SaaS suppliers should be aware that from the 25th of May 2018, the General Data Protection Regulation (GDPR) will apply directly in all Member States of the European Union (EU).
Many SaaS suppliers are concerned about their data protection obligations following “Brexit” and are unaware that they will still have obligations (as data processors) to comply with the new rules imposed by the GDPR post-Brexit.
Will the GDPR apply in the UK after Brexit
Regardless of the timing of Brexit and any agreement reached between the UK and the EU on the terms under which the UK will leave the EU, the GDPR will automatically apply in the UK, until UK data protection laws are amended.
GDPR applies to UK SaaS Suppliers despite Brexit
Regardless of when and how Brexit takes place or any subsequent changes made to UK data protection laws, the GDPR will still apply directly to SaaS suppliers located within the UK if:
– They offer goods or services to SaaS customers located within the EU (i.e. in any of the remaining 27 Member States); or
– They monitor the behaviour of EU data subjects;
Even though UK SaaS suppliers will no longer be located within the EU themselves after a Brexit.
GDPR will apply to non-EU SaaS Suppliers
From the 25th of May 2018, the GDPR will automatically also apply to all SaaS suppliers located outside of the EU i.e. in the USA, if:
– They offer goods or services to SaaS customers located within the EU; or
– They monitor the behaviour of EU data subjects, even though the SaaS supplier is not located within the EU.
Complying with the GDPR
The following are the main obligations that all SaaS suppliers, who are subject to data processor obligations under the GDPR, will need to comply with:
– Having specific minimum terms in a written data processing agreement with all customers;
– Keeping records of all categories of processing activities that they carry out;
– Obtaining prior written consent to the subcontracting of any data processing activities;
– Notifying customers of any breach of their obligations, without undue delay, after becoming aware of the breach;
– Appointing a data protection officer (DPO) in specific circumstances; and
– Allowing customers to choose between deletion or return of all personal data.
Fines for Breach
Data subjects will be able to claim damages directly from SaaS suppliers who breach:
– Any obligations under the GDPR;
– Any lawful instructions of the customer.
In addition, data protection authorities will be able to fine SaaS suppliers up to 4% of annual global turnover or 20m Euros (whichever is higher) for breaches of the GDPR.
Preparing for Change
The current position with regard to Brexit is unclear and subject to change. However, all SaaS suppliers supplying SaaS services to customers located in the EU need to be aware that current data protection laws will change throughout the EU on the 25th of May 2018, and/or in the UK following Brexit.
SaaS suppliers who plan to provide SaaS services to individuals located in the EU after the 25th of May 2018, need to take the following action:
– Review their existing privacy policies;
– Review the terms of existing SaaS agreements;
– Create a written data processing agreement;
– Review all internal procedures relating to data protection and security; and
– Review insurance cover limits and exclusions.
Irene Bodle is an international IT lawyer who specialises in IT law, in particular, SaaS and cloud computing. Irene provides specialist, pragmatic and business-focused legal advice to companies who provide IT services to business customers. She has over 14 years experience (gained both in-house and in private practice) advising technology companies across all business sectors on the legal and commercial risks of operating a technology business. Whether you are a start-up who needs help creating a legally compliant business website or are an established technology company who needs assistance drafting and negotiating complex legal agreements, Irene can help you achieve your commercial objectives, efficiently and cost effectively. As a dual-qualified English and Irish lawyer, Irene advises primarily on English law, but also advises on Irish IT law. Being based in Berlin and fluent in German, Irene can also assist in negotiating or advising on technology agreements drafted in German.
Visit https://www.bodlelaw.com for more information.