How to Assess if Your SaaS Tools Are GDPR Compliant
The European Union is not messing around when it comes to its General Data Protection Regulation (GDPR) compliance rules, with fines of up to €20 million, or 4% of global turnover for the preceding financial year – whichever is higher. (The largest GDPR fine so far went to Amazon in 2021 – a whopping €746 million.)
To avoid these penalties, businesses need to understand how to properly manage the personal data of their customers (the data subjects). One area in which this is particularly relevant is the software-as-a-service (SaaS) stack: since SaaS tools vary so widely in use case and spend, it’s common for company employees to purchase them without IT approval – increasing the risk of non-compliance with GDPR.
Visibility into the SaaS stack is crucial for any organization, as every tool added creates an additional risk of violating GDPR if customer data is collected or stored improperly. In this article, we’ll cover the basics of GDPR compliance for SaaS companies and how to mitigate risks in the present (your current SaaS stack) and the future (new SaaS tools you purchase).
What is GDPR and how does it affect personal data?
In May 2018, the European Union started enforcing the General Data Protection Regulation, or GDPR, with the aim of providing a single set of data security laws across Europe for customers of SaaS companies.
“The GDPR provides the protocols for how businesses and other organizations handle the information relating to the individuals who interact with them. GDPR also brought in new definitions of personal data, consent types, accountability standards, and the roles involved in decision making, interpreting, and processing the data.” - GDPR EU
While it’s clear that the GDPR affects the 500 million European residents and the businesses that operate within the EU, it also has global implications. Whether a company is located within the EU or not, it must comply with GDPR requirements if it does business with EU citizens. In other words, anyone with an online footprint (e.g., a website) that European citizens can access should understand what GDPR compliance means and what is required to achieve it.
SaaS, GDPR, and the Data Protection Officer
According to GDPR, there are two types of organizations that handle personal data: data controllers and data processors.
A data controller is “a legal or natural person, an agency, a public authority, or any other body who, alone or when joined with others, determines the purposes of any personal data and the means of processing it.”
A data processor is “a legal or a natural person, agency, public authority, or any other body who processes personal data on behalf of a data controller.”
More simply, data controllers decide how personally identifiable information (PII) is managed. Data processors could be SaaS vendors, cloud-based service providers, suppliers outside the main company-customer relationship that still process data, security service providers, and so on.
So, let’s say you’re a company that either operates in the EU or is accessible to EU citizens. If you request and store the personal data of those EU citizens in your SaaS applications, you are responsible for 1) GDPR compliance for SaaS within your own company and 2) ensuring the GDPR compliance of third-party data processors (like your SaaS tools).
Risk mitigation in the present: GDPR compliance for current SaaS apps
For this article, we’ll assume you’ve already done everything you need to ensure that your company, as a data controller, is GDPR compliant. Now, you need to follow three steps to ensure your SaaS stack is compliant as well.
Understand the full scope of your SaaS stack
As mentioned earlier, it’s becoming more and more common for company employees to purchase or use software applications without IT approval. Software that is used without having been approved by IT is referred to as “shadow IT”. Gartner estimates that 30-40% of IT spending in large organizations goes to shadow IT, while Everest Group says it’s over 50%.
If your organization doesn’t have full visibility into all the SaaS services being used, your level of GDPR non-compliance risk is harder to estimate.
Some businesses choose to start this discovery step with a spreadsheet listing all tools, but an online management platform like Sastrify can also give users full visibility into their SaaS stack and control over spend.
Assess compliance with GDPR requirements
Once you have a solid understanding of all SaaS applications in use (including vendor information, price, and contract terms), you can start assessing the data protection practices of each application.
Think through questions such as:
- Which SaaS applications have a legitimate need to store customer personal data, and which are storing it unnecessarily?
- Are all SaaS applications that request and store customer data GDPR compliant?
- Do we need to review the contract or speak with someone at the vendor to confirm GDPR compliance?
- Are there any points of concern that need to be investigated further from a legal standpoint?
Choose your risk mitigation strategies for current SaaS tools
This is where you rate the potential risks and prioritize the most significant ones. Mitigation can take a variety of forms: some SaaS tools may just need to be adjusted, while others may need to be cut out altogether if their vendors aren’t willing to make changes. In the latter case, be sure to confirm that all personal data will be returned or deleted.
Risk mitigation in the future: GDPR compliance for new SaaS purchases
As you look to the future, it’s crucial to set up a framework for assessing SaaS vendors and applications before your company purchases from them. Here are a few steps to get you started:
- Lay out a process for evaluating new SaaS services
If your company doesn’t already have a review process in place for potential new applications, be sure to set one up. Stakeholders like the IT, Finance, Legal, and Compliance teams should have time to request, vet, and approve new tools.
- Ensure proper contract terms with vendors
With many SaaS tools, you can tell from the contract alone that the vendor will be non-compliant (i.e., certain clauses are inadequate or missing). Be sure your company’s legal team reviews all contracts with SaaS vendors and knows what needs to be included for full GDPR compliance.
- Document what happens to private data in each application
If customers make a request regarding their data – for it to be returned or deleted, for example – make sure that the owners of each SaaS service know exactly how to fulfil it for that application.
- Continue to evaluate compliance at set intervals
Unfortunately, GDPR compliance is an ongoing process, and minimizing violation risk is a task that never ends. Decide in advance the intervals at which you will perform future compliance assessments for each SaaS tool. As a rule of thumb, evaluating each application for compliance once every year is a good place to start for your organization.
- Have a data breach plan in place
No one likes to think of the worst-case scenario, but it’s important to be prepared. In the event of a data breach, data controllers are required to notify the authorities within 72 hours unless there is no reasonable risk to the data subjects. Many data breaches go hours, weeks, months, or even years without being discovered, so you need processes ready to identify incidents more quickly.
GDPR compliance for SaaS in a nutshell
GDPR has had an impact on how companies worldwide think about data breaches and security, whether they are located in the European Union or not. Teams who plan ahead and work through the steps laid out in this article will be better prepared to thoroughly evaluate SaaS services, document compliance, and reduce risk in the long term.
Do you now understand the purpose of the General Data Protection Regulation? To learn more about getting full visibility into your company’s SaaS stack, evaluating new tools online, and even handing over contract negotiations with your SaaS vendors, request a demo with one of our Sastrify experts.