The Ultimate GDPR SaaS Checklist
Before getting into the GDPR SaaS Checklist For Leaders, let's understand why the need for it has arisen.
There is a tonne of material on the General Data Protection Regulation (GDPR) and several organizations and people claiming to be experts and throwing around advice. Moreover, there is an overwhelming amount of information regarding this topic because of the foreseeable enforcement of GDPR in sight.
We want to condense all this information into a specific point by point checklist. Therefore, we are focusing on the Software as a Service (SaaS) industry instead of giving a general list for all companies. This list will help SaaS companies keep track of what they have done and what still needs to be done.
First of all, it is important to understand that for SaaS companies a lot of these processes can be automated but it is not really necessary to do that. You need to take stock of the costs of automation or manual labor and need to decide accordingly what works for you.
Here are the rights of the Data Subjects (client/customer/user/employee in layman terms) that you need to preserve:
- The right to erasure (the right to be forgotten/deleted from the system),
- Under the GDPR, there is right to the restriction of processing (you have to restrict the access to the data and cannot do anything with it without further consent of the user
- The GDPR also grants the right to data portability (provide the possibility to your users to download a machine-readable, exportable file of their data you have collected and processed)
- The right to rectify data (have an edit button for data fields)
- There is also the right to be informed which means you need to get rid of those long terms and conditions and provide this information in a way that is clear and concise
Here you can read the 10 Critical Steps to General Data Protection Regulation (GDPR) for SMEs that highlights the principles that you need to keep in mind.
GDPR compliance Checklist Dos:
1. Create and agree with data protection goals - Article 5
This essentially means that you need to conceptualize, write down and declare your data protection goals. You can find a pre-made template for this on ECOMPLY.io or if you are not a customer: download it here.
2. Appoint an internal DPO with no conflict of interest - Article 37
This can be anyone in the company who is aware and informed about the GDPR. The person should sign a document accepting the responsibilities and should remain impartial when it comes to questions of GDPR implementation.
4. Add ‘cookies via any plugin’ consent - Article 7
Below is the example cookie by inc.com
6. Add features list
- Right to edit or modify feature - Article 16
- The right to delete or forget - Article 17
- Right object of processing & profiling feature - Article 21 & 22
- The right to access (I want to access all my data i.e. export & import feature) - Article 15
- Under the GDPR you need to give users the right to stop automated profiling - Article 18 & 23
- Have double opt-in on a newsletter, lead magnets & sign up - Article 7
- Automatic deleting or provide a timeline to delete the data feature to your users - Article 17
- Consent checkbox on your contact form as well - Article 7
7. Create records of processing activities and maintain it:
8. Ask your third-party vendors to be compliant i.e suppliers and subcontractors:
This includes basically every software and service you are using. Moreover, this means that you need to take stock of all your vendors and contact them as soon as possible. ECOMPLY.io helps you by giving you a list of common vendors and allowing you to add your custom ones.
9. Technical Measures for IT:
- Add anonymization or pseudonymization if a user is no longer using your system
- Add encryption in your system
- Have authentication mechanisms for modifying data
- Double authentication or 2 step verification
- Focus on data minimization if you don’t need it
- Show the system has a strong backup and data can’t be lost
- Web Application Security such TLS, SSL
- Data Centres and its protection. It should be in Europe or US mostly (if possible)
- Encrypted passwords for all the systems
- Internal hard drive or cloud drive should be protected and have a different access level
ECOMPLY.io has following technical measures that you need to report. Below is a good example_
10. Organizational Measures:
While it is important to conceptualize these measures, you also need to implement them.
- Educate your team about the privacy and data protection
- Physical access to your office should always be protected with keys
- Laptop and other devices of the staff should be protected as well.
11. Sales & Marketing:
- Take consent in all your marketing magnets and contact form and record it
- Inform customers about your CRMs, automatic tools, and analytics tool
- Always have an opt-out button
12. Data Processing Agreement:
As a SaaS Vendor, you should be able to provide a data processing agreement on behalf of your customers and promising technical measures to protect their data. Consequently, you need to have these agreements with your vendors. ECOMPLY.io will help you with that.
13. Human Resources (HR):
Have different level controls for each staff. Not everybody should have access to all the system.
GDPR compliance Checklist Don'ts:
- All your vendors might not be compliant! Don't assume that they are
- Don’t assume that privacy shield or ISO 27001 already makes you compliant
- Writing a cold email to customers on their personal email is not a compliant way to reach out to them
- Documentation alone will not save you. You need to actually do those changes
- Don’t keep your laptops open in an open space and people can see those data
- It is not a one-time project. You need to keep making sure that your documentation is correct and updated. Also, you follow all those guidelines and check frequently.
If you are still confused about the GDPR and don’t know where to start, just book an appointment with us for an informal chat.