How does the GDPR affect SaaS?

When it comes to in-house systems, the responsibility of being GDPR compliant falls on the individuals of the company. However, if you’re a business or organization that uses SaaS, things may be a little different.

GDPR SaaS example
GDPR + SaaS = WTF?

What Is SaaS?

Along with infrastructure as a service (IaaS) and platform as a service (PaaS), software as a service (SaaS) makes up three of the main cloud computing categories. It is defined as “a software distribution model in which a third-party provider hosts applications and makes them available to customers over the internet.”

A popular delivery model for many business applications, the perks of using SaaS products include removing the costly need for companies to install and run applications on their own computers. Instead, companies simply sign up and pay either a monthly or annual subscription fee that is priced according to usage, which all usually ends up costing less than an enterprise software equivalent.

custom alt tag

Discover the ultimate GDPR-compliant project management tool.
Sign up for free today!

GDPR and Software As a Service

Who is responsible for what?

We’ve all heard about the new personal data regulation coming into force on May 25th, 2018 across the European Union, but what does it mean for businesses and organizations who supply and purchase SaaS products?

When it comes to the new regulations of the GDPR, both SaaS vendors and customers have their own responsibilities to uphold. The GDPR software requirements will vary slightly depending on whether you are the processor or the controller, and just to clarify…

  • Data processor: the cloud provider, SaaS supplier/vendor
  • Data controller: the company, SaaS customer/purchaser

GDPR for SaaS Software Vendors

Under the GDPR, SaaS suppliers face direct obligations relating to data processing activities. They will need to ensure that their product agreements with customers comply with the upcoming data regulations. Failure to do so could result in customers, their customer’s customers, and local data protection authorities imposing breaches against them.

In order to comply, here’s what the agreement needs to include:

  • The data processing’s purpose, nature, and duration.
  • What kind of data is being processed.
  • The responsibilities, requirements, and rights of the customer.

And what the agreement must explain:

  • How the SaaS supplier will assist the customer in complying with its own requirements as a data controller.
  • That personal data must only be processed in accordance with recorded instructions from the customer.
  • Their obligation as the data processor, SaaS suppliers must advise their customers if they believe an instruction of giving personal data to them goes against the GDPR or any other data regulation law.

Other things to note:

  • SaaS suppliers must inform their customers of any breaches of obligations on their part. The breach must be reported as soon as it’s been made aware.
  • Once the SaaS agreement comes to an end, and if there aren’t any mandatory laws that require storage applied, customers are entitled to have the personal data deleted or returned.
  • Transfers of personal data outside the European Economic Area (EEA) can only happen if the SaaS supplier or SaaS customer has implemented safeguards, such as applying EU model clauses or Binding Corporate Rules (BCRs).
  • Along with product agreements, internal policies and procedures must also be amended or updated to comply with the GDPR.

The GDPR for SaaS Customers

Just like the data processors, data controllers are obliged to meet GDPR requirements too. This means being able to demonstrate what processes and procedures have been established to guarantee SaaS data protection and compliance.

While the data processors are responsible for any damages that are the result of poor compliance, controllers are also held accountable for the actions of the processor which means they should always be sure that the SaaS software vendor they go for has a clear history of negligence. So, in order to ensure SaaS customers have gone with the best option, here are some things to look out for when choosing a supplier:

  • Quadruple check the terms and conditions and ensure you fully comprehend the contract you are agreeing to. The service of a lot of SaaS suppliers is set out according to the terms and conditions, and whether or not they are GDPR compliant should be the deal breaker.
  • That the security management systems they have in place for their data meet the government cloud implementation standards.
  • Your rights to have your customers’ stored personal data deleted or returned if that’s been requested.
  • Whether or not said data can be easily located and sent to them in a suitable format.
  • That the data centre that holds the personal data is certified by ISO 27001.

Your key responsibilities as a data controller:

  • Enhancing your security systems so they are sophisticated enough to ensure things such as limited breaches, prevent loss of data, and unauthorized processing operations. Documenting and maintaining data records and security audits are also expected.
  • That employees of your business or organization are aware of the extended digital rights of your consumers which include the ‘right to be forgotten’ and ‘data portability’.
  • To ensure that a process of reporting data breaches is in place. The GDPR includes particular requirements for data breach notifications, so you have to make sure your company knows how to handle them properly.

What we’ve outlined here is only a brief rundown of the steps you should be taking. For more in-depth information and instructions for both processors and controllers, of course, it’s always advisable to visit the home page of the EU GDPR.

Final Thoughts

Although the GDPR is the European Union’s attempt at a harmonized data protection regulation, it doesn’t mean it’s something that only affects businesses and consumers within the continent. Transcending borders, the GDPR holds worldwide consequences which is why it is imperative for anyone involved in the processing or controlling of personal data to demonstrate and maintain compliance.

So, if you’re a data controller, update your product agreements so that they adhere to the new regulations. And for the processors out there, check in with your SaaS suppliers to see if they’ve started taking the appropriate steps towards compliance, and ensure your own team is fully prepared—if you fancied sharing some of your prep tips, then fire away in the comment section below!


Dinnie and the Zenkit Team