The General Data Protection Regulation, or GDPR, compliance deadline is looming. Due to their architecture, SaaS applications are particularly exposed. For the companies around the globe that are involved with SaaS, whether as vendors or as customers, it is essential to understand what it takes to become compliant.
On May 25, 2018, the scope of the former 1995 Data Protection Directive will be expanded to cover more than just domestic companies. Under the new regulation, any company—including foreign companies—that processes EU residents’ data will need to comply. This includes companies that may not have a physical EU presence but rather a global footprint—no matter their size. If an organization collects data of any kind that contains EU citizen information, has EU resident employees, manages a website that uses any technology to monitor EU-based individuals (including cookies), or sells services or products to EU citizens, it must comply with GDPR.
Companies that do not comply can face a fine of either 20 million euros or 4% of global turnover. These are for the larger offenses, though. Smaller offenses can incur fines of either 10 million euros or 2% of the organization’s global turnover. And while better protecting the personal information of citizens and residents of the EU is laudable and necessary, this new regulation puts a significant burden on businesses — especially businesses that rely on SaaS technology.
GDPR Implications For SaaS
Software as a service, one of the three main service models of cloud computing, has gained popularity across all sectors. It allows organizations to avoid the hefty price tag associated with installing and running applications on every device. Instead, businesses pay for what they use through a monthly or yearly subscription. Organizations also gain increased scalability, flexibility, and agility with SaaS. But will these benefits stand up to the GDPR?
The problem is that organizations that rely on SaaS are particularly exposed to the new regulation. The simple fact is that SaaS solutions are so accessible and easy to implement that compliance and IT divisions can lose track of them. An organization’s SaaS stack grows: some of the solutions are tracked and others fall into the background; some are siloed and some are integrated. This makes it difficult to consolidate all of the data, applications, and individual licenses. In the end, most organizations underestimate how many cloud applications they have. While it should be concerning that money is being wasted on underused subscriptions, this monetary waste would likely add up to a few thousand dollars at most. The more significant and more immediate concern is non-compliance with GDPR, which could potentially cost a company millions in fines.
Under the previous data protection directive, TalkTalk was found guilty of security failings in 2016 that gave hackers access to customer data. The company was then given a 450,000 euro fine. Pharmacy2U was found responsible for a similar failure and had to pay a 150,000 euro fine. But these fines are a fraction of what GDPR fines will add up to. The NCC Group recently found that if the GDPR had been in place when TalkTalk was fined, the company would have paid over 65 million euros. Pharmacy2U would likely have been fined around 5 million euros. In general, the existing fines will be 79 times higher under GDPR.
How To Become GDPR Compliant
Under the GDPR, both SaaS customers (i.e., data controllers) and vendors (i.e., data processors) have new duties. SaaS vendors’ primary obligation will be to guarantee that all customer product agreements are in compliance. This means that the agreement should state:
- Customer rights, requirements, and responsibilities.
- The type of data being processed.
- The duration, purpose, and nature of the data processing.
- Whether an instruction concerning the provision of personal data to the customer breaches the GDPR or other data protection laws.
- A clarification that the customer must give recorded instructions in order for personal data to be processed.
- How they will help the customer to comply with their duties to the GDPR.
Additionally, from the vendors’ side:
- The SaaS supplier or customer must implement safeguards for personal data transfers outside of the European Economic Area.
- Customers may have their data returned or deleted if mandatory laws don’t require storage.
- Suppliers are required to report obligation breaches to customers.
In short, SaaS vendors will need to make significant updates to their procedures, internal policies, and product agreements.
GDPR in SaaS Also Means Customers’ Duty
SaaS customers also have a broad set of compliance guidelines. The key to their compliance is the ability to substantiate the procedures and processes that they have put in place in order to ensure the protection of SaaS data. Additionally, customers are responsible for their vendors’ actions — any vendor negligence can fall back on the customer too. To address these two factors, customers should:
- Develop a process for reporting data breaches.
- Provide employee training on consumers’ extended digital rights (i.e., data portability and the “right to be forgotten”).
- Increase the robustness of security systems so that they prevent unauthorized processing operations, loss of data, and breaches. The security systems should also produce better documentation, such as security audits and data records.
- Comprehensively vet vendors by thoroughly scanning contractual terms and conditions for GDPR compliance, ensuring compliance with government cloud implementation standards, verifying the right to have customer data returned or deleted, guaranteeing that the data center used is certified by ISO 27001, and identifying if data can be efficiently and appropriately returned.
This does not mean that SaaS vendors and customers will need to overhaul their current processes and procedures; it simply means that they may need to amend some aspects. One likely amendment is that companies cannot charge a fee for a request for personal information. Another is that organizations will need to comply with user access requests in under a month. Finally, the smaller details need to be attended to (e.g., organizations should no longer pre-fill consent boxes with ‘yes’).
GDPR Will Change the Way that Companies Operate
The changes that GDPR is bringing are broad and deep. Organizations around the world are being forced to make alterations, and many of them are employing consultants to ensure that they are in full compliance. And while it is of the utmost importance for businesses to fall into line quickly, regulatory bodies have stated that they are not out to punish companies with the fines. During the early stages, they will be willing to work with businesses to help them become compliant.
In the long-term, GDPR is going to change the way that SaaS companies operate. Both vendors and customers will need to remain continuously cognizant of their processes and systems. They will need to ensure that any updates or changes they make, whether to SaaS products or in their operations, are compliant with the new regulation. Additionally, the vendor-customer relationship will change, with customers demanding more accountability from vendors. Eventually, though, GDPR compliance will become second nature, as long as companies embrace the changes that they need to make.