In approximately nine months, a strict new privacy regulation will go into effect that impacts pretty much everyone.
The EU General Data Protection Regulation (GDPR) is, according to its own website, “the most important data privacy regulation in 20 years.” Enacted by the EU Parliament after four years of deliberation, GDPR aims to protect the privacy of EU citizens, specifically their “right to be forgotten” – AKA, their right to demand that organizations identify and eradicate any and all data about them.
GDPR only protects EU citizens but applies to virtually every company with a global footprint – even if it’s just online. It doesn’t matter if you don’t have a physical presence in the EU. As of May 25, 2018, you must abide by GDPR if you:
- Sell goods or services to EU citizens
- Operate a website that uses technologies like cookies to monitor people based in the EU
- Employ any residents of the EU
- Collect any sort of data that may include information about EU citizens
The provisions in the GDPR legislation run deep and wide. If you touch any data about anyone in the EU, you’re on the hook for a slew of increased obligations, from a stricter definition of consent to new laws on profiling, data handling, data retention, data processing, breach notification requirements, and more.
The EU isn’t messing around, either. Breaching GDPR can result in fines of up to 4% of your annual global turnover or a whopping 20 million Euros – whichever is higher. (The penalty system is tiered, however, and lesser offenses, like not having your records in order or not conducting an impact assessment, may only cost you 2% of your annual global turnover. That’s a relief.)
Why SaaS-heavy organizations are particularly susceptible to GDPR
Which brings us to SaaS.
The rise of software-as-a-service offerings has delivered countless benefits to modern businesses, from greater agility and flexibility to cost savings to scalability and beyond. But the very ease and accessibility of SaaS solutions make it a slippery slope for IT and compliance departments.
You know you have a significant SaaS stack, both accounted for and in the shadows, but you can’t exactly pinpoint the location of every license, application, and piece of data. You can guess, but you’ll probably undershoot it; by one estimate, the average enterprise organization was using 928 cloud apps, while most CIOs think their organization only uses around 30 or 40 cloud applications. That’s a significant gap.
The discrepancy between your known quantity of SaaS apps and the reality of your cloud ecosystem is concerning in any circumstances. Most medium and large businesses waste a serious amount of money on unused, underused, or unmanaged licenses and subscriptions. But the pending enforcement of GDPR represents a new and particularly pressing impetus to gain a clear, comprehensive understanding of what you have and where it lives. Poorly managed SaaS accounts may cost you thousands of dollars; failure to comply with GDPR can cost millions.
How to prepare your SaaS stack for GDPR compliance
So what’s a SaaS-centric company to do?
1. First, start now. May 25, 2018, will be here before you know it, and you need to be prepared.
2. Consider assigning a cross-departmental task force to address GDPR. This is an IT issue, certainly, but procurement, compliance, HR, Legal, and other business units must also be educated on its impact. Bringing multiple teams to the table will also help IT identify and wrangle shadow applications, an important step to GDPR compliance.
3. Familiarize yourself with the requirements. This sounds like a no-brainer, but the GDPR is dense stuff with endless intricacies. You need to understand the new definition of consent, for example; the rights you must communicate to your employees; the requirements for your IT service providers; what to do in case of a breach; and much, much more. The EU GDPR website is a great place to dig in (and even includes a handy countdown clock to the enforcement date!).
4. Review your existing compliance processes in the context of GDPR to find the most glaring holes in your procedures and documentation, then begin addressing them immediately. Compiling a track record of compliance before next year’s deadline will both help you toward that goal and demonstrate to any future courts or regulators that you’re taking the regulations seriously.
5. Evaluate your current tech stack. Does it provide the visibility and controls that you need to comply with GDPR and prevent breaches? This should include everything from security software to compliance tools to vendor management to all things data-related.
GDPR may originate in the EU, but it will have global consequences. Compliance is important for all affected organizations but especially critical for companies that rely on SaaS products. Knowing what you have and where you have it has always been a nice-to-have; with GDPR around the corner, it’s become a necessity.