Charities and internal investigations
In just over a year (25 May 2018), the EU General Data Protection Regulation (the “Regulation”) will replace the Data Protection Act 1998 (“the DPA”) and come into force in the UK. This will be just under a year before Brexit. In any event, the Regulation would still apply to all companies who intend to do business with the EU and handle the personal information of European citizens.
Unlike the DPA, the Regulation imposes a raft of direct statutory obligations upon data processors. Any SaaS provider processing personal data on behalf of its customers will be considered a data processor under the Regulation. Therefore, as a follow-up to our previous blog, we set out below the main points SaaS providers should consider when preparing for the new regime.
As part of a push for the increased accountability of data processors under the Regulation, the legislation imposes an obligation for the contract between a data controller and a data processor to be written and for it to include certain specific terms, including those set out below. Where the relevant contract is between a SaaS provider and its customer, please note the following:
SaaS providers will therefore not only need to consider whether their existing customer contracts are GDPR-compliant, but will also need to review their standard terms and conditions to make them GDPR-compliant. Practical procedures and internal policies will also need to be implemented or updated by SaaS providers to ensure that they are capable of fulfilling their additional responsibilities to their customers, e.g. further to a request for an audit, or in order to provide details of all processing carried out in respect of a specific individual.
Under the new Regulation, SaaS providers will be unable to engage (or replace) a sub-contractor to carry out data processing on their behalf, e.g. a server hosting provider, without prior written authorisation from their customer. The obligations of SaaS providers to their customers must be reflected in their contracts with sub-contractors, particularly given that SaaS providers will remain liable to their customers for the actions or inactions of any sub-contractor.
The Regulation imposes an obligation upon data processors to designate a specific Data Protection Officer (DPO) within the organisation as part of their accountability programme. Whether this is necessary for a SaaS provider will depend on whether its core activities mainly concern either: (i) the regular and systematic monitoring of individuals on a large scale; or (ii) processing special categories of data on a large scale (e.g. data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, or criminal convictions or offences). If a DPO is required they will need sufficient expert knowledge to adequately fulfil the role.
Under the new Regulation, data processors must notify data breaches to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours. In some cases, the data processor must also notify the affected data subjects without undue delay.
SaaS providers must either adopt, or refine existing, internal procedures for handling data breaches. Clear policies need to be put in place and internal personnel need to be trained to ensure they are aware of what constitutes a data breach and are able to react promptly should one occur.
The Regulation establishes a two-tiered approach to penalties for breach, depending on the nature, gravity and duration of the breach. The ICO has the right to impose fines of up to the higher of 4% of the annual worldwide turnover of the company and €20m for severe breaches, whereas lesser/specified breaches may incur fines of up to the higher of 2% of annual worldwide turnover and €10m.
Of equal concern to a fine is the potential for data subjects to bring claims directly against data processors, such as SaaS providers, for breaches of the Regulation.
The Regulation represents a radical shift in the law for SaaS providers in terms of their accountability for the processing they carry out on behalf of their customers. SaaS providers processing large volumes of personal data on behalf of their customers are particularly at risk of falling foul of the new legislation.
Should you have any GDPR or data protection queries, please contact Kingsley Napley’s data protection team.