How to Evaluate GDPR Compliance of Your SaaS Stack
Sethu Meenakshisundaram
April 21, 2022
SaaS, along with all its benefits, comes with a lot of risks, especially around data privacy and compliance. In this article, we cover the GDPR compliance challenges that come with SaaS apps and how to address them.
Businesses have a growing dependency on SaaS apps and use many different SaaS tools to function every day. Not having clear visibility of the SaaS apps you use should make you question one thing: how you will mitigate the risks associated with each of these tools.
With this growing dependency, it is important to set up a proper way of working with SaaS vendors that benefits both you and your vendor in the long run and ensures GDPR compliance.
SaaS vendors, aka "processors," can have a lot more power over your company's internal data than you can imagine, and the risks that come with that power are many. The most critical ones are:
SaaS vendors can serve as a point of attack: Attackers could compromise the SaaS provider's IT systems and then use that vendor to attack you.
Data stored in the vendor's cloud can get leaked: Your data may be lost or compromised if the SaaS vendor suffers a breach.
Inadequate access controls: If the SaaS vendor does not maintain adequate access control over its systems, a malicious attacker can cause you harm.
Malicious insiders: Malicious insiders at the SaaS vendor's end can misuse your data for various purposes, such as monetary gain.
The European Union is concerned about the data privacy and security of its people and has implemented General Data Protection Regulation (GDPR) as a result. GDPR harmonizes data protection across all 28 member states of the European Union (EU), including the European Economic Area (EEA).
Introduced in May 2018, GDPR is based on seven key principles, and it is these principles that govern GDPR compliance. Breach of any of the seven principles can lead to severe fines: the maximum penalty is 4% of global turnover or 20 million euros, whichever is higher. In addition to fines, businesses can also face lawsuits from customers whose data they have compromised.
Complying with the GDPR is a minimum precautionary measure to protect customers' personal data and is critical for businesses that use SaaS.
A failure in compliance or risk management at one of your SaaS vendors can expose your company to significant compliance, litigation, and operational risks.
Hence, it is important to ensure that every SaaS vendor you work with, or plan to work with, is GDPR compliant.
Before we move further, let's have a quick look at the terms GDPR uses for a customer, a vendor, and an individual.
Data Controller vs. Data Processor vs. Data Subjects
Controllers and processors both have direct obligations under the GDPR. Controllers have more obligations than processors, such as dealing with and responding to data subject rights and breaches.
GDPR defines a controller as the person who processes personal data and determines the purpose of the processing and the means by which the data is processed. In contrast, a processor is someone who processes personal data on behalf of the controller.
GDPR confirms that processors can only process personal data as required by their contract with the controller. Processors are not permitted to appoint sub-processors without approval from the controller, but they can decide on the non-essential means of processing, i.e. the technical and organizational elements (hardware or software) used.
SaaS vendors are usually both processors and controllers in a B2C setting, whereas in a B2B setting they are processors and the SaaS customers are the controllers. Data subjects are the individuals whose data is collected and processed.
Your SaaS vendors that process the personal data of data subjects (individuals from the EU) are termed "processors"; you, who define how that data is to be processed, are the "controller"; and the individuals whose data you are collecting are your "data subjects." Any action taken with personal data, including storing, transmitting, compiling, deleting, or reviewing it, falls under the purview of "processing."
How Will You Ensure Compliance of Your SaaS With GDPR?
1. Mitigate Vendor Risks Through Proper Contracts
GDPR mandates that businesses have processor due diligence in place.
To ensure GDPR compliance, controllers should only partner with processors who provide sufficient guarantees, backed by strict contracts, that they will implement appropriate technical and security measures to meet GDPR requirements.
Many SaaS contracts, when reviewed, reveal inadequate or missing clauses that Article 28 requires. Understanding the contract elements required for controller-processor relationships is one way to define your processor requirements.
Contractual agreements are critical for managing vendor compliance. Article 28 defines processor requirements, including the requirement for controllers and processors to form a contractual relationship, and specifies the components that must be included in contractual agreements.
2. Establish IT Governance
Have complete visibility of your SaaS inventory at all times: If you keep a regular check on the discovery, management, and organization of your SaaS stack, you will always have a clear picture of what resources you have at hand. Visibility also includes maintaining accurate data on your present vendors, so you know whom you have to deal with. Having proper data can save you more time than you think when keeping up with your SaaS vendors and their compliance measures, among other things. If you still use spreadsheets to manage this data, consider using a SaaS management tool like Zluri to automate SaaS discovery and management for you, completing in minutes tasks that take months if done manually and giving you 100% visibility of your SaaS resources.
Be transparent about your data collection motives: You are the data controller for your data subjects, so have a policy in place to notify your employees as well as clients and customers about the data you are collecting about them and the purpose for which it is collected. You should always have a cookie banner on your site to notify your website visitors of the same, and only collect data with their consent. It is also important to collect only the data that is required, so do not collect unnecessary data.
Establish an inventory of the personal data your organization processes: Creating a list of the personal data your organization stores is the single most important thing you can do to keep your privacy program in check. Your data map will detail the types of personal data you process, the purposes for which you process it, the legal basis on which you process it, whom you share it with, how long you retain it, and what you do with it at the end of its life, as well as how you have secured this entire lifecycle. This oversight of the data lifecycle, from the point of origin to destruction, will prove beneficial. A data map is also used to create Article 30 records, which the GDPR requires of all controllers and processors (you and your SaaS vendor). Records of processing are not the same as your full inventory (they are more of a summary), but you must have the inventory in order to produce those records.
Have technological safeguards in place: Controlling who or what has access to, or uses, resources in the cloud is really important to keep data safe and secure. Both you and your SaaS provider should have sufficient access controls in place to ensure that attackers do not get any opportunity to cause harm. This should include a privileged access management system, zero-trust models, multi-factor authentication, encryption, and remote wipe, to name a few.
Is data protection by design and by default incorporated? Data protection by design simply means ensuring that data protection principles are implemented at the outset of every project. Data protection by default means that your SaaS vendor automatically implements the data protection principles you specify. Having data protection by design and by default can be extremely beneficial when conducting data protection impact assessments (DPIA). You will be in a better position to determine whether or not you require a data protection officer (DPO) or an EU representative, and you will be able to appoint one if necessary.
Perform risk analysis for new or changing business processes: A Data Protection Impact Assessment (DPIA) is a process that systematically identifies and mitigates the risks associated with the processing of high-risk personal data. It is good practice to conduct a DPIA whenever you start a project that involves high risk. A DPIA is also a great way for controllers to define the data responsibilities their SaaS vendors must have in place; such responsibilities are then enforced via contracts. According to the ICO (Information Commissioner's Office), certain circumstances necessitate a DPIA, and Article 35 of the GDPR defines such high-risk cases: for example, if the technology is AI-based, if you process biometric or genetic data, if data collection is based on geolocation or behavioral tracking, or if there is a risk of physical harm to data subjects in the event of a data breach, to mention a few. It is also advisable to conduct a joint DPIA if there are multiple controllers involved in the project.
4. Prepare for Response
Does your SaaS vendor honour data subject rights such as requests for access, portability, or erasure? GDPR grants data subjects the right to have their personal data erased by the controller, and the controller, under the conditions set by the GDPR, is obligated to delete such data upon request without undue delay, within a period of one month. So ensure your SaaS vendor (processor) has such a provision in place. Along with this, you must evaluate what provisions your SaaS provider has to respond to your requests regarding data portability and access.
Breach notification within 72 hours: In the event of a data breach, the controller must notify the authorities within 72 hours unless there is no reasonable risk to the data subjects. In addition, if there is a high risk to the affected data subjects, the data subjects must also be notified. This is a significant undertaking for any organization, as it requires the design and implementation of a comprehensive containment strategy. When you consider that many data breaches are not discovered for weeks, months, or even years after they have occurred, the challenge of identifying data breaches becomes even more significant.
5. Continuous SaaS Monitoring
To ensure your SaaS vendor is living up to the promises they made, it is crucial to audit and review the security controls and compliance measures they have in place at regular intervals.
Examine the access controls and other security protocols that your SaaS provider employs to ensure that they are effective. You want assurance that the protocols in question are effective, and even if the security measures in question do not meet your ideal standards, you can put remediation measures in place at your own end if feasible. Otherwise, you may have to look for a different vendor.
It is essential for SaaS vendors to have adequate safeguards in place for the use, processing, storage, transmission, and destruction of data.
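The checks described in the sections above (an Article 28 contract with the required clauses, controller-approved sub-processors, vendor SLAs that fit inside the one-month data subject deadline and the 72-hour breach window, and a defined retention period for the Article 30 record) can be turned into a repeatable review of the whole SaaS inventory. The Python below is an added example, not code from the article or from Zluri; the clause labels, vendor fields and thresholds are assumptions chosen to match the text.

```python
from dataclasses import dataclass, field
from typing import Optional

DSAR_DEADLINE_DAYS = 30    # article: one month to answer access/erasure requests
BREACH_NOTIFY_HOURS = 72   # article: 72 hours to notify the supervisory authority

# Assumed short labels for the contract elements Article 28(3) requires.
REQUIRED_CLAUSES = {
    "documented_instructions", "confidentiality", "security_measures",
    "sub_processor_approval", "dsar_assistance", "breach_assistance",
    "delete_or_return", "audit_rights",
}

@dataclass
class SaaSVendor:
    name: str
    dpa_signed: bool                                  # Article 28 contract in place
    dpa_clauses: set = field(default_factory=set)
    sub_processors: set = field(default_factory=set)           # used by the vendor
    approved_sub_processors: set = field(default_factory=set)  # approved by you
    dsar_sla_days: Optional[int] = None     # vendor SLA to fulfil subject requests
    breach_sla_hours: Optional[int] = None  # vendor SLA to notify you of a breach
    retention_days: Optional[int] = None    # how long the vendor keeps your data

def evaluate(v: SaaSVendor) -> list:
    """Return the compliance gaps for one vendor (an empty list means none found)."""
    gaps = []
    if not v.dpa_signed:
        gaps.append("no Article 28 processing contract")
    else:
        missing = REQUIRED_CLAUSES - v.dpa_clauses
        if missing:
            gaps.append("contract lacks: " + ", ".join(sorted(missing)))
    unapproved = v.sub_processors - v.approved_sub_processors
    if unapproved:
        gaps.append("unapproved sub-processors: " + ", ".join(sorted(unapproved)))
    # Both clocks run against you, the controller, so the vendor SLA must sit inside them.
    if v.dsar_sla_days is None or v.dsar_sla_days >= DSAR_DEADLINE_DAYS:
        gaps.append("no usable SLA for data subject requests")
    if v.breach_sla_hours is None or v.breach_sla_hours >= BREACH_NOTIFY_HOURS:
        gaps.append("breach notification SLA missing or too slow")
    if v.retention_days is None:
        gaps.append("retention period undefined (needed for Article 30 record)")
    return gaps

def evaluate_stack(vendors: list) -> dict:
    """Map each vendor name to its gaps so the whole SaaS inventory is reviewed at once."""
    return {v.name: evaluate(v) for v in vendors}
```

Feed it the vendor records from your SaaS inventory and any vendor whose list is non-empty is a candidate for contract remediation or replacement.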
How Zluri Can Help
Zluri takes every step to protect your sensitive information against modern-day cyber threats, secure your SaaS environment, and help you stay GDPR compliant.
Zluri can assist customers in fulfilling their obligations as data controllers by:
Providing a platform for discovering, managing, securing, and optimizing SaaS applications.
Keeping you in control of SaaS purchase, renewal, and disposal.
Supporting customers in complying with requests from Data Subjects.
Aggregating applicable personal data for customers replying to requests from Data Subjects.
Replying to investigations and inquiries from supervisory authorities concerning processing activities on behalf of a customer.
Conducting Data Protection Impact Assessments.
Alerting instantly whenever a risky application enters your SaaS stack.
Blocking or terminating such applications to protect your organization from malicious apps and users.
Rather than considering GDPR compliance as a one-time remediation effort, it is critical to view it as an ongoing process. Maintaining GDPR compliance has numerous benefits; it ensures not only regulatory compliance but also drives strategic business outcomes.
At its core, GDPR is all about safeguarding customer privacy, fostering customer trust, and facilitating the expansion of sustainable digital services.
Apart from avoiding regulatory penalties, businesses have a genuine opportunity to improve their reputation with consumers and differentiate themselves.
Sethu is the Co-founder of Zluri. He believes SaaS and APIs will help everyone become a builder. He frequently writes on SaaS management and workplace automation. Before Zluri, he was part of the founding team at KNOLSKAPE, one of the leading corporate learning gamification startups that he helped scale across 30 countries. Other than technology, Sethu is passionate about quizzing, board games, and photography. His retirement plan is to operate a board game bistro in one of the touristy spots of Southeast Asia.