  • Jeannie Maria Dougherty

Data Privacy Issues for SaaS Companies in the Age of GDPR


Date: Jan 17, 2020 Client: Smartbug Media Role: Ghostwriter


GDPR has been in effect since May 2018, yet many marketers are still adapting their marketing ops and data management to be compliant. According to a 2018 Demandbase study, only 32 percent of organizations surveyed reported being fully compliant, and many were still working toward compliance.


At the same time, consumers are becoming increasingly concerned about their personal data, and supervisory authorities such as the UK's ICO are showing that GDPR is not to be taken lightly: big-name companies like British Airways and Marriott, as well as SaaS companies such as the German chat platform Knuddels, have been fined.


Regardless of where your company is headquartered, if you process the personal data of people who are in the EU, whether by offering them goods or services or by monitoring their behavior, you are obliged to comply, or you risk facing these penalties.


There are many facets to this regulation, and it can be quite complex. Seven provisions matter most for marketers and SaaS companies.

1. Scope

Once again, because this is the most important point for businesses that operate in the U.S.: if you process the personal data of anyone located in the EU, you must comply with GDPR. EU citizenship is not the test; what matters is where the person is and whether you offer them goods or services or monitor their behavior.

2. Data Permissions

This is probably the provision of GDPR that most affects marketers, because consent is the lawful basis most marketing relies on.

No longer can you simply send out a 14-page legal document full of complicated terminology explaining your privacy policies and consider yourself covered. When you ask for consent to collect, use, or share personal data, the request must be in clear, plain language a layperson can understand, and it must be clearly distinguishable from any other terms you present at the same time.

How GDPR’s Data Permissions Impact Inbound Marketing

If you’re collecting personal data (let’s say for an email marketing campaign) to support your SaaS marketing strategy, you will need to clearly outline why you are collecting this information and what it will be used for. For example, as a marketer, you will most likely be using this information to personalize the experience for the end user.


To be in compliance with GDPR, you will need to be open and transparent about how you will process the end user’s personal data. You will need to clearly say who will have access to this information, the purpose of collecting it, and how long it will be stored, along with a clear statement that the client or customer has the right to access, correct, or delete it (see “Right to be Forgotten” below).


In addition, a pre-ticked checkbox under your form that just says “SIGN ME UP!” will not give you valid consent. Consent must be an affirmative act: the box must start unchecked, it must say clearly what the person is signing up for, and the person must confirm that they do in fact wish to be contacted in the future.


Pro Tip: A simple way to do this is to send an automated email confirming the subscription with a second opt-in link. GDPR does not mandate double opt-in, but it gives you a dated record of exactly what the person consented to, and being able to demonstrate consent is something GDPR does require.
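The double opt-in flow above needs two things a plain “click to confirm” link does not give you: a link that cannot be forged or replayed after it has gone stale, and a consent record that captures what was agreed to and when. The following is an added example, not code from the original article, showing one way to do both with an HMAC-signed, expiring confirmation token. The 48-hour lifetime, the in-memory secret and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Assumed: a server-side secret generated at startup. In production this would
# come from a secrets manager so every web node verifies the same tokens.
SERVER_SECRET = secrets.token_bytes(32)

# Assumed policy: confirmation links stop working after 48 hours.
TOKEN_TTL_SECONDS = 48 * 3600


def _sign(payload: bytes, secret: bytes) -> str:
    """HMAC-SHA256 over the payload; the signature is what makes the link tamper-evident."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def make_confirmation_token(email: str, purpose: str, issued_at: int,
                            secret: bytes = SERVER_SECRET) -> str:
    """Build the opaque token embedded in the confirmation email.

    The payload carries the exact purpose text shown on the form and the time the
    person asked to subscribe, so the consent record can later reproduce both.
    """
    payload = json.dumps(
        {"email": email, "purpose": purpose, "iat": issued_at}, sort_keys=True
    ).encode()
    return payload.hex() + "." + _sign(payload, secret)


def verify_confirmation_token(token: str, now: int,
                              secret: bytes = SERVER_SECRET) -> Optional[dict]:
    """Return a consent record if the token is authentic and unexpired, else None."""
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None  # malformed link
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    if not hmac.compare_digest(_sign(payload, secret), sig):
        return None  # tampered or forged
    data = json.loads(payload)
    if now - data["iat"] > TOKEN_TTL_SECONDS:
        return None  # stale link: ask the person to subscribe again
    # This dict is what you store; it is the evidence of consent.
    return {
        "email": data["email"],
        "purpose": data["purpose"],
        "requested_at": data["iat"],
        "confirmed_at": now,
        "method": "double opt-in email",
    }
```

The consent record, not the token, is what goes into your database: it says who consented, to which wording, when they asked and when they confirmed. If the purpose text on the form changes later, the old records still show what those subscribers actually agreed to.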

It’s also important to consider how demographic data such as gross annual income, family size, or age is managed. This is great information for targeting campaigns, but data only counts as anonymous if nobody can re-identify an individual from it by any reasonably likely means; if a combination of such attributes can single someone out, it is still personal data and all of GDPR applies to it. Data minimization is the rule: ask only for the minimum needed to execute the campaign.
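Whether a “nameless” dataset can single someone out is something you can measure rather than guess. The following is an added example, not part of the original article, that checks k-anonymity over the attributes the paragraph mentions: it groups rows by their combination of quasi-identifiers, reports the combinations that match exactly one person, then generalises the attributes into bands and suppresses whatever is still unique. The sample rows are constructed for the example, and the bands chosen are an assumption.

```python
from collections import Counter
from typing import Iterable, List, Sequence, Tuple

# Constructed sample rows from a hypothetical "anonymous" survey: no names,
# just the demographic attributes a marketer might collect.
SAMPLE_ROWS: List[dict] = [
    {"age": 34, "income": 72000, "family_size": 3, "postcode": "SW1A"},
    {"age": 35, "income": 69000, "family_size": 3, "postcode": "SW1A"},
    {"age": 52, "income": 145000, "family_size": 1, "postcode": "SW1A"},
    {"age": 36, "income": 71000, "family_size": 3, "postcode": "SW1A"},
    {"age": 31, "income": 40000, "family_size": 2, "postcode": "EC2A"},
    {"age": 33, "income": 43000, "family_size": 2, "postcode": "EC2A"},
]

RAW_KEYS = ("age", "income", "family_size", "postcode")
COARSE_KEYS = ("age", "income", "family_size")  # postcode is dropped when generalising


def equivalence_classes(rows: Iterable[dict], keys: Sequence[str]) -> Counter:
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(row[k] for k in keys) for row in rows)


def k_anonymity(rows: Iterable[dict], keys: Sequence[str]) -> int:
    """k is the size of the smallest class; k == 1 means someone is uniquely identifiable."""
    classes = equivalence_classes(rows, keys)
    return min(classes.values()) if classes else 0


def singletons(rows: Iterable[dict], keys: Sequence[str]) -> List[Tuple]:
    """Attribute combinations that match exactly one person in the dataset."""
    return [combo for combo, n in equivalence_classes(rows, keys).items() if n == 1]


def generalise(row: dict) -> dict:
    """Coarsen each attribute into a band (assumed bands) and drop the postcode."""
    income = row["income"]
    return {
        "age": f"{row['age'] // 10 * 10}s",  # 34 -> "30s"
        "income": "<50k" if income < 50000 else "50-100k" if income < 100000 else ">=100k",
        "family_size": "1-2" if row["family_size"] <= 2 else "3+",
    }


def anonymise(rows: Iterable[dict], k_target: int = 2) -> List[dict]:
    """Generalise, then suppress rows whose class is still smaller than k_target.

    Generalisation alone is not always enough: an outlier (here, the one
    high earner in their fifties) stays unique and has to be removed.
    """
    coarse = [generalise(r) for r in rows]
    classes = equivalence_classes(coarse, COARSE_KEYS)
    return [r for r in coarse if classes[tuple(r[k] for k in COARSE_KEYS)] >= k_target]
```

Run against the sample, every raw row is a singleton (k = 1), banding the attributes still leaves one unique person, and only suppression of that row gets the set to k = 2. The practical reading is the one in the paragraph: if you do not need the precise value, do not collect it.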


3. The Right to Be Forgotten

Each of your EU customers has the right to have their data erased on request. They need only ask; withdrawing the consent on which you relied is one of the grounds that triggers the right. The right is not absolute (you may keep data you are legally required to retain, for example), but for marketing data held on the basis of consent it will almost always apply.


Much as Google was required to delist search results after the 2014 Google Spain ruling, which established this right under GDPR’s predecessor, marketers will also have to give their clients, customers, and subscribers easy access to their data and the option to opt out of all further communication.


Something as simple as an “unsubscribe” link in your communications, along with a link to that user’s profile, will not suffice on its own. You also need a direct contact for data-protection inquiries (your data protection officer, where you are required to have one) so that requests are handled within the one month GDPR allows, which can be extended by a further two months for complex or numerous requests.

Pro Tip: Make sure to perform an audit of your current email marketing database to ensure that each of the folks listed have explicitly opted in to receiving future communications and/or marketing material.

4. Breach Notification

We’ve seen this in the news too many times to count. 


When a corporation (think Experian) suffers a data breach, it is required by law to notify those affected. Under GDPR, the organization must report the breach to its supervisory authority within 72 hours of becoming aware of it, and must tell the affected individuals without undue delay when the breach is likely to put them at high risk; failing to do so invites serious fines.


Affected individuals do not need to be notified when the breached data was rendered unintelligible to whoever obtained it, for example because it was properly encrypted and the key was not exposed, or when the breach is otherwise unlikely to result in a high risk to them. Note that stripping names is not enough on its own: account numbers and similar identifiers still point to a person, so a breach of them is not a breach of anonymous data.

5. The Right to Information

The GDPR stipulates that clients and customers have a right to know exactly how and why you’re using their information, and to obtain a copy of it. They can make this request at any time, and you will need to be prepared to provide the information free of charge (a reasonable fee is allowed only for manifestly unfounded, excessive, or repetitive requests).

6. Data Portability

The data portability right means that customers and clients should not only have access to their personal data but also be able to obtain it in a structured, commonly used, machine-readable format and transfer or reuse it across different services, without any loss of usability.

Pro Tip: CSV, XML, and JSON are three examples of acceptable formats for this data.

7. Privacy by Design

Much like any other data privacy law (such as the Health Insurance Portability and Accountability Act, HIPAA), you cannot add data privacy protections as an afterthought. GDPR calls this data protection by design and by default: the systems and applications you use to store, share, process, and distribute personal data must be designed with a foundational layer of privacy and protection.


In addition, the GDPR also means this personal data cannot be accessed by just anyone. Only people who need the data to perform their job should be granted access, and by default no more data should be collected or exposed than a given purpose requires.


When working on your digital marketing assets (websites, landing pages, banner ads, social media, and so on), you will need to build in rules for the collection of personal data that honor the “Right to be Forgotten,” “Data Permissions,” the “Right to Information,” and “Data Portability.”

As a SaaS Organization, What Does GDPR Mean for You?

When it comes to software-as-a-service (SaaS) organizations, the GDPR software requirements vary slightly.


What’s important to note before we begin is what your EU clients and customers are looking for in a modern-day SaaS solution: a vendor that can demonstrate GDPR compliance, because as controllers they remain responsible for the processors they choose. Without that, your EU market will all but disappear.

How do you maintain 100 percent GDPR compliance?

First, start with your product agreement. A SaaS company is usually a processor acting on its customers’ behalf, and GDPR requires a written contract (often called a data processing agreement) between the customer, as controller, and you, as processor.


Product agreements should include:

  • The purpose, nature, and duration of data processing

  • The kind of data being processed

  • The responsibilities, requirements, and the rights of the customer

  • How your organization will work with the customer in complying with their own GDPR requirements (as well as advisements if they are believed to be noncompliant with GDPR or any other data compliance law)

  • A statement that personal data will only be processed according to the customer’s documented instructions

  • Notification that breaches will be reported to the customer without undue delay, so the customer can meet its own 72-hour deadline to the supervisory authority

  • Notification that once the agreement has been terminated, data will not be kept in a silo, but rather returned to the customer, transferred to another vendor (if the customer so chooses), or deleted from the system


Second, policies and procedures of SaaS organizations must demonstrate that they meet the specifications of GDPR and guarantee SaaS data protection and compliance.


These should include the obvious:

  • Enhanced security systems that are sophisticated enough to limit breaches 

  • Processes in place for reporting data breaches

  • Systems in place to prevent loss of data

  • Processes in place to prevent unauthorized processing operations


These policies and procedures should also have in place systems for:

  • Maintaining data records

  • Regular security audits

  • Communication strategies to ensure employees of your organization are aware of all the facets of GDPR 

In a Marketing Organization, Who Is Most Affected by GDPR?

Although every organization that handles the personal data of its customers is affected by GDPR, there are three roles within marketing organizations that are most affected by these rules: email marketing managers, marketing automation specialists, and public relations executives.

Email Marketing Managers and GDPR

As we stated above under “Inbound Marketing,” users will willingly give their information in exchange for something your organization is offering, be it a white paper, newsletter, or an email subscription.


You want to make clear what their information will be used for and by whom, give them access to said information, and offer a clear and easy opt out on future communications.  


Purchased email lists are effectively off-limits under GDPR: each user has to consent specifically to being contacted by your organization, and a list bought from someone else cannot give you that. Nor is it OK to subscribe a user automatically and make them do the work of opting out later.

Marketing Automation Specialists and GDPR

Marketing automation is a beautiful and wonderful thing for marketers, but with the new GDPR restrictions, it can also lead to a lot of trouble if it’s not handled properly. 

For example: if your CRM system is set up to send drip campaigns to an email database, you need to make sure it checks your opt-out system at send time, so that a user who opts out after being queued for a campaign never receives the next email.
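The failure mode in the example above is a batch queued before an opt-out and sent after it. The following is an added example, not code from the original article, of a single consent store that every sender consults at send time rather than at enqueue time; it also covers the erasure request from “The Right to Be Forgotten” (keeping only a keyed fingerprint of an erased address, so the person is recognised if they reappear in a later import without their address being held in clear) and the purchased-list point from the email marketing section (anyone without a recorded consent for the purpose is simply not sent to). The class and function names, and the hashing key, are assumptions.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Set

# Assumed: a key for fingerprinting erased addresses; load from a secrets store in practice.
HASH_KEY = b"demo-key-not-for-production"


def _fingerprint(email: str) -> str:
    """Keyed hash of the normalised address. Lets us recognise an erased person
    in a later import without keeping their address on file."""
    return hmac.new(HASH_KEY, email.strip().lower().encode(), hashlib.sha256).hexdigest()


class ConsentStore:
    """One authoritative record of consent, opt-outs and erasures for all senders."""

    def __init__(self) -> None:
        self._purposes: Dict[str, Set[str]] = {}  # email -> purposes consented to
        self._opted_out: Set[str] = set()          # emails that asked for no further contact
        self._erased: Set[str] = set()             # fingerprints of people who asked to be forgotten

    def record_consent(self, email: str, purpose: str) -> None:
        """Explicit opt-in (e.g. after a double opt-in confirmation) for one purpose."""
        self._erased.discard(_fingerprint(email))  # a fresh consent supersedes an old erasure
        self._opted_out.discard(email)
        self._purposes.setdefault(email, set()).add(purpose)

    def opt_out(self, email: str) -> None:
        """Unsubscribe: withdraws consent for every purpose."""
        self._opted_out.add(email)
        self._purposes.pop(email, None)

    def erase(self, email: str) -> None:
        """Right to be forgotten: drop everything we hold, keep only the fingerprint."""
        self._purposes.pop(email, None)
        self._opted_out.discard(email)
        self._erased.add(_fingerprint(email))

    def may_send(self, email: str, purpose: str) -> bool:
        """The only question a sender is allowed to ask, answered at send time."""
        if _fingerprint(email) in self._erased or email in self._opted_out:
            return False
        return purpose in self._purposes.get(email, set())


def send_batch(store: ConsentStore, queued: List[str], purpose: str,
               deliver: Callable[[str], None]) -> List[str]:
    """Filter a batch that was queued earlier against the store as it is *now*.

    `deliver` is the real transport, injected so the example runs offline."""
    sent = []
    for email in queued:
        if store.may_send(email, purpose):
            deliver(email)
            sent.append(email)
    return sent


def demo() -> List[str]:
    """Constructed scenario: a newsletter batch queued, then consent changes before it goes out."""
    store = ConsentStore()
    for e in ("ada@example.com", "bob@example.com", "cy@example.com"):
        store.record_consent(e, "newsletter")
    store.record_consent("dee@example.com", "product-updates")  # a different purpose
    queued = ["ada@example.com", "bob@example.com", "cy@example.com",
              "dee@example.com", "eve@example.com"]  # eve came from a bought list: no consent
    # Between queuing and sending: Bob unsubscribes, Cy asks to be forgotten.
    store.opt_out("bob@example.com")
    store.erase("cy@example.com")
    return send_batch(store, queued, "newsletter", deliver=lambda e: None)
```

Only Ada is sent to: Bob opted out, Cy was erased, Dee consented to a different purpose, and Eve never consented at all. The point is that the drip system holds no copy of the consent state; it asks the store for each address at the moment of sending.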

Public Relations Executives and GDPR

Under GDPR, it is no longer safe to assume you can reach out to journalists with unsolicited press releases or company announcements, unless you can rely on a lawful basis other than consent, such as a documented legitimate interest, and the e-privacy rules of the journalist’s country allow it.


Because these journalists have not given you their express consent to be contacted, you are limited to a few options in the EU for these sorts of communications: services such as PRWeb, MyNewsDesk, and HARO, and good old-fashioned social media. You may also contact them to ask permission to send your press release, but you cannot include the press release in that request. If a journalist reaches out to you on any of these platforms, you then have the green light to communicate.


Although we’ve done our best to summarize the important aspects of GDPR as it relates to SaaS organizations and marketers, it’s always worth going to the source directly—check out EU GDPR for more detailed information.
