UK SaaS suppliers must currently comply with the terms of the Data Protection Act 1998 (DPA), which governs data protection law in the UK. SaaS suppliers should be aware that from the 25th of May 2018, the General Data Protection Regulation (GDPR) will apply directly in all Member States of the European Union (EU).
Many SaaS suppliers are concerned about their data protection obligations following Brexit, and are unaware that they will still have obligations (as data processors) to comply with the new rules imposed by the GDPR even after Brexit.
Will the GDPR apply in the UK after Brexit?
How the GDPR will apply to the UK following Brexit will depend upon the timing of Brexit and the agreement reached between the UK and the EU on the terms under which the UK will leave the EU.
In any event:
- if Brexit takes place after the 25th of May 2018, the GDPR will automatically apply in the UK until UK data protection laws are amended;
- if Brexit takes place before the 25th of May 2018, the applicable data protection regime will depend upon the terms of the Brexit deal agreed with the EU.
GDPR applies to UK SaaS Suppliers despite Brexit
Regardless of when and how Brexit takes place, the GDPR will apply to SaaS suppliers located within the UK if:
- they offer goods or services to data subjects located within the EU (for example, SaaS customers in any of the remaining 27 EU Member States); or
- they monitor the behaviour of EU data subjects,
even though UK SaaS suppliers themselves will no longer be located within the EU after Brexit.
GDPR will apply to non-EU SaaS Suppliers
From the 25th of May 2018 the GDPR will automatically apply to all SaaS suppliers located outside of the EU (for example, in the USA) if:
- they offer goods or services to data subjects located within the EU (for example, SaaS customers); or
- they monitor the behaviour of EU data subjects,
even though the SaaS supplier is not located within the EU.
Complying with the GDPR
The following are the main obligations that all SaaS suppliers who are subject to data processor obligations under the GDPR will need to comply with:
- include specific minimum terms in a written data processing agreement with all SaaS customers;
- keep records of all categories of processing activities that they carry out;
- obtain prior written consent to the subcontracting of any data processing activities;
- notify SaaS customers of any personal data breach without undue delay after becoming aware of it;
- appoint a data protection officer (DPO) in specific circumstances; and
- allow SaaS customers to choose between deletion or return of all personal data.
Fines for Breach
Data subjects will be able to claim damages directly from SaaS suppliers who breach:
- the obligations that the GDPR places specifically on data processors; or
- any lawful instructions of the SaaS customer.
In addition, data protection authorities will be able to fine SaaS suppliers up to 4% of annual global turnover or 20m Euros (whichever is higher) for breaches of the GDPR.
Preparing for Change
The current position with regard to Brexit is unclear and subject to change.
However, all SaaS suppliers supplying SaaS services to SaaS customers located in the EU need to be aware that current UK data protection laws will change on the 25th of May 2018, or following Brexit.
SaaS suppliers who plan to provide SaaS services to individuals located in the EU after the 25th of May 2018 need to take the following action:
- review their existing privacy policies;
- review the terms of existing SaaS agreements;
- create a written data processing agreement;
- review all internal procedures relating to data protection and security; and
- review insurance cover limits and exclusions,
to ensure compliance with the new obligations placed on SaaS suppliers (data processors) under the GDPR.
Irene Bodle is an IT lawyer specialising in SaaS, with over 14 years' experience in dealing with SaaS, cloud computing and IT law issues. If you require assistance with any SaaS agreements, cloud computing concerns or any other IT legal issues please contact me at: