From the 25th of May 2018 the EU General Data Protection Regulation (GDPR) will come into force and change UK data protection law. The GDPR will place further, more onerous obligations on SaaS customers (data controllers) in relation to all data processing. SaaS customers need to amend the terms of their existing SaaS agreements and privacy policies and implement the changes into internal policies and procedures in order to comply with the upcoming changes in UK data protection law.
Data Subject Rights
Data subjects will have more extensive rights to access, rectify and object to the storage and processing of their personal data. New rights to delete, restrict processing, rights in relation to profiling and the right to data portability will be introduced. SaaS customers will also be required to provide a lot more information to data subjects about processing activities than in the past, i.e. in their privacy policies.
Data subjects will be able to take direct action against SaaS customers and claim damages resulting from breaches by SaaS customers of their obligations under the GDPR.
In addition, data protection authorities will be able to fine SaaS customers up to 4% of annual global turnover for some breaches.
Preparing for the Changes
SaaS customers should review the terms of their existing SaaS agreements and privacy policies to ensure that they comply with the new rules before the GDPR comes into force.
SaaS customers should ensure that existing and future agreements with any subcontractors (data processors) impose the same data processing obligations on further subcontractors (sub-processors), as the SaaS customer could be liable to the data subject for any breaches of the new rules caused by any subcontractors.
SaaS customers should ensure their insurance cover and the terms of their SaaS agreement with all SaaS suppliers include indemnities and limitations on liability relating to personal data that are sufficient to cover the higher level of fines and claims made directly by data subjects.
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me: