When it comes to GDPR, look to SaaS vendors to be proactive
The EU’s General Data Protection Regulation (GDPR) is expected to be the most impactful personal privacy regulation on the books.
One of the really interesting things about GDPR is its ripple effects. Organizations are responsible for their own compliance AND the compliance of any entity they do business with. It’s a great way to drive adoption, by requiring that each company hold accountable all the participants in their ecosystem.
Because of the 1994 Data Directive and its compliance requirements, the work needed for EU member states to comply with GDPR is likely lower than their American counterparts. And it’s expected that worldwide, organizations are (and will likely stay) behind in their compliance efforts. A 2017 Gartner report on GDPR estimates that over half of affected companies will be out of compliance with GDPR.
If your business is already taking steps toward internal GDPR compliance, kudos to you. But remember: there’s the matter of external GDPR compliance as well. Count your SaaS vendors among the many entities you work with that must comply with GDPR. And even though many businesses (SaaS or otherwise) are still working towards their own GDPR compliance, you can get an early idea of how they stack up.
Look for these indicators that your SaaS partners will be ready for GDPR compliance go-time:
They are open about making GDPR compliance a priority.
In order to comply with GDPR, and continue the existing relationships with their customers who comply with GDPR, businesses have to make the information easily accessible. Salesforce, Slack, and HubSpot all provide dedicated areas of their website that explain what they are doing to comply with GDPR. The content may be focused more on helping customers with GDPR, or on its own compliance – depending on the SaaS platform in question.
Even if they aren’t GDPR compliant yet, they share what they’ve done so far.
As you start to look for GDPR documentation available from SaaS platforms, you might find dedicated portions of their website like Salesforce, Slack, and HubSpot. But not every SaaS company is as large and has as many resources as those three. They may be working on GDPR compliance without making their public efforts as rigorous.
If that happens, dig a little deeper. Look for other methods of online validation. Your SaaS partner could be addressing GDPR and talking about it online in a less structured way. Bazaarvoice posted an account of their plans to comply with GDPR on their corporate blog.
ProsperWorks offers some limited GDPR compliance details in their customer knowledgebase.
And PipeDrive takes a multi-pronged approach, with security updates leading to GDPR on their blog and guidance on GDPR compliance using their email tracking feature in their support center.
Organizations don’t need a fully baked GDPR compliance plan to let customers know they are working towards a goal.
If your search yields zero results, reach out directly.
Running a quick Google search for “SaaS vendor name + GDPR” should easily yield a result similar to those shown above. If it doesn’t, don’t worry – just get in touch quickly. Connect with your SaaS account rep via email, use the online chat function, or do it the old-fashioned way and pick up the phone. There may be work underway already with no public announcement. The more inquiries from individual customers, the more likely your SaaS partner will be to make that information available.
And if the SaaS vendor can’t provide any details on GDPR compliance processes, or hasn’t started working on it yet, consider your options. Remember that under GDPR, your business can be penalized for the non-compliance of your business partners as well. Is it worth it to take that risk? What other SaaS platforms can provide the same or a similar service while maintaining GDPR compliance? Start answering these questions if you don’t get the results you’re looking for today.
Want to learn more about how to evaluate your GDPR risk? Join this new on-demand webinar — or contact us for a free risk assessment: