the personal data that you process on behalf of your customers. You should start working out how you are going to structure those records and how you will ensure they are kept up-to-date.
5. Don’t forget about your own employees
When it comes to your own employees, you are the data controller of the personal data you hold for them. This means you need to comply with the full set of obligations in GDPR in respect of your employees. You should read our article: GDPR: Time is Running Out.
How can BHW help?
We can advise you on all aspects of your contracts with customers and suppliers, as well as providing general advice in respect of GDPR compliance.
If you want to discuss any aspect of the GDPR, please contact Matt Worsnop on 0116 281 6235, or email firstname.lastname@example.org.