Some advice needed please!

DanSano

Free Member
Apr 16, 2018
Hey everyone,

I'm Dan and I work for a small SaaS (Software as a service) business and we are explicitly Business to Business.

I've been tasked with getting to grips with everything GDPR, and although I think we're nearly there, I've come up against a couple of hurdles I was hoping someone may be able to advise on.

We host around 200 websites on our platform as part of the SaaS offering; these websites allow users to generate and 'order' documents. These websites are fully managed by our customers; we just host them.

My issue is: what definition does this data fall under? It's general usernames, passwords, names, addresses, phone numbers, emails, etc., but we have no control over this data or whether it remains relevant or not. This data is all stored in a database (separate for each site); there are also other data sources such as user account lists, etc., but again, we don't have any control over this data. (Well, we can view/delete it, but that's not something that would happen. Passwords are encrypted.)

Sorry if that's a bit vague, I'm not 100% sure myself!

I look forward to any replies and offer my thanks in advance.

Cheers,
Dan

James Rae

Free Member
Mar 31, 2018
UK
The word 'minefield' comes to mind, so I always go to the source and thoroughly digest the information provided by whoever will regulate an area of concern... I'm pretty sure that if you can access other companies' data, they must acknowledge that under their registration and declare your access, which I'm guessing will be a tough pill to take. Start at the ICO and work outwards, as there are many blogs to absorb and develop a clearer understanding... There will be bigger organisations who have researched the challenges of GDPR, and many will gladly impart their findings to others.

Simon Plummer

Free Member
In this case it looks like your clients are the data controller and you are a processor acting on their behalf. You referenced personal data being collected (names, addresses, etc.), so this is within scope of the GDPR. Ultimately they should be asking you for assurance that you meet the requirements that THEY set. I am not seeing this across the board; I am guessing that this is because they don't realise either!

Essentially you should send out a communication asking for their requirements. If there is no response (of which you will see a lot, I expect), then you need to create a contract addendum to ensure the contractual requirements are in place. Again, I would expect the controllers to initiate this; however, as a processor you have your own obligations to meet. Ultimately, if they don't guide you on their requirements, lawful basis for processing, etc., you should (by rights) stop processing the data, i.e. delete it! You know your customers, so you will understand the best approach. Kick it off with a comms first of all and gauge the response.

Oh, and don't forget privacy statements: they should provide you with the copy they want on their site (this isn't up to the host to complete; I am seeing this a lot too).

Hope this helps!