Europes General Data Protection Regulation (GDPR) takes effect on 25 May 2018. It replaces the Data Protection Directive.
Australian small businesses of any size may need to comply if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU. While there are similarities to Australian privacy laws, there are key differences such as "The right to be forgotten"
Similarities include the need for your business to design compliance with privacy laws into operations. You need to be able to demonstrate you are complying and adopt transparent information handling practices. The Office of the Australian Information Commissioner has a good article covering the requirements for EU GDPR for Australian Businesses who may need to comply. Noting that being a small business doesn’t exempt you like it can for some of the Privacy Law requirements in Australia.
Saasu as a business doesn’t have an establishment in the EU nor have we offered subscriptions to EU residents and businesses since 1st March 2018. That said, our local Australian business customers often sell to their EU customers and we have some EU customers who will be with us potentially up to 1st July 2019 so we wanted to meet the GDPR standards. As a result of Saasu being highly accountable procedurally in the privacy area it was actually an easy decision to close the gap for ourselves.
Many of our customers have had to ensure their operations are compliant if they have an establishment in the EU, sell to EU customers and/or monitor those customers. Saasu is but one piece of our customer’s operational picture. Saasu doesn’t achieve compliance for our customers as a result of our own compliance.
So here are some key considerations that relate to Saasu as a system if you are needing to comply with GDPR. Get a GDPR audit done if you feel you meet the criteria or aren’t sure. What is covered herein is just some key points and not the specific needs that might relate to your business model and unique circumstances.
Client contact information, transactions, notes and attachments
The Rights of Access, Erasure, Rectification and Data Portability has meant that if you record and track customer data for EU customers you’ll need to have operating procedures to update data, report basic information you hold and pseudonymise personal data (Right to be Forgotten) in a way thats meets compliance with both the GDPR and your local tax and compliance laws. Pseudonymising takes the most identifying information (such as the customer’s name) and replaces it with an artificial identifier, or pseudonym. Pseudonymized data is recovered to its original state by adding back information allowing individuals to be re-identified. Anonymized data is one way and can’t be restored.
Exporting and Hosting data derived from EU residents and business
Saasu doesn’t store data in the EU. This is important from a GDPR perspective because it means EU customers data is being exported to Australia. For example, when your EU customer buys something from you and you record that transaction in Saasu it goes into our servers in Australia. That EU customers records have effectively been exported to Australia. We do that securely via an encrypted method that complies with GDPR requirements. The EU requires businesses like Saasu to host and process data outside the EU in a safe way. Australia was assessed by the EU as an adequate country by EU definitions to do this. You still need to check for other systems and procedures in your business used in moving data.
Saasu Web and Mobile app analytics
Saasu monitors customer feature use. We need to be able to tell the right customers the right information at the right time. We also do this to understand the value of features and the user experience. This is critical to improve the product and also to make sure people are on the right plan in our pay for what you use model. We don’t look at or monitor specific data in your file with analytics or humans though (unless you have requested us formally to do that to troubleshoot a service issue).
Saasu Website analytics
Saasu’s marketing website, blog and other web assets use Google Analytics and we have opted into having only the previous 26 months of data stored. This data isn’t client specific. We used more client specific systems like Salesforce, Marketo and some other analytics tools but they were all removed some years ago when we shifted to a more private in-built approach of using internal analytics instead of 3rd parties for data security reasons.
Saasu’s EU General Data Protection Regulation Checklist
- Reviewed our internal process, procedures and technology stack for any GDPR conflicts by performing a Data Protection Impact Assessment.
- Removed some 3rd party tools we used that had analytics features (customer monitoring).
- Moved to a more concentrated analytics model of internal systems plus Google Analytics.
- We have set our Google analytics data to expire at 26 months from creation. Enough timeframe for us to compare our website traffic for this year versus last year.
- Checked Rackspace, Amazon, Google and other key suppliers for GDPR compliance and contractual requirements or conflicts.
- Reviewed our own privacy statement and procedures. Some small changes are being rolled out on Friday the 25th of May 2018 for the start date.
- Updated our standard operating procedures to allow for matters impacting our Customer Experience team – this includes reporting of data breaches and other incident response types and mechanisms.
- Added regular Data Protection Impact Assessment to our business rituals.
- Compliance and training sessions with internal staff.
- Produce a data journey map so you know where your data goes and when.
- Saasu website users will be prompted with a Cookies Approval request if located in the EU.