Europe and the UK offer many growth opportunities for SaaS companies looking to expand beyond their home territories, with large consumer markets and robust B2B (business-to-business) and B2C (business-to-consumer) sectors.
However, successful expansion into the EU and UK isn’t as simple as understanding local market dynamics and selling to customers. The need to comply with complex regulations can be a significant hurdle. This includes not only industry-specific regulations, such as those in financial services and life sciences, but also broad-reaching ones that encompass consumer data protection rights for all industries.
As privacy legislation is constantly evolving, it is important that you stay updated with the latest guidelines and remember that data protection compliance is not a one-time task, but an ongoing commitment.
Here, we look at the key factors that SaaS businesses need to address to ensure compliance with EU and UK data protection laws. There are certain differences between the EU GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) and the UK GDPR (the EU GDPR as retained in UK law when the Brexit transition period ended on 1 January 2021, supplemented by the Data Protection Act 2018), but for the purposes of our discussion we use GDPR as a collective term.
The fundamental purpose of the GDPR is to protect individuals’ privacy and data protection rights.
What this means for SaaS platforms: if you process the personal data (information relating to an identified or identifiable natural person) of EU and/or UK residents, you must comply with the GDPR's 7 principles set out in Article 5: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
Before any personal data can be collected, you need to identify and document a lawful basis: the legal justification for processing someone's personal data.
Under the GDPR (Article 6), there are 6 lawful bases: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task carried out in the public interest or in the exercise of official authority, and legitimate interests.
The most appropriate lawful basis will depend on the specific purpose of the data collection and can vary with the industry sector and type of processing.
Example: An automated payroll SaaS platform processes personal data such as employee bank details and tax identification numbers. In the usual arrangement the employer is the controller and the platform is its processor, so the employer chooses and documents the lawful basis and the platform processes only on the employer's documented instructions under an Article 28 contract. Legitimate interests (one of the six lawful bases, which must be relied on in line with the 'lawfulness, fairness and transparency' principle) is sometimes cited for payroll, but it requires a documented three-part test: identify the interest (timely payment of salaries), show that the processing is necessary for it, and balance it against the employees' rights and reasonable expectations. In many cases performance of the employment contract, or compliance with a legal obligation for tax reporting, will be the more natural fit, so consider those first.
You need to make the right decision about your lawful basis from the start, as it is difficult to swap to a different one later on.
To demonstrate compliance with the GDPR, you must have certain contracts, agreements and documents in place.
Contracts and agreements provide clarity and certainty for both businesses and customers by setting out the specific terms and conditions of processing personal data.
Here are some of the documents you should prepare, and some of the contracts you may need:
Privacy policies and notices (the documents that explain to data subjects how their data is processed; the privacy notice is what a website visitor usually sees)
Mandatory data processing clauses (the controller-processor terms required by Article 28 in any contract under which a processor handles personal data on a controller's behalf)
Data Sharing Agreement (a written agreement between data controllers that defines the purpose and lawfulness of the sharing and sets the roles and standards for processing, for example requirements around security, re-use and further sharing)
Transfer Agreement (TA), covering the movement of personal data from one controller to another or from one jurisdiction to another
Records of Processing Activities (RoPA), as required by Article 30
This list is by no means exhaustive, and there are other important documents you should have in place, including a data breach policy and a data retention policy. Data retention refers to the period for which records are kept and when they should be destroyed; under the GDPR it is a key element of the storage limitation principle, which states that personal data must not be kept for longer than necessary for the purposes for which it is processed. A Data Protection Officer (DPO) can advise you on the details of these documents, according to your business's specific circumstances.
A Data Protection Impact Assessment (DPIA) is a formal documented assessment which allows decision-makers to identify, manage and mitigate the data protection risks associated with a project, and an important tool in helping to demonstrate GDPR compliance. The assessment is used to analyse, identify and minimise the data protection risks of a project or data processing activity.
DPIAs are mandatory (Article 35) where processing is likely to result in a high risk to individuals, for example large-scale processing of special category data: the types of personal data listed in Article 9(1) that are considered sensitive and require extra protection, namely data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data used for unique identification, data concerning health, and data concerning a person's sex life or sexual orientation.
Example: A SaaS platform offers a Healthcare Management system that processes health records and genetic data. This type of data is considered sensitive and high-risk. In the event of a breach, the impact to individuals could be significantly higher than other types of data due to the sensitive nature of the information. Therefore, a DPIA is a mandatory requirement.
But even when a DPIA isn’t explicitly required by the GDPR, it is a beneficial process. DPIAs can help you to identify and reduce your data protection risks, embedding best-practice data protection processes into the business right from the start.
The GDPR imposes strict restrictions on the transfer of personal data outside the European Economic Area (EEA) and the UK. If you export personal data from these territories to other countries (known as 'third countries'), you must ensure that appropriate safeguards are in place: the GDPR principles must continue to be adhered to while the data is in the third country, data subjects' rights must be respected, and data subjects must have access to redress if they are not.
A few countries have been awarded what is called ‘adequacy’, which means their data protection laws are ‘essentially equivalent’ to those of the EU and/or UK and do not require the use of additional safeguards or permissions.
European Commission’s latest adequacy decisions
UK Information Commissioner’s Office adequacy regulations
A TIA and a TRA are similar types of data transfer risk assessments. TIAs are used for EU personal data transfers, and TRAs are the UK’s equivalent.
EU Transfer Impact Assessment (TIA) – For transfers of EU personal data from the European Economic Area (EEA) to third countries (countries outside the EEA) that have no adequacy decision, when relying on Standard Contractual Clauses (SCCs: Commission-approved contractual terms that provide appropriate safeguards for transfers from the EEA to third countries) or Binding Corporate Rules (BCRs: approved data protection policies that allow a group of undertakings or enterprises to transfer personal data outside the EEA within the group, provided both sender and receiver are bound by them).
Organisations making restricted transfers of UK personal data can choose to carry out an EU-style TIA instead of the ICO's TRA; the ICO accepts either approach, and a single TIA may be simpler for organisations exporting the same data under both regimes. You still need to establish whether the personal data in question falls within the scope of the EU GDPR, the UK GDPR or both, and use the assessment appropriate to each.
UK Transfer Risk Assessment (TRA) – For 'restricted transfers' of personal data from the UK to countries without UK adequacy regulations, when relying on the International Data Transfer Agreement (IDTA), the UK Addendum to the EU SCCs (an additional document that modifies the EU SCCs so that they work under the UK GDPR, without replacing their original text), or UK BCRs. The IDTA and the Addendum came into force on 21 March 2022 and replaced the old EU SCCs as the UK's contractual transfer mechanism.
If a country has been awarded adequacy, a TIA or TRA is not required.
Article 49 of the GDPR provides several exceptions, called derogations, that allow a transfer to a third country without an adequacy decision or an Article 46 safeguard such as SCCs, and therefore without a TIA or TRA. These derogations are for specific situations and are not intended to be used regularly or as a standard method of transfer.
Here are a couple of examples of the most common derogations:
The data subject has explicitly consented to the proposed transfer after being informed of the possible risks arising from the absence of an adequacy decision and appropriate safeguards (Article 49(1)(a)).
The transfer is necessary for the performance of a contract between the data subject and the controller, or to implement pre-contractual measures taken at the data subject's request (Article 49(1)(b)).
Depending on your specific business activities, you will probably need to also comply with the EU and UK’s regulations regarding electronic marketing communications and online tracking.
The EU’s ePrivacy Directive (Directive 2002/58/EC) was adopted in 2002. Often referred to as the ‘cookie law’ (it was the first piece of EU legislation to regulate the use of cookies and similar digital trackers, which record a visitor’s movement on a website and remember their behaviour and preferences), it also includes rules about marketing calls, emails, texts and faxes, and directory listings. Any business engaging in these marketing methods, or in the digital tracking of EU customers, must comply with the ePrivacy Directive as implemented in each member state’s national law.
Example: A FinTech company (FinTech: software and technologies used to automate and improve financial services) based in China provides an online platform for peer-to-peer lending. Wanting to expand into EU markets, it runs advertising campaigns and tracks the online behaviour of potential customers. Because it offers services to, and monitors the behaviour of, individuals in the EU, the EU GDPR applies to it under Article 3(2) even though it has no EU establishment, and so does the ePrivacy Directive. The company must therefore comply with the 7 principles of the GDPR, safeguard the confidentiality of communications for its EU users, and comply with the rules on tracking and monitoring. Any non-essential cookies or similar trackers (for example analytics and advertising cookies, whether set by the company itself or by third parties) may only be set after the user has opted in; only cookies strictly necessary to deliver a service the user has requested are exempt from consent.
Note: At the time of writing, the European Parliament and the Council of the European Union are negotiating the proposed ePrivacy Regulation, which is intended to replace the ePrivacy Directive. The new regulation proposes a broader scope with stricter rules for businesses, particularly those operating online. Check the current status of the proposal before relying on it.
The UK’s Privacy and Electronic Communications Regulations (PECR) are the UK implementation of the ePrivacy Directive (Directive 2002/58/EC). They give UK residents specific privacy rights regarding marketing calls, emails, texts and faxes; cookies and similar technologies; the security of communication services; and customer privacy in relation to traffic and location data, billing, line identification and caller directories.
The best way to achieve and maintain compliance with EU and UK data protection laws is to appoint a Data Protection Officer (DPO).
DPOs have in-depth knowledge and experience of the various requirements your business needs for compliance with the GDPR and electronic communications laws.
For some businesses, appointing a DPO is not only advisable but also a mandatory requirement. Article 37 of the GDPR states that a DPO is required if:
the processing is carried out by a public authority or body (except courts acting in their judicial capacity);
your core activities consist of processing operations which, by their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or
your core activities consist of large-scale processing of special category data (Article 9) or of personal data relating to criminal convictions and offences (Article 10).
However, many businesses choose to appoint a DPO even when it isn’t a legal requirement.
Building a data protection culture within your business is the best way to proactively maintain the trust of your customers and stakeholders. And it will also strengthen your reputation.
Businesses that fall within the scope of the GDPR under Article 3(2) but have no establishment in the EU or UK must appoint an Article 27 Representative, unless the processing is occasional, does not include large-scale processing of special category or criminal offence data, and is unlikely to result in a risk to individuals. If you are looking to expand into both markets, you will need a UK GDPR Representative AND an EU GDPR Representative, because each regime requires a representative established in its own territory.
A GDPR Representative acts as the point of contact for supervisory authorities and for data subjects wishing to exercise their rights under the GDPR. These rights include the right to access their personal data, the right to rectify inaccurate data, the right to erasure (a qualified right, subject to exemptions), the right to restrict processing, the right to data portability, and the right to object to processing.
Any businesses planning on marketing to EU and UK individuals must comply with the EU GDPR, the UK GDPR, the ePrivacy Directive, and PECR.
Maintaining a strong reputation for data protection also builds trust with customers and stakeholders, which is an essential foundation for commercial success.
The best way to achieve and maintain compliance is to appoint a Data Protection Officer (DPO).
A DPO has the expertise and knowledge to help you navigate the myriad of regulations and requirements. They can help you draft the necessary contracts and agreements you will need, as well as manage international data transfers, and keep you up to date on any jurisdictional changes.
If your company does not have a local office in the EU or UK, you will also need to appoint an EU or UK GDPR Representative, or both.
If you need help with your GDPR compliance or are thinking about outsourced data protection services, The DPO Centre can help. We have worked with over 850 organisations globally and have one of the largest teams of expert DPOs available.