Don't Get SaaS'd: Contractual Tips For In-House Counsel Regarding GDPR Compliance (Part I)

How can in-house counsel (or outside counsel) effectively implement GDPR requirements? Follow this advice.


By now, most of you have heard of the General Data Protection Regulation (“GDPR”) and are anywhere from somewhat to deeply familiar with its requirements, and since it becomes effective on May 25, 2018, you had better be at this point.  A comprehensive update to the European Union’s Data Protection Directive 95/46/EC, the GDPR substantially increases the rights provided to individual “data subjects” in the EU.  Given the global reach of the internet, however, the GDPR also has extraterritorial application that reaches all the way to the U.S.… and into your software agreements as a result.

For companies that provide products as software-as-a-service (“SaaS”), the GDPR’s impact is all too real.  The EU and U.S. approach the privacy of personal information differently, which is a big part of the problem.  Since the advent of the internet, the U.S. has approached personal information in a much looser fashion than the EU, permitting companies to compile personal information from website users so long as the company’s online privacy practices were disclosed and outlined in a posted privacy policy.  Although there are some federal statutory restrictions on the collection, use and disclosure of certain types of personal information (such as under the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act) and under certain state statutes, there is no comprehensive federal statutory approach to the privacy of personal information.  Such information can be collected without the specific consent of the individual at the outset, subject to specific notice, consent, onward transfer, and other requirements after the fact.

The EU has taken a different approach — it acknowledges that “personal data” is owned by the individual, and the individual must provide informed consent to the use of such personal data.  In essence, the data subject “licenses” the use of such personal data once informed consent is given, and can also revoke such consent at a later time.  In fact, data subjects enjoy a “right to be forgotten” under the GDPR that requires a company to completely erase such personal data and certify to the data subject that it has done so.

There are other components of the GDPR that are equally impactful, such as the requirement that every data controller notify the appropriate “supervisory authority” of a “personal data breach” within 72 hours.  Consistent with its piecemeal approach to the privacy of personal information, the U.S. has no federal data breach law that defines what constitutes a data breach or the timeframe within which notice must be provided.  Such legislation has been left to the states, not all of which have enacted laws addressing data breaches and notice, and for those that have, the requirements are widely disparate.


U.S. companies that provide SaaS solutions to their customers should have started long ago to implement policies and procedures that address these challenges, with an eye toward continuity with their existing SaaS agreements with customers.  Those that haven’t (or may not know they need to) need not abandon all hope, but they definitely need to get moving!  Where a company provides SaaS solutions to individuals, or to companies whose employees qualify as “data subjects” under the GDPR, the GDPR requirements will apply to those customers.  Further, all such companies need to address compliance through technical solutions, procedural mechanisms, or a combination of both.

So what is a company with a SaaS solution to do regarding the GDPR?  There are lots of open questions regarding compliance, and the application of the GDPR to such businesses requires tailored review and solutions that depend upon how personal data is processed, accessed and stored.  That said, there are a number of things every company with SaaS solutions should do once it finds that GDPR compliance is required.  Commensurate with the breadth of the GDPR, the list goes beyond a single article.  So… the best place to start is with a systemic approach that sets the foundation for compliance (Part I), which in turn supports the specific contractual considerations in SaaS master service agreements that should be revisited (Part II), and the specific policies that may need to be addressed to fully implement GDPR compliance, such as privacy policies, data security policies, and data retention policies, to name a few (Part III).


For any SaaS platform, effective legal compliance can only occur when an appropriate foundation for compliance exists.  With this in mind, every company providing SaaS solutions should, at a minimum, do the following:

Engage in Data Mapping.  I realize that this seems like a difficult task (and for some companies, it may be), but it is a necessary step for a number of reasons.  The most obvious is that a company cannot engage in meaningful GDPR compliance if it has little understanding of how its data maps to “data subjects” in the EU.  It is equally important to understand the processes currently in place that collect and store such data — once these are understood and mapped, the company not only gains an understanding of its data collection mechanisms and practices, but can then adopt new ones or modify existing ones for EU data subjects accordingly.  On more than one occasion, I have witnessed clients uncover aspects of their practices that they found could be improved overall, and so the exercise turns out to be one of real utility (and not futility).

Know Where Your Backups Reside.  As part of any data mapping exercise, it is important to know where your backups reside, for a multitude of reasons.  First, the GDPR requires “data controllers” (the person who determines the purposes and means of the processing of personal data) as well as “data processors” (the actual processors of such personal data) to comply, so to the extent third-party processors are being used (and they usually are), there needs to be an appropriate understanding of the risks and responsibilities between the parties regarding the “processing” of personal data.  As noted earlier, data subjects must consent to the collection, use and disclosure of such personal data, and understanding where all of the personal data resides (backups included) is essential.

Establish (or Modify) Processes to Address Consent, Data Security, Retention, and Transfer.  A core requirement of the GDPR is obtaining informed consent to the collection and use of personal data.  Building upon the data mapping results, companies must establish processes that outline their practices regarding the collection, use and disclosure of such personal data so as to obtain actual informed consent.  Further, procedures must be implemented to address data security at the data level — in this case, revising data breach incident response plans to address the GDPR’s disclosure requirements so that the necessary procedures are in place.  Moreover, the “right to be forgotten” forces technical implementation of procedures that specifically address modification to (or deletion of) personal data for specific data subjects, especially when a contractual relationship is terminated.

Although the above tips are not exhaustive, they provide a decent outline of the technical and procedural steps that companies providing SaaS solutions should take to set the appropriate foundation for in-house counsel (or outside counsel) to effectively implement GDPR requirements.  Granted, the above elements are not inherently legal, but believe me, they set an essential foundation for the contractual considerations I will be outlining in Parts II and III of this series.  Without them, your company (or client) might as well be implementing GDPR compliance on a treadmill — it will feel like you’re moving somewhere, when in fact, you haven’t moved at all.

Tom Kulik is an Intellectual Property & Information Technology Partner at the Dallas-based law firm of Scheef & Stone, LLP. In private practice for over 20 years, Tom is a sought-after technology lawyer who uses his industry experience as a former computer systems engineer to creatively counsel and help his clients navigate the complexities of law and technology in their business. News outlets reach out to Tom for his insight, and he has been quoted by national media organizations. Get in touch with Tom on Twitter (@LegalIntangibls) or Facebook (www.facebook.com/technologylawyer), or contact him directly at tom.kulik@solidcounsel.com.