SaaS and GDPR Compliance

SaaS and GDPR Compliance

More and more businesses are using SaaS (software-as-a-service) and it’s easy to see why. Delivering countless benefits to modern businesses, such software gives them greater agility, flexibility, scalability as well as saving them significant amounts of money. They’re simple to use and take very little maintenance compared to on-premise solutions.

However, with the forthcoming introduction of GDPR, it’s important for organisations who are heavily reliant on SaaS to assess just how GDPR will impact them and take the steps necessary to comply with it. Many medium and large businesses utilise a lot of SaaS solutions, using some a lot, using some a little and often not using some at all despite paying for licenses and subscriptions. The forthcoming introduction of GDPR is a great time to gain a clear understanding of what SaaS solutions you are using and whether they are compliant with GDPR.

What is GDPR?

The EU’s General Data Protection Regulation (GDPR) is the result of many years work by the European Union. Many countries in the European Union are relying on data protection laws that are out-of-date. The UK for example relies on the Data Protection Act 1998 which was enacted following the 1995 EU Data Protection Directive. The internet was in its infancy in the late 1990s and the ways that we use the internet and how our data is used has transformed since this time. Consider how so many of the things that are integral to our lives did not even exist in the late 1990s. Google, Facebook, Twitter, Instagram the list goes on. Digital payments have been transformed, most of us bank online and digital marketing is a multi-billion dollar industry. Therefore, the legislation that is designed to regulate how data is used, stored and processed is simply not fit-for-purpose because it is attempting to deal with technology that didn’t even exist when it was introduced.

Why is GDPR so important?

GDPR is being introduced to bring Europe’s data protection laws up to data and is driven by two main concerns. Firstly, the EU wants to give people more control over how their personal data is used. By having more stringent regulations as well as tougher enforcement measures, it hopes to improve trust in the emerging digital economy.

Secondly, the EU wants the new General Data Protection Regulations to help businesses by giving them a simpler and clearer legal environment in which to operate. Prior to GDPR, data protection laws varied across Europe, so having one single set of regulations is estimated to save business a collective €2.3 billion a year.

Who does GDPR apply to?

The GDPR will apply to any company organisation that controls or processes the data of any citizen in the European Union. Even if the organisation in question is based outside of the European Union, the GDPR will still apply to them if they control or process data of at least one European Union resident.

Non-compliance with GDPR

Organisations that don’t comply with the General Data Protection Regulations and follow basic principles for processing data then fines can be issued. These can be up to €20 million or 4% of the organisation’s global annual turnover, whichever is greater.

SaaS and GDPR compliance

There are four steps that all organisations should take to ensure SaaS GDPR compliance:

  1. Realise that SaaS GDPR compliance (and GDPR compliance) isn’t just an IT issue. Other departments must be educated on its impact such as marketing, HR, procurement, compliance and legal. Having a cross-departmental approach is vital to help identify any potential issues and identify what SaaS applications are being used across the organisation.
  2. Understand what GDPR is and communicate this across the company to all employees. This should include what everyone’s rights and responsibilities are, especially in the case of a data breach. There are some very good resources on the internet, but perhaps the best place to start is the EU’s GDPR website.
  3. Undertake a comprehensive review of all existing data protection compliance processes in the context of GDPR. Begin taking action on the most serious areas where you may not be complaint and compile a track record of compliance to ensure that you have an audit trail and plan to demonstrate to any future courts or regulators that you are taking the regulations seriously.
  4. Evaluate your current SaaS solutions and check that they provide the controls and clarity that are important for GDPR compliance.

Thankfully, because GDPR is such a big issue and one that will affect companies across the world, SaaS software providers are ensuring that their products comply with GDPR legislation. However, it’s still important that all organisations do their own due diligence because if they are found not to be compliant with GDPR and a data breach does occur, then the consequences could be disastrous, both in terms of fines and reputation.