Ask HN: GDPR compliance for a systems-oriented SaaS
* user email addresses (for signing in, and for password reset links)
* optionally, billing address
* it uses a third party service for recurring payments (Braintree). My service does not store users' credit card details but Braintree of course has to
The service does not use any analytics scripts. It currently only has generic Terms of Service and Privacy Policy documents, generated online by answering yes/no questions and paying $20 or so for each.
For a SaaS service like mine, what are the minimum required things to be GDPR compliant? Are there walkthroughs, templates or recommended services for preparing GDPR-related documentation?
I'm sure many SaaS tools / services are in similar situation as mine, and I'm sure many have already figured this out. Looking for friendly advice!
2 comments
[ 4.5 ms ] story [ 14.7 ms ] threadThe minimum requirements for SaaS would be:
- Having a Privacy Policy. Among other things, specific identify the Data Controller (you), inform users of their rights (there are 8 rights under GDPR), whether you transfer data internationally (EU>US), and others.
- Getting active consent from users. Under GDPR, you must request a "clear, unambiguous affirmative consent" from users. The "clickwrap" method of design might be good to follow.
We shared a quick "GPDR Compliance Plan" video on YouTube a while ago that might be useful: https://www.youtube.com/watch?v=K2F9HEhTpSg