From analytics tools to double authentication and compliance management software — SaaS (software as a service) has become an integral part of modern business operations.
However, with the rise of SaaS solutions comes an increased risk of non-compliance with the General Data Protection Regulation (GDPR). GDPR compliance is mandatory for any company operating within the EU, or any company that collects, processes, or stores personal data of EU citizens.
Compliance with GDPR is especially critical for procurement processes as they involve the collection and processing of a lot of personal data. Even if a company already is compliant with GDPR, it still needs to pay attention to working with suppliers who are not, as it can be held accountable for their data processing.
In this article, we'll discuss the most important steps to control GDPR compliance (in the procurement process) and how to minimize risks when managing GDPR compliance in your SaaS stack.
What is GDPR and the effect on personal data?
Before diving into the best practices, it's essential to understand the GDPR's basic principles. The GDPR outlines strict rules on how businesses should collect, process, record, and delete personal data.
In May 2018, the European Union started enforcing the General Data Protection Regulation, or GDPR, with the aim of providing a single set of data security laws across Europe for customers of SaaS companies.
“The GDPR provides the protocols for how businesses and other organizations handle the information relating to the individuals who interact with them. GDPR also brought in new definitions of personal data, consent types, accountability standards, and the roles involved in decision making, interpreting, and processing the data.” - GDPR EU
While it’s clear that the GDPR impacts the 500 million European residents and the businesses who operate in the country on a legal basis, it also has global implications. Whether a company is located within the EU or not, they must be compliant with GDPR requirements if they do business with an EU citizen.
In other words, anyone with an online footprint (e.g., a website) that European citizens can access should be aware of being GDPR compliant and the terms to achieve that.
SaaS, GDPR, and the Data Protection Officer
According to GDPR, there are two types of organizations who handle security data: data controllers and data processors:
A data controller is “a legal or natural person, an agency, a public authority, or any other body who, alone or when joined with others, determines the purposes of any personal data and the means of processing it.”
A data processor is “a legal or a natural person, agency, public authority, or any other body who processes personal data on behalf of a data controller.”
More simply, data controllers determine the management of personally identifiable information (PII). Data processors could be SaaS vendors, cloud-based service providers, suppliers who are outside the main company-customer relationship but still process data, security, and so on.
So, let’s say you’re a company who either operates in the EU or is accessible to EU citizens. If you request and store the private data of those EU citizens in your SaaS applications, you are responsible for 1) the GDPR compliance for SaaS in your company and 2) ensuring GDPR compliance of third-party data processors (like your SaaS tools).
Risk mitigation in the present: GDPR compliance for SaaS applications
For this article, we’ll assume you’ve already done everything you need to assure your company, as a data controller, is GDPR compliant. Now, you need to follow three steps to ensure your SaaS stack is compliant as well.
Step #1: Understand the full scope of your SaaS stack
As mentioned earlier, it’s becoming more and more common for company employees to purchase or use software applications without IT approval. When software service is used but has not been approved, it’s referred to as “shadow IT”. Gartner estimates that 30-40% of IT spending in large organizations goes to shadow IT, while Everest Group says it’s over 50%.
If your organization doesn’t have full visibility into all the SaaS services being used, your level of GDPR risk for non-compliance is harder to estimate.
Some businesses choose to start this discovery step with a spreadsheet listing all tools, but an online management platform like Sastrify can also give users full visibility into their SaaS stack and control over spend.
Step #2: Assess your compliance with GDPR requirements
Once users have a solid understanding of all SaaS applications (including company information, price, and contract terms), they could start assessing the data security quality of each application.
Think through questions such as:
- Which SaaS applications have a legitimate need to store customer security data and which are storing it unnecessarily?
- Are all SaaS applications that request and store customer data GDPR compliant?
- Is it important to review the contract or speak with someone at the company to ensure GDPR compliance?
- Are there any points of concern that need to be investigated further on a legal basis?
Step #3: Choose your risk mitigation strategies for your SaaS tools
This is where we rate the potential threats and prioritize the most significant. This could come in a variety of forms: some SaaS tools may just need to be adjusted, while others may need to be cut out altogether if their owners aren’t willing to make changes. In these cases, be sure to confirm that all security data will be returned or deleted.
Risk mitigation in the future: GDPR compliance for new SaaS purchases
As you look to the future, it’s crucial to set up a framework for assessing SaaS vendors and applications before your company purchases from them. Here are a few steps to get you started:
- Lay out a process for evaluating new SaaS services
If your company doesn’t have a review process in place for potential new applications already, be sure to set one up. Stakeholders like IT, Finance, Legal basis, and Compliance teams should have time to request, vet, and approve new tools.
- Ensure proper contract terms with vendors
With many SaaS tools, users could tell from the contract that they will be non-compliant (i.e. certain clauses are inadequate or missing). Be sure your company legal team reviews all contracts with SaaS vendors and knows what needs to be included for full GDPR compliance.
- Document what happens to private data in each application
If customers request something regarding their data – for it to be returned or deleted, for example – make sure that the owners of SaaS services know exactly how to do this for each application.
- Continue to evaluate compliance at set intervals
Unfortunately, GDPR compliance is an ongoing process, and minimizing violation risk is a task software users must work on forever. Decide in advance the intervals at which you will perform future assessments of compliance for each SaaS tool. As a rule of thumb, evaluating each application for compliance once every year is a good place to start for your organization.
- Have a data breach plan in place
No one likes to think of the worst case scenario, but it’s important to be prepared. In the event of a data breach, data controllers are required to notify the authorities within 72 hours unless there is no reasonable risk to the data subjects. Many data breaches go hours, weeks, months, or even years without being discovered, so software users need processes ready to identify issues more quickly.
Best practices for ensuring GDPR compliance in your procurement process
Non-compliance with GDPR can result in heavy fines, which can be as high as 20 million EUR or 4% of a company's total global revenue.
To ensure complete compliance with GDPR, buying businesses (who are usually the data controllers) must be accountable for the personal data they process, whether they do it themselves or through a third party. This is what they should do:
1. Conduct a data audit
A data audit is a crucial first step in GDPR compliance. It helps identify the personal data processed by your SaaS stack, where it's stored, and who has access to it. This information is then used to assess the risks associated with data processing and identify areas where GDPR compliance may be lacking.
2. Update your website's cookie consent banner
To comply with GDPR, the text in the banner needs to be written in plain language that's easy to understand and must offer an opt-out button for those who don't want to give permission.
3. Manage data access and encryption (data mapping)
Managing data access is an important part of GDPR compliance. Data mapping involves identifying the personal data collected and processed during the procurement process.
This includes identifying where the data is collected, who has access to it, and where it is stored. Access to personal data should be restricted to authorized personnel only. It's also important to ensure that all data is encrypted both in transit and at rest to protect it from unauthorized access.
4. Manage vendor relationships
One of the most significant risks associated with procurement is the use of third-party vendors. Vendors may have access to personal data and may process it on behalf of the organization. Therefore, it is important to ensure that vendors are GDPR compliant. This means conducting due diligence on the vendor's data protection practices, including ensuring that they have appropriate data protection policies and procedures in place, and that they are legally compliant with the GDPR.
5. Implement GDPR-compliant contracts: DPAs
It's essential to have GDPR-compliant contracts in place with all SaaS vendors to ensure that they are processing personal data in compliance with the GDPR.
Signing a Data Processing Agreement (DPA) with any parties acting as data processors on behalf of a business is a crucial step towards achieving GDPR compliance in procurement. The DPA is a legally binding contract that outlines the responsibilities and obligations of both the data controller and the data processor concerning the protection of personal data. The DPA specifies the purpose, duration, and nature of the data processing, and also outlines the security measures that must be in place to protect the personal data.
6. Train employees on GDPR compliance
Training employees on GDPR compliance is critical to ensure that everyone in your organization understands the importance of GDPR compliance and their role in achieving it. Employees should be trained on the basic principles of the GDPR, the rights of data subjects, and the risks associated with data processing.
Nowadays, the majority of companies are relying on 360° data protection systems which include e-learning solutions that offer their employees the ability to train themselves on GDPR according to their availability.
7. Perform regular GDPR compliance audits
Regular GDPR compliance audits help ensure that your SaaS stack remains compliant with GDPR regulations. These audits should be conducted at least annually and should assess whether the SaaS stack is processing personal data in compliance with GDPR regulations.
8. Conduct a Data Protection Impact Assessment (DPIA)
If your data processing is connected to a higher risk which is the case e.g. if you work with video surveillance, the following step is crucial for you:
Performing a risk assessment helps identify the risks associated with data processing in your SaaS stack. It's important to identify and evaluate any potential risks, such as data breaches or unauthorized access to personal data. This includes identifying where the data is collected, who has access to it, and where it is stored. Access to personal data should be restricted to authorized personnel only. It's also important to ensure that all data is encrypted both in transit and at rest to protect it from unauthorized access.
A DPIA is a mandatory process that helps organizations to identify the risks associated with processing personal data when the processing might result in high risks for the rights and freedoms of the data subject. It's a service that involves identifying the type of data being processed, the purpose of processing, and the potential risks to individuals' privacy rights. A DPIA might need to be conducted before a new procurement project involving personal data processing begins. It is essential to identify any potential privacy risks before starting the procurement process to ensure that these risks are minimized or eliminated and to assess if a Data Protection Impact Assessment in the terms of Art. 35 of the GDPR is required.
Required Security Levels and Protection Measures for GDPR-Compliant Software
In our data-dependent world, ensuring robust and consistent protection measures are in place is not just a legal obligation — it's also an essential part of trust-building with customers and stakeholders.
1. Two-Factor Authentication Requirements for Data Access
As one of the primary lines of defense against unauthorized access to sensitive data, Two-Factor Authentication (2FA) adds an extra layer of security beyond just a username and password. For example, an additional security question or the use of biometrics can be the second factor that ensures only authorized personnel have access.
GDPR highlights 2FA as a security measure software developers need to integrate into their systems. The 2FA process involves complex programming languages and technologies, requiring software engineers' expertise to effectively implement.
2. Data Encryption Requirements for Storage and Transmission
Encryption of data, both at rest and in transit, is a necessary part of GDPR compliance. This includes the encryption of emails and any other transmission that involves contact details like an email address.
Data stored on cloud servers or databases also needs to be encrypted to protect it from potential breaches. Failing to encrypt data could lead to unauthorized access, which is not just a bad idea but also a violation of GDPR's security policies.
3. Privacy by Design and Privacy by Default Principles in Software Development Projects
The GDPR's Privacy by Design and Privacy by Default principles provide a guide for software development companies to create GDPR-compliant software with protection in mind. The idea is to consider privacy during every phase of the development process.
Privacy by Design calls for incorporating data protection principles into the system from the onset, rather than as an afterthought. Privacy by Default requires that systems should default to the highest level of privacy, such as not collecting unnecessary data or limiting third-party access.
4. Protection Impact Assessments to Identify Potential Risks to Data Subjects' Rights
Protection Impact Assessments (PIAs) are another critical requirement of the GDPR. Before processing personal data that could pose high risks to individuals' rights and freedoms, software developers should perform a PIA.
The analysis helps in the early identification of potential issues, such as those related to third-party services. Regular assessments provide a proactive approach to data protection, ensuring compliance with GDPR requirements and securing the trust of users.
GDPR compliance is essential for any organization that processes personal data, including SaaS vendors.
But adhering to GDPR's stringent requirements can be a challenge, particularly for businesses new to data privacy regulations. Seeking GDPR consulting services can be an effective solution for ensuring compliance, especially when navigating these essential security measures. This way, businesses can focus on their core competencies while having the peace of mind that they are respecting their customers' data privacy rights.
By following these best practices, you can ensure that your SaaS stack is GDPR compliant, protecting the privacy rights of your customers and avoiding heavy fines. Always remember to:
- Conduct a data audit
- Perform a risk assessment
- Implement GDPR-compliant contracts
- Manage data access and encryption
- Ensure data portability and deletion
- Train employees on GDPR compliance
- Perform regular GDPR compliance audits
*This post is in collaboration with HeyData . Established in 2020, heyData is a leading compliance start-up headquartered in Berlin. Their all-in-one platform solution helps small and medium-sized enterprises as well as start-ups manage their data protection and compliance requirements.