The EU General Data Protection Regulation (GDPR) took effect on May 25, 2018. GDPR is the most significant piece of legislation on data protection to date, and this new regulation broadly affects all organizations, government agencies, and companies throughout the world that collect or use personal data tied to EU residents. The GDPR strengthens privacy rights of individuals by requiring organization who receive and process personal data to comply with stricter regulations, significantly expanding an individual rights over their data, and providing increased transparency into the nature, purpose, and use of data.
AppointmentPlus’ Commitment to Data Protection and GDPR Compliance
As an enthusiastic advocate of the power and customer-centricity of the cloud technology and SaaS community, AppointmentPlus understands the importance of putting data protection and privacy in the hands of the individual. As with other data protection laws, GDPR compliance requires commitment from both AppointmentPlus and our customers. AppointmentPlus is in full compliance with the GDPR as of May 25, 2018, and is providing the functionality necessary for AppointmentPlus customers to comply with the GDPR's requirement for consent. AppointmentPlus is currently carefully examining the required provisions of the GDPR, and are continuing to monitor the GDPR guidance issued by regulatory authorities. To read more about our commitment, you may check out our GDPR Fact Sheet.
Which Organizations are Affected by the GDPR?
Any entity that collects, processes or stores personal information about EU citizens within EU states must comply with the GDPR, despite whether or not they have an EU business presence.
Specific criteria for organizations that fall under the GDPR legislation:
- A presence in an EU country.
- No presence in the EU, but it processes personal data of European residents.
- More than 250 employees.
- Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional or includes certain types of sensitive personal data.
The GDPR defines ‘personal data’ as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Essential GDPR Requirements for SaaS Customers
The GDPR will change how organizations collect data, as well as how they obtain, document, and manage processing on a legal basis. Here are nine critical GDPR requirements for SaaS customers to consider in their GDPR readiness:
- Data Protection by Design and Default: Controllers and Processors must incorporate data protection into new products and services that involve processing of personal data (Design) and consider data protection issues in all business decisions (Default).
- The GDPR defines 'controller' as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”
- The GDPR defines 'processor' as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
- Lawfulness of Processing: Processing must be based on consent, the performance of a contract, legal obligation, protection of vital interests, tasks carried out in the public interest, or legitimate interest balanced against the fundamental rights of data subjects.
- Controller-Processor Relationships: Controller and Processor relationships must be governed by binding contracts that set the terms of the processing to be performed and provide Controllers the right to object to Sub-Processors engaged by the Processors.
- Security of Processing: Controllers and Processors shall implement appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.
- Conditions for Consent: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by explicit affirmative action.
- Data Protection Officer: Controllers and Processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or large scale processing of particular categories of data must appoint a Data Protection Officer.
- Data Subject Rights & Information: Controllers shall provide the information outlined in Articles 13 & 14 to Data Subjects, and Data Subjects may access, correct, delete, restrict processing of, and transfer their data, as well as object to automated decision-making based on their personal data.
- Data Inventory: Controllers and Processors must create centralized repositories containing records of processing activities carried out on personal data.
- Data Protection Impact Assessments: Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons before processing Controllers must carry out assessments of the impact of the envisaged processing operations on the protection of personal data.
To learn more about the GDPR, visit the EU GDPR webpage.