How SaaS providers are preparing for GDPR

Sometimes the best way to get a sense of something—especially something as complex as GDPR—is to see how your peers are thinking about it. Here’s a collection of documents that some of the most successful cloud and SaaS providers have put together to explain how they plan to comply with the law; the requirements they have in place for customers and subprocessors; and also their lists of subprocessors that handle personal data.

While all this information is useful for people learning about GDPR, posting it publicly also allows companies to answer any questions their customers (or potential customers) might have in a scalable manner. Typically, SaaS providers will include at least the following content as part of explaining their GDPR compliance:

If you’re a SaaS provider and want to add your information, or if you’ve come across some particularly useful information, please drop us a line or make a pull request.

aws
Overview · DPA

slack
Overview · Subprocessors · DPA

g-suite
Overview · Subprocessors · DPA · Model

ms office
Overview · Subprocessors

salesforce
Overview · DPA

dropbox
Overview · Whitepaper · Journey · Guide

okta
Subprocessors · DPA

zendesk
Overview · Subprocessors

mixpanel
Overview · DPA · Subprocessors

segment
Overview · Guide for compliance

auth0
Overview · Subprocessors · DPA

linkedin
Overview · Subprocessors · DPA

informatica
Subprocessors · DPA

atlassian
Overview · Subprocessors

intercom
Overview · Data collection practices

GDPR compliance in action

Apart from reading the documentation and legal content that SaaS providers are preparing around GDPR, it can also be helpful to see some concrete examples. Here is how a handful of popular SaaS services are adding functionality and changing their terms of service to comply with GDPR, and how they’re communicating these changes to customers:

intercom

Intercom is shortening the length of time for which it stores data on visitors to customers’ sites

In preparation for the new EU General Data Protection Regulation (GDPR), we will now be expiring Visitor data once a Visitor has not been seen for nine months.

This means that from May 11th, 2018:

This change only impacts Visitor data – all other data is unaffected. Note that, while GDPR is an EU regulation, it ultimately affects any business with customers in the EU, which is why we are applying these changes globally across our entire customer base.

slack

Slack has built tools for importing, exporting and deleting user data

Customers have requested tools to help them comply with the GDPR. And we’re happy to say that we’ve built those tools.

Compliance-related tools include the following:

segment

Segment is building tools for deleting and suppressing user data

To help you comply with user requests related to the right to erasure (the right to be forgotten), the right to object (the various rights to halt certain processing), and the right to restrict processing (the right to restriction), we are developing new capabilities that will be available to all Segment customers in early 2018:

Google Analytics

Over the past year we’ve shared how we are preparing to meet the requirements of the GDPR, the new data protection law coming into force on May 25, 2018. Today we are sharing more about important product changes that may impact your Google Analytics data, and other updates in preparation for the GDPR. This e-mail requires your attention and action even if your users are not based in the European Economic Area (EEA).

Product Updates

Today we introduced granular data retention controls that allow you to manage how long your user and event data is held on our servers. Starting May 25, 2018, user and event data will be retained according to these settings; Google Analytics will automatically delete user and event data that is older than the retention period you select. Note that these settings will not affect reports based on aggregated data.

Action: Please review these data retention settings and modify as needed.

Before May 25, we will also introduce a new user deletion tool that allows you to manage the deletion of all data associated with an individual user (e.g. site visitor) from your Google Analytics and/or Analytics 360 properties. This new automated tool will work based on any of the common identifiers sent to Analytics: Client ID (i.e. standard Google Analytics first party cookie), User ID (if enabled), or App Instance ID (if using Google Analytics for Firebase). Details will be available on our Developers site shortly.

As always, we remain committed to providing ways to safeguard your data. Google Analytics and Analytics 360 will continue to offer a number of other features and policies around data collection, use, and retention to assist you in safeguarding your data. For example, features for customizable cookie settings, privacy controls, data sharing settings, data deletion on account termination, and IP anonymization may prove useful as you evaluate the impact of the GDPR for your company’s unique situation and Analytics implementation.

Contract And User Consent Related Updates

Contract changes

Google has been rolling out updates to our contractual terms for many products since last August, reflecting Google’s status as either data processor or data controller under the new law (see full classification of our Ads product). The new GDPR terms will supplement your current contract with Google and will come into force on May 25, 2018.

In both Google Analytics and Analytics 360, Google operates as a processor of personal data that is handled in the service.

Updated EU User Consent Policy

Per our advertising features policy, both Google Analytics and Analytics 360 customers using advertising features must comply with Google’s EU User Consent Policy. Google’s EU User Consent Policy is being updated to reflect new legal requirements of the GDPR. It sets out your responsibilities for making disclosures to, and obtaining consent from, end users of your sites and apps in the EEA.

Action: Even if you are not based in the EEA, please consider together with your legal department or advisors, whether your business will be in scope of the GDPR when using Google Analytics and Analytics 360 and review/accept the updated data processing terms as well as define your path for compliance with the EU User Consent Policy.

More reading

Convinced that GDPR will matter to your company and looking for some more guidance on how and where it might apply, or how other SaaS companies are thinking about it? You can check out some of our other pieces on this topic:

  1. What is GDPR and why should I care?
  2. GDPR 202: Controllers, processors and subjects’ rights
  3. How GDPR might affect the SaaS industry
  4. How to read the full-text GDPR
  5. Other Useful GDPR Links
