At DoubleDutch, we’ve had the good fortune of diving deep into GDPR requirements very early in the process. Within our customer base are many European-based corporations and multinationals that care deeply about GDPR compliance, and who have thought hard about the impact of GDPR as it relates to working with SaaS companies.
During the last six months or so, we have had hundreds of conversations with customers and prospects, large and small, on the topic of GDPR compliance. Based on these conversations, a handful of key learnings seem to be taking shape.
Here is our best shot at distilling these learnings down to a few bullets on what GDPR means for SaaS vendors.
GDPR is Not Just a Europe Thing
I remember taking a class on international law many years ago where the punchline went something like this: “There is no such thing as international law.” With a few exceptions like treaties and trade agreements, laws are the work of individual nations, and those that say otherwise are kidding themselves.
But GDPR may be a bit of a different beast. GDPR is proving to have long tentacles as multinationals come to terms with the gravity of slipping up, as well as the complexity of having two sets of operating rules: one for EMEA, and one for everywhere else. The infographic below, from Digital Compliance Hub, lays out some of the key changes in an easy-to-digest manner.
Image Source: Digital Compliance Hub
Many of our multinational customers have decided to hold themselves to GDPR standards globally. It’s just too hard for these companies to have different processes, employee trainings, and products depending on the market they are working within. Also, markets are more fluid than you would think. GDPR’s territorial scope turns on where the data subject is and where the processing is established, not on citizenship, so a question like “what are your obligations when a German citizen traveling to the US signs into your software?” has no clean answer, and a single global standard sidesteps it.
So, Europe may have just put its privacy imprint on the globe. For more on the “long tentacles” of GDPR, see this piece on Politico.
The net is this: if you are a SaaS company and you want to do business with enterprise-level, multinational customers, in Europe or elsewhere, you had better get tight on GDPR.
The Uncertainty Around GDPR is Legitimately Scary
With maximum fines of 4% of global annual revenue or 20M Euros (whichever is higher), the cost of slipping up is very high, and corporate buyers of software are on edge. If DoubleDutch customers are representative, most enterprise software buyers have understandably decided to tread very lightly and take a very conservative reading of the law until they start to understand how it will be enforced.
And the reality is that nobody really knows how GDPR is going to be enforced. I recently heard about a case of a large European software buyer getting really stressed when they saw that their software vendor was using Zendesk for customer support. Did this mean that Zendesk had access to end user PII? Under GDPR, a vendor like that is a sub-processor: the processor that engages it needs the controller’s authorization and a contract that flows down the same data-protection obligations, and the controller is entitled to know it is there. The chain of SaaS vendors using SaaS vendors, who in turn use more SaaS vendors, makes it really tricky to keep track of who has access to what data, which, I guess, is the whole point of GDPR.
Things are likely going to be messy and slow for a while as enforcers of the law figure out how to put GDPR into practice, and as data processors and data controllers figure out what the law means in practice.
Brexit Adds Complexity to GDPR
With the UK soon to depart from the European Union, SaaS companies that host their data in the UK may need to find another answer in order to do business in Europe: unless the UK receives an adequacy decision after it leaves, transfers of personal data from the EU to the UK fall under the same rules as transfers to any other third country. This adds another layer to the race to comply with GDPR, as SaaS companies look for cloud vendors that can hold up to increased scrutiny and are established in mainland Europe.
In the Near Term, the Going May Be Rough
SaaS companies will likely face near term scrutiny, longer deal cycles, and increased operating costs. Because GDPR is all about regulating who has access to what data, SaaS companies, by definition, are at the center of the storm.
What will the impact of GDPR be on SaaS companies? Here are a few:
The business case for startups outside of EMEA to enter that market just got more expensive
The business case for startups to move up to serve enterprise-level, multinational customers just got more expensive
The explosion of security and privacy review requests received by SaaS companies in 2017-18 as part of the enterprise sales process is likely to grow still further, causing deal cycles to lengthen and operating costs to increase
According to a study by HubSpot Research, 90% of consumers in the UK, Ireland, Germany, Austria, and Switzerland feel that GDPR is good for consumers, and we feel that way too. Clear policies and laws around the acceptable use of end-user data by software companies are a long-term win for SaaS companies. If consumers trust that their data won’t be abused, they are more likely to use software without fear of data misuse.
However, in the short term, expect to see operating costs go up for SaaS companies as buyers adjust to the new regulations.