10 GDPR questions answered for SaaS Companies

In the last few days, after our Product Hunt launch, we have received questions from people who are curious about the process of compliance. How do you start as a SaaS company? What are some of the things to keep in mind? Since the GDPR will be enforced this coming May, we see a lot of companies scrambling to comply. We thought that an example of a company that is in the final stages of GDPR compliance would help. So we caught up with Woodpecker.co to find out what they have done, how they have done it and what they think could have helped them in the process. We started with the basic GDPR questions and built our way up to all the others.

1) How did you get started with the GDPR?

We’re based in Poland, so we heard about GDPR pretty soon. We’ve tried to keep abreast of the news since the moment we heard about the changes. So, we can say that we began by keeping an eye on the discourse around GDPR.

2) What were your first steps? Please feel free to mention your steps

First, we read the whole regulation. In my opinion, there should be one person at every company who has read the regulation from start to finish. It helps a lot, especially since there’s a lot of panic around GDPR as well as around the implications that may follow from it. Reading the whole thing clears things up for you.

Then, we found a couple of GDPR conferences. One of our colleagues, who we appointed as Data Protection Specialist, took part in those conferences and shared what she learned with the rest of us. She prepared small presentations for every department: Office Management, Sales, Marketing, and told us how GDPR will affect our work. Her input was invaluable.

We updated our Policy and Terms of Service. We reviewed our signup forms for our newsletter, downloadable marketing content and the app itself.

Then, we researched how other companies were preparing for GDPR. We decided to let our customers know what we were doing for GDPR. That’s how we created the page. It’s made to inform our customers and subscribers how we’re handling things.

3) How did you change your email marketing for the GDPR?

The first step we took was to make sure our signup forms were easy to understand, as it is one of the requirements of GDPR. The signup forms should be free of any jargon or long-winded sentences. The signees should know what they subscribe to.

The subscribers should feel their personal data is secure when they give it to us, and that they are in full control of it. Of course, they can unsubscribe from our newsletter or update their data at any point. We have made sure it’s easy for them to do that.

GDPR also calls for data limitation, collecting only the kind of personal data that’s essential. It has always been the case when it comes to our marketing communication. We don’t collect more data than necessary to send a newsletter. For instance, we’re not going to call our newsletter subscribers, thus we don’t collect phone numbers.

Next, we took care of the signatures that come at the end of our newsletter emails. We made sure all the information that anyone would need is there. We’re working on a short notification that would inform newsletter subscribers that they received the email because they subscribed to the blog.

4) What are 10 simple changes & advice for a marketer who is reading this blog?

  1. Don’t panic. GDPR wasn’t made to kill all of your marketing activities. It was written to protect the rights of consumers. Not to harass marketers or make their job harder.
  2. Don’t trust everything you’ve read about GDPR. A lot of stuff out there is just somebody’s interpretation of the regulation. Learn to separate the wheat from the chaff.
  3. Appoint one person at your company who’ll review the way personal data is being handled. Are you sure you know what happens with the data? Who has access to it? Is the process secure? If you have no idea, it’s time to come up with a plan to make it as secure as you can.
  4. Review opt-in forms. All opt-in forms should be short and easy to understand. They shouldn’t be written in fine print nor should they be in hard-to-see colors.
  5. Ask for the information you really need. GDPR stresses that the personal data you collect should be adequate and relevant to the purpose of its processing. So don’t ask for the company address if you’re not going to mail the company anything.
  6. Keep your database clean. Do the major cleaning of your contact lists from time to time. If you don’t know how the subscriber ended up on your list, it’s better to either delete them or ask them whether they want to opt in for your marketing communication. Similarly, if a person unsubscribes, cross them out.
  7. Be transparent - Tell your subscribers in what ways you’re going to process their personal data. GDPR calls for transparency. The customers and newsletter subscribers should understand in what ways you’re processing their personal data and what kind of data you keep.
  8. Keep your word - if you say you’re processing personal data to send them a weekly newsletter, don’t send email twice a week. If you say you delete them from your list, do that. Now it’s even more important to keep your word.
  9. Learn how GDPR is interpreted in your own country. EU member states differ in their interpretation when it comes to the regulation.
  10. Inform your newsletter subscribers and customers about what you did to be GDPR compliant. We still receive some questions about whether we think App A or B is GDPR compliant. And we can’t say unless that company has released a GDPR statement.

5) How long did it take for you guys to be GDPR compliant?

To be honest, we’re at the finishing line. We still need to polish a thing or two. We’re sure to announce it within a week or less. We’ve been working on it for a couple of months, because we process our users’ personal data and our users process personal data of prospects. We need to work our way through GDPR compliance.

6) What piece of advice would you give to the readers who are starting now?

Don’t try to do everything at once. It might be overwhelming, especially since there’s a lot of contradictory advice on the Internet. Start with baby steps. That’s how we came up with the idea of creating a GDPR checklist available on our blog. If you don’t know what to do, take a lawyer’s advice. But I’m sure you’ll manage to take care of GDPR compliance on your own.

Start by thinking about what data you collect and where from. It is not only the pillar of conducting a risk assessment. It will also help you realize what kind of data security policy you need.

Change the way you think about GDPR. It isn’t a policy that covers mistakes in the current system but a policy that showcases how the system works.

7) Would a step-by-step and simple to use GDPR solution make sense if people are starting now?

That would be even better. I think the compliance took so much of our time because we didn’t have everything in one place. Had we had a solution to keep our work organized, it would have taken far less time to become GDPR compliant.

8) How much did you hate using spreadsheets for the GDPR?

We have the GDPR documents scattered around, because there is a lot of information to keep an eye on. Likewise, we have had to review our database and do everything in our power to secure the personal data of our users and newsletter subscribers. It got really hectic. If we had an app or something that would keep everything under one roof and let us collaborate, we’d be thrilled.

9) You mentioned here - "make a list of all the in-app areas that need to be taken care of to comply with the regulation (COMPLETED)" - What were those changes?

As a sales automation tool, Woodpecker is both data processor and data administrator. We process personal data and allow our users to process personal data of their prospects. That’s why we needed to review how we process personal data and how others can process personal data in the app. We need to be cautious about our users’ data. And we need to make it possible for our users to process the personal data of their prospects in a way that is GDPR compliant.

10) Do you have an example of a cold email you write to your business contacts based on the GDPR who have not opted in?

An email body doesn’t change much from what it was before. There are two things that need our attention when writing a cold email though. The first thing is having a tightly targeted list of prospects. A spray-and-pray approach has never been effective, but now it’s illegal under GDPR. When we decide to send somebody a cold email, we should be able to justify why we chose a specific person to be on our cold emailing list. Our business statute should be tightly connected with theirs.

The other thing is that we should be transparent. We should include information, or at least be prepared to give it when asked, that we’re processing our prospect’s personal data and that prospects can opt out from receiving further emails from us any time they want. We have an example of that in our article about GDPR.

You can check out Woodpecker.co right here!

If the answers to these GDPR questions have left you confused about how to start your compliance process, or if you find yourself drowning in heaps of Excel sheets, book a free demo with us!

ECOMPLY is a GDPR compliance management software that assists in building and maintaining compliance documentation. Check out our website or contact us for more information.

Hauke Holtkamp, CEO ECOMPLY GmbH