SaaS Privacy Policy

May 25th 2018, also known as "GDPR Day" in the tech industry, has long passed.

Many SaaS companies don't realize how many necessary changes and updates they might still need to make to their Privacy Policies in order to be GDPR-compliant.

We'll take a look at a few of the key sections your policy needs if you fall under the scope of the GDPR.

Key Changes

Article 12 of the GDPR states that privacy notices must be "concise, transparent, intelligible and easily accessible, using clear and plain language."

Besides writing it in a clear, plain format, you will also need to make the following changes or additions to your Privacy Policy to ensure full GDPR compliance:

  • Be transparent and detailed in your presentation of which personal data you collect, how you collect it, how you use it and who you share it with.
  • Disclose your legal basis for collecting personal data (e.g. consent).
  • State the contact information of your Data Protection Officer (DPO) if applicable, or of the person in your organization who handles data privacy issues.
  • List the rights of EU residents as they are presented in the GDPR and let users know how you plan to uphold these rights.
  • Disclose your data retention practices.
  • Describe your international data transfer policies, if applicable.

Let's take a look at these points and how your SaaS app Privacy Policy can meet them.

Transparency in Data Collection and Sharing

The word 'transparency' is a key term in the GDPR. Be as open and detailed as possible in the sections of your Privacy Policy that cover the following:

  • What personal data you collect
  • Why you collect the data
  • How you use the data
  • Who you share the data with

Amazon Web Services (AWS) is a great example of how these sections can be covered in a detailed fashion that is also concise and clear:

Amazon Web Services Privacy Policy: Personal Information We Collect clause

To keep this section short and easy to follow, AWS includes each category of information it collects with links to more detailed lists. When a viewer clicks to see more examples of a category, they are taken to a long and detailed account of every type of data that AWS collects:

Amazon Web Services Privacy Policy: Excerpt of Examples of Information Collected list

The same goes for the following clause in the Privacy Policy about how and why personal information is used:

Amazon Web Services Privacy Policy: How We Use Personal Information clause

AWS also follows suit with an itemized list of how the company shares personal data with third parties and why it is necessary to do so:

Amazon Web Services Privacy Policy: How We Share Personal Information clause

Notice that AWS mentions data collected via cookies several times throughout these sections and includes links to its Cookies Notice. It is important to state which information you collect with cookies and to have a Cookie Consent notice on your SaaS app's website.

Legal Basis for Collecting Personal Information

You need to disclose your legal basis (legal grounds) for processing EU consumer data within your Privacy Policy. If your SaaS business is B2C, then your legal basis is probably consent - you request consent from each user to process their data when they access your services and open an account.

If your SaaS is B2B, on the other hand, your legal basis may either be:

  • The fulfillment of a legal contract, or
  • Legitimate interest (the fulfillment of a requested service)

If the client you are working with requests that you process their customer data, you (the data processor) will need to make sure that your client (the data controller) has a valid legal basis for collecting the data that they transfer to you.

Once you have established which legal basis applies to the personal data you collect, disclose that legal basis in your Privacy Policy and comply with the requirements for that legal basis.

For example, if your legal basis is a contract or legitimate interest, you will need a written contract or agreement on record for any personal data you process on those grounds.

Consent

If your legal basis is consent, the situation may be a little more complex. The GDPR dictates that consent will not be deemed valid unless it is informed, unambiguous, explicit, and freely given.

In other words, you must give users full disclosure as to what information you are collecting from them before you collect it and request their explicit consent via a decisive action on their part.

This goes for all personal information, including IP addresses and geolocation data collected with cookies.

Here's how Mailchimp does it by presenting users with a cookies banner upon their arrival at the website for the first time:

MailChimp Cookies notice banner: Updated screenshot 2018

The banner links to a Cookie Settings interface where users are told they can control the use of cookies.

Within this interface, users are informed about what types of information are collected via cookies and how to adjust these cookies consent settings. The Cookies Statement (or Cookies Policy) is also linked here:

MailChimp's Privacy Preference Center with cookies settings

Contact forms that request consent for direct marketing must also be compliant with the GDPR, without implementing any pre-ticked checkboxes. Your users must take a decisive action to provide their consent for direct marketing.

Since Mailchimp provides email marketing services to businesses, their website includes detailed information on setting up contact forms with GDPR-compliant consent methods.

Data Protection Officer Contact Information

If your company has a DPO, list this individual's contact information in your Privacy Policy.

This is how Oracle presents the contact information for their Data Protection Officer:

Oracle Privacy Policy: Contact information for Global Data Protection Officer clause

EU Consumer Rights

Any company dealing with EU consumer data is expected to uphold their rights as stated by the GDPR and communicate those rights in a clear, easy-to-understand format.

This means that you will need to explain to users which rights they are granted under the GDPR and how you will honor the following individual rights:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling
  9. The right to lodge a complaint with EU supervisory authorities

Here is an example of how you can list out these rights and your processes for upholding them:

Mailchimp Privacy Policy: Other Data Protection Rights clause

As you can see, Mailchimp covers each individual right and provides users with instructions or contact information for making such requests. The company also goes above and beyond by providing a link directly to the EU data protection authorities in case a user feels the need to lodge a complaint.

While it's easy to list these rights and your procedures for them in the Privacy Policy, actually upholding them is quite another engineering feat. The 'right to erasure' in particular may require some extensive digging when it comes to years-old data backups.

As a SaaS app owner, you may need to make significant changes in how log data, backups, uploads, and diagnostics data are recorded and stored.

Data Retention

The GDPR lays out two main points on data retention:

  1. Personal information may only be retained for as long as is necessary to fulfill the purpose it was collected for.
  2. Users must be informed of data retention policies.

The GDPR is clear that once personal data is no longer necessary, it must be anonymized or deleted so that any information you have on file can no longer be connected to an individual.

The GDPR is not clear, however, on the exact amount of time personal data may be retained without penalty. Each company has its own definition of what constitutes a "necessary" period of time.

Once you decide which data retention policy will work best for your business model, you can publish the details in your Privacy Policy.

Here's how Oracle details the exact amounts of time they retain customer data for different situations. This is a great example of transparent communication that will leave customers with little doubt about how their own personal information will be retained:

Oracle Privacy Policy: Data retention clause

International Data Transfers

If your business requires transfers of EU consumer information over international borders, you will need to include this clause in your Privacy Policy. For example, if your servers are located in the United States but you transfer customer data to a third-party processor located in Europe, you will be required to maintain specific procedures in order to make the transfer.

The GDPR requires international data transfers of EU user data to comply with EU-U.S. Privacy Shield or similar certified transfer procedures, as well as EU Model Contractual Clauses.

Once you have defined the specific international transfer certifications you will follow, this will need to be stated in your Privacy Policy.

AWS lists their international transfer policy like this:

Amazon Web Services Privacy Policy: Privacy Shield clause

Example of a GDPR-Compliant SaaS App Privacy Policy

Slack has been more than thorough in its efforts to comply with GDPR requirements, going so far as to publish a comprehensive guide about their commitment to GDPR compliance. The Slack Privacy Policy maintains the same level of adherence.

It begins by trying to establish a clear and easily understood format with this explanatory introduction:

Slack Privacy Policy: Introduction clause

The policy includes a linked Table of Contents to help users navigate:

Slack Privacy Policy: Screenshot of table of contents

This is a great way to give users an overview of what's in the Privacy Policy and make it easy to locate specific information.

The policy goes on to describe which information is collected or received about users:

Slack Privacy Policy: Excerpt of Information We Collect and Receive clause

Next, users are informed about how the collected data is used. Slack states its legal basis for processing data as a legitimate interest in this section:

Slack Privacy Policy: How We Use Information clause

The policy also goes into great detail as to why Slack shares personal information and with whom:

Slack Privacy Policy: How We Share and Disclose Information clause

Slack describes how it handles international data transfers and includes resource links:

Slack Privacy Policy: International Data Transfers clause

Here's the Data Retention clause that's short but thorough:

Slack Privacy Policy: Data Retention clause

Users can find short and to-the-point instructions for contacting the DPO:

Slack Privacy Policy: Data Protection Officer contact clause

Slack takes a rather condensed approach to stating EU consumer rights, but since it provides instructions on how to invoke those rights, it is still compliant with the GDPR:

Slack Privacy Policy: Your Rights - GDPR clause

You may note that Slack did not include 'the right to lodge a complaint' in this section. That's because they cover it in more detail within another section:

Slack Privacy Policy: Data Protection Authority clause

As far as GDPR compliance is concerned, Slack has presented its Privacy Policy in a neat, well-organized package that is easy to navigate and understand.

If you'd like another model of an exemplary GDPR Privacy Policy for a SaaS business, take a look at CRM giant Salesforce, another company that has taken GDPR compliance to near-perfect realization.

If your SaaS Privacy Policy doesn't reflect the extent of GDPR updates discussed in this article, you may be in danger of receiving some staggering fines from EU supervisory authorities.