Equip your SaaS with legal bases so that the use of your website is safe for users and you. If you search for different sites, the Privacy Policy and Terms of Service differ from each other. The same with the cookies. Each piece of information has varying meanings for the website, and it concludes crucial statements. There’s no unique example for all websites because of the specification, the idea of webites, purpose, kind and other features, collected data.
Usually, websites are available around the world, including Europe. Thus, you have to take care of your European users’ personal data. It is required by the law of the European Union, to be exact the Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR). But it could seem challenging to differentiate such users by giving some of the privileges.
Here’s the GDPR’s source https://eur-lex.europa.eu/eli/reg/2016/679/oj
All these documents, amenities are nothing but SaaS and User Agreement where SaaS declares:
to support some service described in Terms of Service and treat Users personal data with respect to GDPR what is mentioned in Privacy Policy,
and User state that:
he’s going to use your website, service according to Terms of service, and give necessary personal data, but you must use them as intended and provide adequate protection.
Where to start with GDPR
There’s no direct dictation to implement the Personal Data Protection Policy (mentioned in art. 24 GDPR). Still, it would be transparent to collect all rules and ways of handling data in one document. It will include a defined, very narrow catalog of mandatory documents: a register of processing activities, a record of categories of processing activities, documentation of personal data breaches, documentation related to the conduct of a data protection impact assessment, and prior consultations with the supervisory authority. After this document is ready, you can start creating your idea and figuring out how your project will affect personal data. The important stuff is to figure out the best security measures to keep your users safe.
If you already prepared the Personal Data Protection Policy, you know that the next step (after creation) is to assess the risk for your users’ data by filling Data Protection Impact Assessment and Privacy by Design. Not every project needs to be checked by Data Protection Impact Assessment, each EU member state defines the catalog itself, but we recommend to do it for each project. Then you can start building your website.
Check the providers with whom you intend to conclude contracts, their privacy policy, the method of data protection, where the data is stored, whether in the EU or outside. Start to build Privacy Policy and Terms of Service. Check if all your documents and your SaaS contain key provisions and ensure that the principles of respecting users’ personal data are respected.
You can check the source https://ec.europa.eu/justice/smedataprotect/index_en.htm where you can find some necessary information about GDPR for small businesses.
The Personal Data Protection Policy
It will be the primary document that includes all GDPR requirements. Is it necessary? The provisions of the GDPR require the implementation of appropriate technical and organizational measures so that the data processing is compliant and can be demonstrated. It’s only an internal document which helps you to keep in order all requirements and duties. It is supposed to contain regulations about: processing of personal data, risk analysis, registers regarding the processing of personal data and records, proceedings in the event of a breach of personal data protection, the security of information systems.
This document can be the basis for your workers to know how to deal with personal data. In the beginning, give some basic definitions to explain key terminology. List the rights of people, describe the role of Personal Data Protection Officer, IT System Administrator, other persons authorized to process data, and Administrator’s responsibilities. In any case, the crucial role and responsibility lie with the Administrator. Indicate the purposes and legal grounds for data processing, as (art. 6 GDPR):
- consent of the data subject,
- the necessity to perform the contract to which the data subject is a party,
- the need to fulfill the legal obligation incumbent on the Administrator,
- the legitimate interest of the Administrator.
List how you collect data (direct contact by person, subscription, conclusion of a contract, hire an employee). What about the period of data processing and data retention? That’s important information you need to review. You can’t keep personal data too long. That’s the time limitations rule – you are obliged to store data in a form that allows the identification of persons to whom they relate, no longer than necessary to achieve the purpose of processing. Establish a time after which you remove all those data.
Are you transferring data outside the European Economic Area (it includes processors who do it on your premise)? Write about it. The European Union has strict rules about taking care of personal data, but it’s not a priority everywhere.
Under GDPR regulation, you should provide a register of personal data processing activities and a register of categories of processing activities if you:
- hire more than 250 employees;
- process data in a way that involves the risk of violating the rights or freedoms of data subjects;
- process data more often than sporadically;
- process information covering special categories of personal data;
- process personal data relating to criminal convictions and offenses.
(Picture from https://ec.europa.eu/justice/smedataprotect/index_en.htm)
GDPR also requires to document or register personal data breaches.
Finally, let’s go to System security. Describe how you protect data by using technical measures. Are you doing a backup? Do you have your own servers or use those in the cloud, using an antivirus program? Do you anonymize data? Reviewing the program architecture is key to organizing and checking data security.
Here is some crucial thing which you should be aware of. You cannot describe the measures you implemented in every detail unless it could be a confidential attachment available only for a few people if needed!
Risk Analysis
Privacy by Design and Data Protection Impact Assessment. It’s mandatory to know where your users’ data goes to know the risk of processing. While creating a new project, you should implement presumption privacy by default. Every new project needs Privacy by Design evaluation. Some also require risk assessment by filling DPIA ( Data Protection Impact Assessment). It all helps to find vulnerabilities to support the best protection for data. DPIA is obligatory (which results from the GDPR and the European guidelines of the working party) whenever the processing is:
- Evaluation or scoring.
- Automated decision-making with legal or similarly significant effect.
- Systematic monitoring.
- Sensitive data or data of a highly personal nature.
- Data processed on a large scale.
- Matching or combining datasets.
- Data concerning vulnerable data subjects.
- Innovative use or applying new technological or organizational solutions.
- Preventing data subjects from exercising a right or using a service or contract.
GDPR includes terminology without supporting definition. For example, high risk or large scale is relevant to describe.
High risk – a situation when DPIA is needed (in some cases, it must occur with other items to be mandatory for DPIA). EU member states will publish lists of processing types that require a DPIA in their jurisdiction, e.g., large-scale profiling, invisible processing, tracking, genetic data, biometrics, innovative technology, denial of service, data matching, targeting of children or other vulnerable individuals.
Innovative technology is processing involving innovation (as artificial intelligence, machine learning, and deep learning, market research involving neuro-measurement, internet of things applications) or the novel application of existing technologies. It’s all new developments in technological knowledge, including new ways of collecting and using data.
Large scale GDPR doesn’t define this but to decide if it’s large-scale processing or not, you should consider: the number of individuals concerned with the volume of data, the variety of data, the duration of the processing, and the geographical extent of the processing.
Vulnerable individuals - in this meaning, people who, because of their circumstances, are not aware of their data processing implications, or they can’t freely consent or reject that processing (e.g., children).
Invisible processing is a situation when you obtained data not directly from the individual, and you don’t in-form that person about processing his data. Processing is invisible because that person is unaware that you are collecting and using their personal data, even if you publish a privacy notice on your website. A DPIA is re-quired where this processing is combined with any of the criteria from the European guidelines.
All contained in this article information is just an essence form how GDPR permeates every professional activi-ty. Although the intention to introduce the GDPR resulted from the need to protect natural persons, they im-pose additional entrepreneurs’ obligations. Anyone offering services should meet the basic requirements and take the user’s will as a benchmark.
Note from the author: Even though it contains a lot of practical information about legal stuff, you cannot treat it as legal advice. Each case is different and requires an individual approach. The purpose of this article is to help you to understand the essence of its subject.
Let's stay in touch!
Would you like to be notified about new posts? Please fill this form.