GDPR: Practical Advice for SaaS Companies

GDPR enforcement starts on May 25. There’s no shortage of advice out there about complying with GDPR, but little of it seems actionable for SaaS companies. With little more than a week left before enforcement, it’s time to ensure you are prepared.

We’ve learned a lot about GDPR, both through our own compliance efforts as well as by helping dozens of other companies complete their own prep. During this one hour webinar, we’ll provide practical, actionable steps so that your company can actually become GDPR compliant in time for enforcement. We’ll cover:

* How to deal with the requirements around consent for setting cookies or collecting and using personal data, and how these impact your analytics and marketing
* Ensuring you have the correct lawful basis for processing personal data
* Hiring or appointing a data protection officer to establish a governance structure for data protection
* When to sign Data Processing Addendums (DPAs) with your vendors
* The best resources and tools for ensuring you achieve compliance and maintain it

Aptible

May 16, 2018

Transcript

  1. Who am I?
     Chas Ballew, CEO and co-founder, Aptible
     • Regulatory attorney + software developer + CIPP/E
     • Helped hundreds of software companies implement compliance and data protection programs w/ Gridiron
  2. About Aptible
     • We help software companies build data protection programs
     • Meet requirements for ISO 27001, SOC 2, HIPAA, HITRUST, GDPR
     • Get in touch: [email protected]
  3. Logistics
     • We are recording the webinar
     • We’ll send an email followup to registrants with the recording, slides, and transcript
     • During the webinar, use the Q&A functionality within Zoom to ask questions, and we’ll answer as many questions as possible during the webinar
  4. Objectives
     We’ll cover:
     1. A brief history of EU data protection law, and how it set the context for GDPR
     2. The structure of GDPR and the basic requirements
     3. What GDPR means for running your SaaS business
     4. A very brief overview of how to think about standing up a data protection management program
  5. EU Data Protection History
     1948: UN Universal Declaration of Human Rights (UDHR) adopted
     1950: European Convention on Human Rights
     1951: Treaty of Paris - European Coal and Steel Community
     1957: Treaty of Rome - European Economic Community
     1970: Hessisches Datenschutzgesetz (Hessian Data Protection Act)
     1973: Swedish Data Act
     1970s-80s: More national data protection laws
     1980: OECD Guidelines
     1981: Convention 108
  6. EU Data Protection History
     1992: European Union established
     1995: Data Protection Directive
     2000: EU Charter of Fundamental Rights
     2002: ePrivacy Directive
     2012: GDPR proposed
     2016: GDPR finalized
     2018: GDPR effective
     2019(??): ePrivacy Regulation
  7. GDPR Scope
     Material scope: personal data
     + Territorial scope:
     • Establishment in the EU, or
     • Targeting, or
     • Profiling
  8. Principles
     • Lawfulness, fairness and transparency
     • Purpose limitation
     • Data minimisation
     • Accuracy
     • Storage limitation
     • Integrity and confidentiality
     • Accountability
  9. Lawful bases
     • Consent
     • Contract performance
     • Legal obligation
     • Vital interests
     • Public task
     • Legitimate interests
  10. Data subject rights
     • Transparency
     • Access
     • Rectification
     • Erasure
     • Restriction
     • Portability
     • Objection
     • Free from automated decisions that affect rights
  11. Data subject rights by lawful basis

     | Lawful basis         | Erasure | Portability | Objection |
     |----------------------|---------|-------------|-----------|
     | Consent              | ✓       | ✓           | withdraw  |
     | Contract performance | ✓       | ✓           | X         |
     | Legal obligation     | X       | X           | X         |
     | Vital interests      | ✓       | X           | X         |
     | Public task          | X       | X           | ✓         |
     | Legitimate interests | ✓       | X           | ✓         |
  12. Operational requirements
     • Accountability
     • Data mapping + use records
     • Privacy policy/statement
     • Contracts w/ processors
     • Security management program
     • Breach notification
     • Data protection officer
     • Workforce training
     • Transfers to third countries
     • Appoint EU rep, if not in EU
  13. Liability and Enforcement
     • Article 83: Big potential administrative fines
     • Article 58: DPA powers include injunction: stop all processing
     • Article 82: data subject right to sue, joint liability + indemnification
  14. Marketing and Sales
     • Direct marketing
       ◦ Tactics
         ▪ Web analytics, cookies, and consent
         ▪ Email analytics, tracking, and consent
       ◦ Buying leads
     • Suppression source of truth
     • Vendor management
  15. Product Design and Engineering
     • Controller vs processor?
     • Data protection by design and by default
       ◦ Logs and scope of PII across infrastructure
       ◦ Profiling/tracking - 1st vs 3rd parties
       ◦ Location data
       ◦ Data retention
       ◦ Encryption
       ◦ Pseudonymisation
  16. Support + Customer Success
     • Newsletters and the exception to “opt in”
     • Customer data in support systems
     • Product research and consent
  17. Human Resources and Recruiting
     Before employment:
     • Applicant tracking
     • Background screening
     • Employment contracts
     • Contractors
     During/after employment:
     • Productivity software
     • Employee monitoring
     • Data subject rights
     • Employee record retention
  18. Data Protection Management 101
     • Establish governance
     • Identify requirements
     • Track data, assets, and uses
     • Make a plan
     • Analyze risk
     • Train your workforce
     • Measure and monitor
  19. Recap
     We discussed:
     1. A brief history of EU data protection law, and how it set the context for GDPR
     2. The structure of GDPR and the basic requirements
     3. How GDPR affects various SaaS company functions
     4. Data protection management 101