While many companies are going for or considering GDPR implementation after 25th May 2018, there are a number of them still contemplating what to do about it. GDPR is not as easy to implement as ISO 27001 and requires a very different approach. This is especially true, and gets further complicated, when GDPR implementation needs to be carried out for a SaaS-based product company.
Here are a few myths or assumptions that can lead to trouble.
- If my organization is GDPR compliant, my SaaS product automatically becomes compliant
- If I implement GDPR for my company, only the EU PII data is in question so no need to take into account our online products
- My online products are hosted on cloud platforms which are GDPR compliant, so I need not worry about it.
When a SaaS product is part of a GDPR implementation, one needs to ask questions such as:
- Where is the EU PII data, and how is it being ‘handled’ by the product?
So what is expected from a SaaS product to be GDPR compliant?
In many cases it may be felt that the product has nothing to do with EU PII, but working through the questions below can help handle the situation more accurately.
- Is the product SaaS based, hosted on a commercial cloud platform?
- Is the cloud hosting platform itself GDPR compliant?
- What is the physical location of hosting servers where the SaaS product’s data will be stored?
- Is the SaaS product being managed by any outsourcing company (server management)?
- What are the locations of personnel who support the product from customer experience perspective?
- Is the SaaS product data being provided to any third-party vendor for some specific business reason?
It is important to note that the above pointers are based on typical scenarios. Depending on the nature of the business, the location of business offices, the cloud provider, server locations, the customer’s location and the EU PII data elements being processed by the product, there could be a whole new list of pointers that would need to be taken into consideration.
SaaS product and GDPR
It is tough to get a SaaS product compliant with GDPR, along with the organisation that created that product. It needs a series of discussions with the technical and non-technical teams within the organisation to form the correct controls framework. The entire approach should be focused on the data elements and the way they are processed or controlled, also taking into consideration all the processes and people who handle that data while working with the SaaS product. In an ideal situation the SaaS product review must start with product engineering and architecture and run all the way through UAT to product support. The product must be scrutinised to check for the following GDPR mandates:
- How does the product collect the user’s consent?
- How does the product allow users to opt out of providing their PII?
- How does the product provide users with the right to have their information forgotten?
- What breach notification process is in place that the user can refer to?
While implementing GDPR for a SaaS product, the key to success is a deep understanding of the GDPR regulation and its accurate technical implementation in the product. More information can be found at http://www.valencynetworks.com/it-audit-services/gdpr-compliance.html