I have seen a lot of FUD on GDPR and Compliance recently, and a lot of non European firms paying lip service to offering GDPR compliance solutions, and when you take a deeper look, those claims fall down pretty easily.
To that end I pulled together the five questions I think you should be asking your existing, or proposed, SaaS software vendor with regards to GDPR Compliance:
- If they are dealing with data on your behalf you should insist upon a Data Processing Agreement. If you don’t get offered one by default it should be a red flag.
- Where are they storing data? If you are an EU company, is it outside of the EU? Do they adhere to the EU-US Privacy Shield? Is the data stored in a country that is supported under GDPR legislation and/or has the necessary binding agreements?
- What GDPR compliance features exist in their product? Are they ‘real’? Do they really help you with your GDPR responsibilities? Are they clear on what they do with your data?
- Does their product have features in place that you can use to protect your data? An example could be enabling you to provide your own keys for data encryption.
- Does your vendor keep track of “who” did “what”, or do you have to do this yourself? Can you easily get to an audit log of activity? Article 30 “Records of Processing” outlines how data processors and controllers need to be able to show “how” and “when” data was processed and be able to prove it.
My talented team worked very hard on building practical solutions into the File Fabric to provide these types of protections for a company's unstructured data, whether it is stored in the EU or outside of the EU. As the CEO of a UK based company I’m very aware of compliance, how it affects us as a company and how it affects our customers. The world has changed. Now every company needs to think like a bank when it comes to protecting data.