GDPR for SaaS in Plain Spoken English
While my previous article was entirely dedicated to the TODOs for getting your company GDPR compliant, this one covers a shortcut to that compliance: implementing Privacy Shield first, especially if your company is registered in the US.
If your business is in the US but you still process (or plan to process 🤔) personal data belonging to EU citizens, acquire Privacy Shield Framework (PSF) compliance first. As a bonus, it’s also a shortcut to GDPR.
PSF regulates how data from the European Union (and Switzerland) can be stored and processed in the US. Understanding PSF is way easier than GDPR: they have got all the certification rules published on their website.
Here is the list of 8 TODOs to get certified by EU-US Privacy Shield:
1. Understand Data Flows — describe the personal data flow in your system.
You need to determine which personal data you collect and store, or at least plan to store in the future. This ranges from credentials and payment details to data received directly from users, including your site behavior analytics. All of this needs to be accounted for, both onsite and on the third-party services you’re using. This means the entire data pipeline.
The Privacy Shield Notice should cover every item on this notice. In short, it requires:
- The above link to the notice page.
- A description of types of personal data you collect 🗒️
- A list of affiliated organizations that also uphold Privacy Shield standards.
- A declaration of intent to comply with Privacy Shield and only collect pertinent personal information.
- Where to direct complaints and how to follow up on any and all issues.
- To which third parties you transfer collected personal information.
- That users can get access to their information, and that in the event you modify the use of their information, users will be given a choice on how they wish to proceed.
3. Revise third-party contracts — double check that all third-party services handling the personal information you’ve collected are also certified.
You need to be certain that any third-party service you’re using is either certified itself or is required by contract to operate by Privacy Shield standards. Start by going over the list outlined in Point 1. Chances are you won’t need to do anything.
4. Sign up for an independent recourse mechanism — enlist the services of an independent organization that will arbitrate in conflicts with users you weren’t able to resolve yourself.
You need to choose an organization that will independently resolve any conflicts you couldn’t hash out with a user, and enter into a contract with it. You can use European organizations; here is an example. The http://privacyshield.uscib.org/ company is among the most economical ones: it will set you back just $50 💰 Their website has buggy payment processing, but I’m sure you’ll be able to figure it out.
5. Draft internal policies — create an internal policy and/or mechanism for handling data requests, data deletion requests, refusal to provide data to third parties, etc.
You are expected to know what to do in the event of any issues or requests, as well as maintain a paper trail for such events.
- Your employees need to understand when they’re dealing with personal information, and who to contact in the organization if issues arise.
- Respond logically and predictably to requests regarding personal data, and reply to them within 45 days. A specific employee needs to be assigned to deal with this, preferably one who won’t lose their cool when responding to a request from external agencies and organizations.
- Ensure the security of all personal data by having a Security Policy that controls access to the data, and by having a plan on hand in the event of a break-in.
- Have the ability to edit, change or delete personal data on demand.
You must also implement the Choice Principle:
- Opt-in: if you plan on using sensitive information (data on finances, sex, health, etc.), then you need to receive overt consent from the user.
You need to have a written internal policy, ready to be provided in the event of an investigation, complaints regarding policy adherence, etc.
6. Prepare for Self-Certification — prepare basic information about your organization, choose a privacy officer, and apply for self-certification.
When applying, you must provide the following:
- Describe your business and operations, with an emphasis on handling personal data.
- When specifying whether you’ll be handling human resources data or not, choose no (unless, of course, you are 🤔).
- Specify whether or not you’re participating in other privacy programs.
- Cite an independent organization that will be handling conflict resolution.
- Have the Privacy Officer (Corporate Officer) sign the application.
7. Conduct annual compliance assessments — don’t forget to conduct an annual internal audit and renew certification.
You need to annually update your application and make sure all measures and mechanisms put in place for the certification are operating correctly.
8. Leaving Privacy Shield or Organization ceased to exist — what to do in the event of rescinding a certification or company closure.
If an organization ceases to exist, it is required to report this to Privacy Shield. For example, when a non-certified company buys a Privacy Shield compliant one, all personal information collected while under Privacy Shield needs to be deleted. If you decide to drop the Privacy Shield certification, you will have to delete all references to affiliation and compliance.