Upgrade to Pro — share decks privately, control downloads, hide ads and more …

GDPR: Practical Advice for SaaS Companies

GDPR: Practical Advice for SaaS Companies

GDPR enforcement starts on May 25. There’s no shortage of advice out there about complying with GDPR, but little of it seems actionable for SaaS companies. With little more than a week left before enforcement, it’s time to ensure you are prepared.

We’ve learned a lot about GDPR, both through our own compliance efforts as well as by helping dozens of other companies complete their own prep. During this one hour webinar, we’ll provide practical, actionable steps so that your company can actually become GDPR compliant in time for enforcement. We’ll cover:

* How to deal with the requirements around consent for setting cookies or collecting and using personal data, and how these impact your analytics and marketing
* Ensuring you have the correct lawful basis for processing personal data
* Hiring or appointing a data protection officer to establish a governance structure for data protection
* When to sign Data Processing Addendums (DPAs) with your vendors
* The best resources and tools for ensuring you achieve compliance and maintain it



May 16, 2018


  1. None
  2. • Regulatory attorney + software developer + CIPP/E • Helped

    hundreds of software companies implement compliance and data protection programs w/ Gridiron Who am I? Chas Ballew CEO and co-founder Aptible
  3. • We help software companies build data protection programs •

    Meet requirements for ISO 27001, SOC 2, HIPAA, HITRUST, GDPR • Get in touch: hello@aptible.com About Aptible
  4. Join us on Slack to talk GDPR! http://get.aptible.com/gdpr-slack

  5. • We are recording the webinar • We’ll send an

    email followup to registrants with the recording, slides, and transcript • During the webinar, use the Q&A functionality within Zoom to answer questions, and we’ll answer as many questions as possible during the webinar Logistics
  6. We’ll cover: 1. A brief history of EU data protection

    law, and how it set the context for GDPR 2. The structure of GDPR and the basic requirements 3. What GDPR means for running your SaaS business 4. A very brief overview of how to think about standing up a data protection management program Objectives
  7. Background & Context

  8. EU Data Protection History 1948: UN Universal Declaration of Human

    Rights (UDHR) adopted 1950: European Convention on Human Rights 1951: Treaty of Paris - European Coal and Steel Community 1957: Treaty of Rome - European Economic Community 1970: der Hessisches Datenschutzgesetz 1973: Swedish Data Act 1970s-80s: More national data protection laws 1980: OECD Guidelines 1981: Convention 108
  9. EU Data Protection History 1992: European Union established 1995: Data

    Protection Directive 2000: EU Charter of Fundamental Rights 2002: ePrivacy Directive 2012: GDPR proposed 2016: GDPR finalized 2018: GDPR effective 2019(??): ePrivacy Regulation
  10. What is the GDPR?

  11. Two goals Protect people Free movement of data

  12. GDPR Scope Material scope: personal data + Territorial scope: •

    Establishment in the EU, or • Targeting, or • Profiling
  13. Principles • Lawfulness, fairness and transparency • Purpose limitation •

    Data minimisation • Accuracy • Storage limitation • Integrity and confidentiality • Accountability
  14. Lawful bases • Consent • Contract performance • Legal obligation

    • Vital interests • Public task • Legitimate interests
  15. Data subject rights • Transparency • Access • Rectification •

    Erasure • Restriction • Portability • Objection • Free from automated decisions that affect rights
  16. Erasure Portability Objection Consent ✓ ✓ withdraw Contract performance ✓

    ✓ X Legal obligation X X X Vital interests ✓ X X Public task X X ✓ Legitimate interests ✓ X ✓
  17. Operational requirements • Accountability • Data mapping + use records

    • Privacy policy/statement • Contracts w/ processors • Security management program • Breach notification • Data protection officer • Workforce training • Transfers to third countries • Appoint EU rep, if not in EU
  18. Liability and Enforcement • Article 83: Big potential administrative fines

    • Article 58: DPA powers include injunction: stop all processing • Article 82: data subject right to sue, joint liability + indemnification
  19. SaaS Company Functions

  20. Marketing and Sales • Direct marketing ◦ Tactics ▪ Web

    analytics, cookies, and consent ▪ Email analytics, tracking, and consent ◦ Buying leads • Suppression source of truth • Vendor management
  21. Product Design and Engineering • Controller vs processor? • Data

    protection by design and by default ◦ Logs and scope of PII across infrastructure ◦ Profiling/tracking - 1st vs 3rd parties ◦ Location data ◦ Data retention ◦ Encryption ◦ Pseudonymisation
  22. Support + Customer Success • Newsletters and the exception to

    “opt in” • Customer data in support systems • Product research and consent
  23. Human Resources and Recruiting Before employment: • Applicant tracking •

    Background screening • Employment contracts • Contractors During/after employment: • Productivity software • Employee monitoring • Data subject rights • Employee record retention
  24. How to Get Started

  25. Data Protection Management 101 • Establish governance • Identify requirements

    • Track data, assets, and uses • Make a plan • Analyze risk • Train your workforce • Measure and monitor
  26. We discussed: 1. A brief history of EU data protection

    law, and how it set the context for GDPR 2. The structure of GDPR and the basic requirements 3. How GDPR affects various SaaS company functions 4. Data protection management 101 Recap
  27. Q&A Use the Q&A functionality in Zoom

  28. Thank you! Slack Community: https://get.aptible.com/gdpr-slack My email: chas@aptible.com