SaaS and the GDPR: How the market and supplier terms are adapting
An overview on how the GDPR is affecting customer and supplier perspectives in relation to SaaS contract negotiations.
How will the General Data Protection Regulation affect SaaS suppliers?
From a SaaS supplier perspective, data processors become directly regulated (and face an enforcement threat) as well as having obligations under their contracts with their customers.
From a SaaS customer perspective, the General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR), results in a greater administrative burden (part of which relates to contracts with data processors) and, similarly, a greater enforcement threat.
At the date of this article, the GDPR has been in final form for over 18 months and most organisations are now in the final phases of their GDPR preparations before it enters into force on 25 May 2018. Therefore now is an appropriate time to reflect on the major legal issues affecting SaaS deals, take stock of how the market has moved and look ahead to what we can expect in the future.
What major new legal issues will arise for SaaS suppliers?
First and foremost, unlike under the EU Data Protection Directive 95/46/EC, data processors have obligations under the GDPR. These obligations relate to areas such as data security and personal data breach notification (see Articles 32-33), obligations in relation to Data Protection Officers (see Articles 37-39) and transfers of personal data outside of the EEA (see Articles 44-50). While more limited obligations apply to data processors than to data controllers, they still result in a new enforcement threat.
In the light of these direct obligations, SaaS suppliers have, in common with clients from other sectors, been engaging in audits of their personal data processing activities over the past 12-18 months with a view to developing a detailed understanding of how the GDPR impacts those activities.
For the most part, in relation to the personal data which SaaS suppliers process in their provision of SaaS solutions, they will be acting as data processors. Understandably they will also act as data controllers in relation to the data processing activities relating to their employees and in relation to their marketing to customer personnel and prospects.
For many SaaS suppliers, the most labour-intensive aspect of GDPR compliance over the coming months will relate to their engagement with their customers on the changes required to their contracts.
What will the impact be on data processor contracts?
While the Data Protection Directive imposed certain limited requirements on data controllers in relation to their contracts with data processors, the GDPR expands on these requirements significantly (see Article 28).
The most significant areas of change from a supplier perspective relate to:
- restrictions on the appointment of sub-processors (Article 28(2), (3)(d) and (4))
- audit rights (Article 28(3)(h)), and
- obligations to provide information and provide other compliance support (Article 28(3)(h)).
While SaaS suppliers acknowledge that their contracts need to address these points in some form, there can be significant debates on the level of "control" which they are prepared to offer their customers (although one would expect SaaS suppliers to offer limited or no flexibility in the context of lower value and more commoditised arrangements).
Taking sub-processing as an example, a typical starting supplier perspective can be to obtain a general consent to appointing sub-processors, whereas a typical starting customer perspective can be to require that sub-processors may only be appointed with its specific consent.
The debates on the provision of information and compliance support often take a different route, and focus on the practicalities of compliance, which are typically driven by SaaS supplier questions such as: Who will provide the information/support? And who will pay for it?
While the GDPR envisages that standard form "approved codes of conduct" (see Article 28(5)) and "standard contractual clauses" (see Articles 28(7) and (8)) could be available in the future, in their absence organisations are understandably pushing on with contract remediation processes to reflect the new GDPR requirements and the tensions summarised above play out in those negotiations.
Equally, while there is usually a pragmatic balance to be struck between the parties’ interests, the outcome of these debates will frequently depend on their respective bargaining power. With some industries still at a relatively early stage of cloud services adoption, winning a contract with a customer which defines its sector (and which others may therefore follow) can be a significant determining factor in relation to this.
What strategy are suppliers taking in relation to contract changes?
Strategically, over the past six months or so we have seen a number of larger SaaS suppliers seek to "get on the front foot" by creating their own GDPR terms (and sending them to existing customers as contract addenda). While this is not a surefire approach to avoiding customer debate, if changes are presented in a user-friendly way, allowing SaaS customers to match GDPR requirements to contract wording, it can be effective.
What debates are being had around liability?
The GDPR has also resulted in a significant impact on the parties’ position relating to the level of liability which applies to data protection breaches (although, again, one would expect to see limited or no flexibility from suppliers in the context of lower value and more commoditised arrangements).
In the light of potential fines of €20m or 4% of annual worldwide turnover, whichever is greater, SaaS customers frequently start from the perspective that the supplier’s liability should be uncapped, and that it should be entitled to recover any categories of loss that may arise. In other words, no exclusions of loss should apply.
From a SaaS supplier perspective, there is something of a "double whammy" in the form of both requests of this nature and the threat of direct enforcement action for GDPR breaches. Also, the concept of "risk vs reward" still forms an important part of the debate on caps. The availability of appropriate insurance can be another important associated consideration.
In terms of exclusions of loss, we would expect there to be a level of debate which drills down into specific scenarios and the types of loss which should and should not be recoverable. These debates frequently cover regulatory fines and the compensation which may be due to data subjects, among other topics.
Is there anything else lawyers should be aware of?
SaaS customers should also consider:
- carrying out pre-contractual due diligence in relation to SaaS deals, covering (among other points) hosting locations and security measures, and
- whether the notices given to, and consents obtained from, individuals whose personal data will be stored in the SaaS solutions are sufficient or require updating in the light of the GDPR.
Additionally, SaaS customers should be aware that data protection laws outside the EU may apply, depending on factors including where the recipients of the SaaS solution are based.
While standard form clauses and codes of conduct may in due course streamline discussions between SaaS suppliers and SaaS customers, for the time being we are expecting a significant level of debate between them in the light of the points highlighted above.
The best approach for lawyers on either side of the debate is to develop a detailed understanding of the GDPR (and other data protection) requirements that apply as well as of their clients’ risk appetites.