GDPR News Center News for 10-03-2018

The European Union’s upcoming law on personal data processing, the General Data Protection Regulation, goes into effect on May 25th 2018. The GDPR encourages businesses to be more aware of the data they collect and what they do with it, and gives individuals much more control over what happens to their data. Personal data is any piece of data which can reasonably be traced back to a specific individual, including the obvious such as name, address, photo, phone number, and email address, but also the less obvious such as IP address, browser user agent, user ID, and so on. Since personal data processing is a core activity for many SaaS businesses, you need to appoint a Data Protection Officer tasked with making sure all personal data is handled properly, and register the DPO with the local data protection authorities. The GDPR distinguishes between data controllers and data processors. 

As a SaaS, you will most likely be both: you are a controller for data which you collect yourself, and a processor for data which your customers store in your SaaS product. The tricky bit here is that if you use client-side JavaScript to submit the data, the user’s IP address is sent to Google as part of the network request, and while Google claims it does not store this it can still be considered a transfer of personal data. We therefore suggest you collect the data on the server side, set the last octet of the IP address to 0 to anonymize it somewhat but still have rough location data, and submit it yourself. As for single sign-on, i.e. allowing users to log in using their Google or GitHub accounts, this is regulated by the terms between the user and third-party provider, and as long as you handle the data you receive from these services in a similar fashion as the rest of your user data you shouldn’t have to give it much thought. 
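The server-side truncation the paragraph recommends, as an added example that is not code from the original article. It zeroes the last octet of an IPv4 address as described, and extends the same idea to IPv6 (keeping the first 48 bits, an assumption of this example, not something the article states); an event whose address cannot be parsed loses the field rather than forwarding it untouched.

```python
import ipaddress

# Added example, not from the original article. IPv4: keep 24 bits (last octet
# becomes 0), as the article suggests. IPv6: keep 48 bits is this example's own
# assumption, chosen to leave a site-level prefix but drop the host part.
IPV4_KEEP_BITS = 24   # 192.0.2.77 -> 192.0.2.0
IPV6_KEEP_BITS = 48   # 2001:db8:1234:5678::1 -> 2001:db8:1234::


def anonymize_ip(raw: str) -> str:
    """Return the coarsened IP as a string; raise ValueError if unparsable."""
    addr = ipaddress.ip_address(raw.strip())
    keep = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    # Treat the kept prefix as a network; its network address is the host
    # with the discarded low bits set to zero.
    net = ipaddress.ip_network((int(addr), keep), strict=False)
    return str(net.network_address)


def sanitize_event(event: dict) -> dict:
    """Copy an analytics event, replacing its 'ip' with the truncated form.

    If the address is missing or malformed, the field is dropped so that a
    raw (possibly personal) value never leaves the server by accident.
    """
    out = dict(event)
    try:
        out["ip"] = anonymize_ip(event["ip"])
    except (KeyError, ValueError):
        out.pop("ip", None)
    return out


if __name__ == "__main__":
    # Constructed sample events, using documentation address ranges.
    for ev in ({"ip": "203.0.113.9", "path": "/pricing"},
               {"ip": "2001:db8:1234:5678::1", "path": "/docs"},
               {"ip": "not-an-ip", "path": "/"}):
        print(sanitize_event(ev))
```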

Many databases will simply mark a row as deleted or outdated, but not actually remove it from disk until it is overwritten by other data. Most of the issues we have discussed so far have applied to data for which you are the controller. We can’t hope to cover all aspects of running a GDPR-compliant SaaS business here – in particular, we haven’t discussed security practices, processes for exporting and deleting data on user request, or handling of your employee data. 

Keywords: [“data”,”personal”,”collect”]
Source: https://www.sanity.io/blog/a-rough-guide-to-running-a-gdpr-compliant-saas-business

