Understanding GDPR: Key Compliance Strategies for Software Companies


Overview

As technology evolves, and with burgeoning markets in artificial intelligence, software companies are not only in the position of needing to comply with GDPR themselves but are also pivotal in the design and operation of products or services that allow their customers to achieve GDPR compliance – understanding and smoothing the compliance path for customers can set a software company apart from the competition, fortifying its position within the marketplace.  This article suggests key GDPR compliance strategies.

A software company that has been operating in Europe for some time should, by now, have a well-established GDPR compliance programme in place. But it's important to keep this programme under review – perhaps to address new challenges posed by innovative new products (for example, the data protection challenges presented by AI) or perhaps because of expansion into new markets. If, on the other hand, you are a software start-up, getting your data protection compliance programme up and running quickly is crucial to success. Whether as a reminder of what to refresh, or to provide some pointers on where to begin, this briefing looks at some key strategies for complying with the GDPR.

The basics: what’s personal data and who needs to comply with the GDPR?

The GDPR only applies to personal data - data relating to a living individual who is identified or identifiable from it. The diagram above sets out just a few examples of personal data.

Following Brexit, businesses which operate in both the UK and the EU have two data protection regimes to consider. As a software development or technology company, you may cater to an international or global customer base. In addition to complying with the UK's version of GDPR, "UK GDPR", UK businesses will need to comply with the EU GDPR if:

  • the company has an operating office within the EU, which processes personal data as part of its own activities; or

  • the company doesn't have an office in the EU, but it processes personal data of individuals in the EU either to sell products and services in the EU or to monitor individuals' behaviour (e.g. through cookies and such like).

(In this briefing we refer to "GDPR" to refer to the EU GDPR and the UK GDPR, as applicable).

Are you a UK software business expanding into the EU?

As you expand your business in Europe, here are some key considerations to bear in mind:

  • Currently, the UK and EU data protection regimes are very similar, although they may diverge in the future. The approach taken by privacy regulators in the UK and in the EU member states can, however, be different, even where they are applying the same rules. Keeping on top of the local law position and regulatory approach adds a further layer of complexity. In those member states where your data subjects reside, check, for example, for variances in data breach notification requirements or requirements to appoint a data protection officer, to avoid falling foul of EU practices or interpretations of GDPR requirements which differ from those of the UK. Any such variances should be worked into the business' internal response plans and privacy policies.

  • Consider if you are able to benefit from the "one stop shop" which allows EU establishments to have their cross-border data protection issues in the EU handled by one data protection authority acting as a lead data protection authority. Without an establishment in the EU which can clearly be shown to be a "main" or "single" establishment, or indeed without any physical presence in the EU, UK businesses must deal with a supervisory authority in each member state in which they are active, so it would be prudent to ensure you are familiar with the reach of your potential operations from a GDPR perspective.

  • Appoint an EU representative (under Article 27 of EU GDPR) if you are processing personal data of EU data subjects within the scope of the GDPR and are doing so from the UK or another base outside the EU, unless one of the narrow exemptions applies (for example, processing that is only occasional, does not involve special category data on a large scale and is unlikely to result in a risk to individuals) – and update your privacy policies/data collection notices with this information, to make sure that you are complying with your transparency obligations in this regard.

The extent of a software company's obligations under the GDPR will depend on whether it is acting as a data controller or as a data processor. A data controller determines the purposes and means of processing personal data, whereas a data processor acts only on behalf of a data controller and in accordance with the controller's documented instructions. A software company will be a data controller for some activities, such as the processing of the personal data of its staff, customer contacts and its own marketing activities, but when it stores or has access to the personal data of its customers' customers, staff or contacts (e.g. it provides a SaaS solution and hosts its customers' data, or has access to personal data when providing support and maintenance services) it is likely to be acting as a data processor. While most obligations under the GDPR apply directly only to data controllers, data processors also have direct obligations under the legislation, including implementing appropriate security measures to protect the personal data they process, keeping records of their processing activities, notifying the controller of personal data breaches and engaging sub-processors only with the controller's authorisation, and they face potential regulatory action and compensation claims from data subjects for breach of those obligations. They will also have contractual responsibilities to their data controller.

There are many requirements to comply with under the GDPR regime as illustrated by the diagram below.  A deep dive into each of them is beyond the scope of this briefing. Instead, we have prepared a list of practical steps and compliance strategies that you can take.

Compliance Strategies

1. Internal Procedures

There are a number of ways for software companies to ensure compliance with UK and EU GDPR requirements as part of their day-to-day internal procedures:

  • Product and service design – data controllers have a general obligation to implement appropriate technical and organisational measures to show that they have integrated the principles of data protection into their processing activities, known as "privacy by design and by default". There are numerous aspects to this – ensuring that product designs provide end-to-end security for personal data, support transparency and data minimisation requirements, and support the exercise of data subjects' rights, to name a few. A software company may be directly responsible for ensuring "privacy by design", e.g. in relation to its use of personal data to train an AI system that it is developing. But often the GDPR "privacy by design" responsibility is borne by its customers. Nevertheless, "privacy by design" will factor into a customer's choice of product and they may seek contractual protection from the software company in this regard, so it is worth baking these considerations into your product and service design processes.

  • Data mapping – when building software and training AI, it is important to identify what types of personal data will be collected and used. You also need to understand how and when personal data is collected from customers, staff and other contacts and how that data is then processed. You should consider whether the company needs all the data that it is holding to make sure only required data is collected and held. The rationale for data collection and storage should be regularly reviewed. 

  • Policies – you should regularly review and update existing policies (e.g., your privacy policy, data protection policy and cookies policy). Any changes to the policies should be communicated and explained to staff to make sure the policies are correctly implemented and used.

    You should also have clear policies as to IT and information security to protect against unauthorised access, loss or damage to personal data and have the capability to restore data in a timely manner with provision for regular review of such policies.

  • Training – you should offer training to individuals handling personal data as part of their role and make sure that individuals are aware of the company's obligations under the data protection legislation. A standard process for dealing with customer complaints as to the use of their personal data should be developed and included as part of the staff training.

  • Further protections – you should have written rules regarding data protection impact assessments. Any "high risk" processing should be identified and followed up with a data protection impact assessment if required.

    You should also consider whether you need a Data Protection Officer ("DPO"). Appointment is mandatory where the core activities of the company involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special category (sensitive) data or criminal offence data. Most software businesses won't need to appoint one, but it needs analysis on a case-by-case basis.

2. Your Relationship with the data subject

  • Privacy notices – you must provide privacy notices in a concise, transparent and easily accessible form to enhance transparency for individuals. GDPR specifies which information should be included in privacy notices and these should be regularly reviewed and updated.

  • Consent - when you rely on data subjects' consent (and it is a common misconception that a data subject's consent is always required – there may be another lawful basis for processing), consent must be based on a clear affirmative action and be freely given, specific, informed and unambiguous. You need to ensure that you obtain, maintain and are able to demonstrate valid consent.

    There are additional, specific rules around consent in relation to direct marketing, marketing communications and cookies and these areas are fertile territory for enforcement action by regulators. 

  • Notification of personal data breach – in the event of a personal data breach a data controller must notify the data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk to individuals, the controller must inform the affected data subjects as well. Specific local law notification requirements may also apply. A data processor is instead obliged to notify its data controller without undue delay, rather than the regulator. Because the 72-hour clock starts when the controller becomes aware, a useful step for software companies is to build breach detection and alerting into the product so that suspected breaches are surfaced to the customer immediately, and to agree in the contract how quickly and in what form the processor will report an incident to the controller.

  • Data subject rights – individuals have rights with respect to their personal data such as rights of access, correction, erasure, and the right to object to the processing of personal data. You need to make sure that you are able to respond to those individual rights if requested.

    Two specific rights to be aware of are the right to erasure (the "right to be forgotten") and the right to data portability. To support them, the software should be able to locate all of an individual's personal data across its data stores, delete it on request, and provide it to the individual in a structured, commonly used and machine-readable format so that it can be transferred to another service provider.
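As an added illustration of the erasure and portability point above (this is example code written for this briefing, not software from the firm or any product it describes), the sketch below keys every record of personal data by a subject identifier so that one lookup finds all of it, exports it as JSON for portability, and erases it with a follow-up check that nothing was missed. The store names, field names and sample records are constructed stand-ins for real databases, caches and search indexes.

```python
"""Added example (not from the article): per-subject isolation of personal data
so that a product can serve portability (export) and erasure requests.
The in-memory stores and sample records are constructed stand-ins for real
databases, caches and search indexes."""
import json
from datetime import datetime, timezone


class SubjectDataRegistry:
    """Every record of personal data is keyed by a subject_id, whatever store it
    lives in, so a single lookup can find all of it for one individual."""

    def __init__(self):
        self.stores = {}  # store name -> list of dict records

    def add(self, store, record):
        if "subject_id" not in record:
            raise ValueError("personal data must carry a subject_id so it can be located later")
        self.stores.setdefault(store, []).append(record)

    def locate(self, subject_id):
        """Return {store: [records]} for one subject; stores with no hits are omitted."""
        hits = {}
        for name, records in self.stores.items():
            matched = [r for r in records if r["subject_id"] == subject_id]
            if matched:
                hits[name] = matched
        return hits

    def export(self, subject_id):
        """Portability: hand the subject their data in a structured, commonly used,
        machine-readable format (JSON here)."""
        payload = {
            "subject_id": subject_id,
            "exported_at": datetime.now(timezone.utc).isoformat(),
            "data": self.locate(subject_id),
        }
        return json.dumps(payload, indent=2, sort_keys=True, default=str)

    def erase(self, subject_id):
        """Erasure: remove every record for the subject from every store, then
        re-run the lookup to prove nothing was missed. Returns counts per store."""
        removed = {}
        for name, records in self.stores.items():
            before = len(records)
            records[:] = [r for r in records if r["subject_id"] != subject_id]
            if before - len(records):
                removed[name] = before - len(records)
        leftover = self.locate(subject_id)
        if leftover:
            raise RuntimeError(f"erasure incomplete, records remain in: {sorted(leftover)}")
        return removed


def build_sample_registry():
    """Constructed sample data standing in for a SaaS tenant's stores (hypothetical)."""
    reg = SubjectDataRegistry()
    reg.add("accounts", {"subject_id": "u-1001", "email": "alice@example.com", "name": "Alice"})
    reg.add("accounts", {"subject_id": "u-1002", "email": "bob@example.com", "name": "Bob"})
    reg.add("support_tickets", {"subject_id": "u-1001", "ticket": 42, "body": "Cannot log in"})
    reg.add("audit_log", {"subject_id": "u-1001", "event": "login", "ip": "203.0.113.7"})
    reg.add("audit_log", {"subject_id": "u-1002", "event": "login", "ip": "203.0.113.9"})
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    print(reg.export("u-1001"))
    print("erased:", reg.erase("u-1001"))
    print("remaining for u-1001:", reg.locate("u-1001"))
```

The design point is the single key: if personal data is only findable by searching free-text fields, neither export nor deletion can be shown to be complete. In a real product the same lookup has to reach caches, search indexes, backups and any sub-processors holding copies, and the erasure routine should record what was removed and when so that the response to the data subject can be evidenced.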

3. Your Relationship with data processors / third parties

  • Where you are sharing data with third parties you may need to carry out due diligence on your suppliers, to satisfy yourselves that they are compliant (where you would be liable under GDPR if they are not).

  • GDPR requires specific terms to be included in contracts between controllers and processors (Article 28), such as the processor acting only on documented instructions, applying appropriate security measures, assisting the controller with data subject requests and breach notifications, and deleting or returning the data at the end of the engagement. You should have a process in place to make sure that any new contracts that the company is considering entering into with third parties are drafted and negotiated to include appropriate data protection clauses.

  • Under GDPR there is a general prohibition on data transfers to countries outside of the EEA that do not provide an "adequate" level of data protection, subject to certain exemptions. The UK and the EU have each approved the other as providing adequate protection to allow personal data to flow freely between the UK and the EEA. However, for other international transfers, a valid transfer mechanism will be required, along with a transfer risk assessment - one such mechanism involves entering into the standard contractual clauses issued by the European Commission and, in the case of transfers subject to UK GDPR, supplemented by the addendum issued by the UK Information Commissioner's Office (or using the ICO's own International Data Transfer Agreement). You should ensure that such clauses are included in contracts under which you are making international transfers of data, where appropriate.

What's the price of getting it wrong?

The sanctions for non-compliance are substantial. Under EU GDPR, the maximum fines are up to €20 million or 4% of a company's total worldwide annual turnover, whichever is higher (under UK GDPR, £17.5 million or 4%). On 22 May 2023, Meta received a GDPR fine of €1.2 billion, surpassing the earlier record held by Amazon, which faced a penalty of €746 million in 2021. Non-compliance could also lead to compensation claims from data subjects and contractual claims for damages under contracts with controllers. The longer-term impact on your business and reputation could eclipse other losses.

Get in touch

The Technology & Commercial Transactions team at Travers Smith has considerable expertise and experience in advising businesses on data protection compliance. Please feel free to get in touch.


Louisa Chambers
Helen Reddish