GDPR Compliance For SaaS Platform Owners

Last updated on 02 September 2019 by Elizabeth Clinen
GDPR Compliance For SaaS Platform Owners

Software as a Service (or SaaS for short) is an increasingly popular form of delivering online applications to consumers. It's a highly successful business model, but there is often some confusion about SaaS, especially when it comes to privacy and compliance.

This article will detail the particulars behind the General Data Protection Regulation (GDPR) for business owners running and/or operating a SaaS platform.

We will discuss who the GDPR applies to and highlight the key sections of the GDPR that relate to your SaaS.

But first, let's go deeper into what SaaS is and why privacy regulations are so important for them.


An Overview of Software as a Service

Software programs used to be purchased outright, whether as a digital or tangible copy, and downloaded directly to a device. With the rise of cloud computing (of which SaaS is a subset), it became popular for program developers to instead create a cloud-based service and charge users a subscription fee for their usage of the service.

This newer business model allowed customers to access the service through various devices rather than one allocated device. It also minimized the overhead costs for companies, as it removed the need for on-site hardware installation and maintenance.

The subscription-based feature (usually paid in a month-by-month or pay-as-you-go format) meant that customers could budget their costs better, as well as customize their own experience by selecting which features and services they'd prefer to use.

Furthermore, the ability to simply install and apply any service updates, rather than purchasing new software, has made software much more user-friendly.

Some popular examples of SaaS are Microsoft Office 365, Google Apps, Amazon Web Services, Dropbox and even Netflix.

However, these benefits have also given rise to a whole new host of issues that can be experienced by both SaaS users and developers, especially when it comes to security and privacy.

The main security concern about the use of online software - for both consumers and companies - relates to the trust that is required between all parties.

As a business using SaaS, you're entrusting a third-party provider with your business processes, confidential client and company data and all manner of important information.

The likely requirements of different staff members having varying levels of access can also create confusion, and as such you must ensure that only authorized employees can view any sensitive data.

What's more, it's important to be aware that any SaaS provider has complete ownership and management of the cloud system - including your client and customer data.

As both a business owner and SaaS customer, you still have control over the services you use and the data you collect, so it's important to be up to date on all the privacy legislation necessary, to make sure all the data collected from your customers remains protected.

Though there are some similarities between original software programs and SaaS, the considerations for privacy are quite different.

This difference stems from the fact that, as a SaaS platform owner, your customers aren't necessarily making a copy of your software and installing it on their own device, but they are acquiring the rights and permissions to access it as a service instead.

So, how can you ensure you're able to fully protect all your collected customer data? By following the GDPR.

The General Data Protection Regulation (GDPR)

The GDPR came into effect on the 25th of May, 2018.

This legislation was designed by the European Parliament back in 2016 when the European Union recognized the importance of data protection for its citizens, especially as we see the changes that technology has made in our lives.

The EU was able to see that, as these changes have occurred, they had to review the legislation initially in place and make the appropriate changes.

This previously in-place legislation was known as the 1995 Data Protection Directive (officially known as Directive 95/46/EC) and aimed to protect individuals and the processing of their personal data.

Even though the 1995 Data Protection Directive was effective at the time, as the Internet grew and technology became more and more advanced, it was apparent that the legislation would soon grow outdated and ineffective.

Regardless of this growing ineffectiveness, the EU has always been seen to have high standards of data protection, and the GDPR only serves to concretize that standard.

So for all businesses it applies to, it's essential that you are aware of the requirements, and are in complete compliance with them.

Key Sections Of The GDPR:

  • Increase in the Territorial Scope

The GDPR has widened its reach by including international companies that collect data from any citizen in any EU member state. This increase in reach will affect organizations founded within the EU, as well as organizations that are based in another country but offer their products and/or services to citizens of the EU.

This means that if your business is located in a non-EU country such as the United States or Australia, and regardless of whether the GDPR legislation or its predecessor has ever had to concern you before, it will now.

GDPR Info: Article 3: Territorial Scope

  • Bigger Penalties For Non-Compliance

If a company is found to be non-compliant with the GDPR, the penalties include administrative fines that can reach either 20 million Euros (approximately 2.4 million USD at time of writing), or 4% of the company's global annual turnover - whichever amount is greater.

Luckily, avoiding such pricey penalties can be easily done by making sure your SaaS platform (and any subsequent websites and/or apps) follows all the necessary GDPR requirements.

GDPR Info: Article 84: Penalties

  • Explicit Consent From Users

Consent is likely to be the most essential part of the GDPR, but also one of the trickiest. It relates to the consent that is required by companies from their data subjects, before any collection or processing of data occurs.

Considering the purpose of the GDPR is to give consumers a higher level of control regarding their personal information, explicit consent is a great way to ensure this happens.

Conditions for consent are stronger, and companies are now required to state their request for consent in clear, concise terms that can be understood by anyone visiting their site or using their services.

GDPR Info: Article 7: Conditions for Consent

Here's an example of how Dropbox gets consent during its free trial or account sign-up as its collecting personal information from people.

After requesting different personal information such as a first and last name, email address and financial information, a user must click to check a box that says, "I agree to the Dropbox Business Agreement and Terms."

Dropbox account sign-up form with I Agree checkbox for consent

This step of making a user check a box is considered good consent under the GDPR because it's clear what the user intends when the box is checked, and in order to start the trial or create an account, this must happen.

  • Breach Notifications

If any breach has occurred regarding company data, this breach needs to be brought to the attention of the proper authorities within 72 hours of the company becoming aware of the breach. Customers are also required to be notified within the same timeframe.

Any breaches must be picked up on by the data processors who act on behalf of your company, and reported to the data controllers within your company. These breaches should always be noted in an internal register in order to keep track of the occurrences.

GDPR Info: Article 33: Notification of a personal data breach to the supervisory authority

  • Right To Access

The GDPR has given consumers the right to access the data collected from them by data controllers. This access should be given easily, for free, and in an electronic format.

Providing access to their own data is a great way to empower customers, relieve any reservations they may have regarding their privacy, and make sure your company remains totally honest and transparent - an important factor for any business.

If you happen to receive any requests from a customer wishing to access their own personal data, this request needs to be responded to promptly, within one month.

Here's an excerpt from Article 15 that covers the right of access:

GDPR Info: Article 15: Right of Access by the data subject

  • Right To Erasure

This is also known as data erasure or the right to be forgotten. Its introduction allows customers to request that any and all their data previously collected by a company is erased. If this request is sent, any third-party services need to cease processing that customer's personal data as well.

While there are conditions regarding eligibility for erasure, such as the data no longer being relevant or the customer withdrawing their consent, this addition to data protection is a great way to instill more confidence in your customers and website visitors.

Here's an excerpt from Article 17 that covers the right to erasure:

GDPR Info: Article 17: Right to erasure - Right to be forgotten

Here are some examples of how you can approach Articles 15 and 17 within your SaaS agreements.

LinkedIn's Privacy Policy details the different things their users are able to do regarding their personal data, as well as how they can contact the company for any further information or queries in a clause titled "Rights to Access and Control Your Personal Data."

LinkedIn Privacy Policy; Rights to Access and Control Your Personal Data clause

Twitter has approached GDPR compliance by including a small banner notification on their homepage. This notification informs any visitor that their Terms of Services and Privacy Policy have changed, with a hyperlink to the updated policies.

Twitter GDPR banner notification with updated Terms of Service and Privacy Policy

This is effective because often, users might not know about any updates to legislation that have occured. It's a great way to ensure your company remains honest and transparent.

Twitter also makes sure to highlight that the collection and sharing of user data is dictated entirely by each user, making sure they know their full level of rights.

Twitter's GDPR Updates summary: User controls over personal data section

  • Privacy By Design

This is a common concept that has been commonly seen in various industries for many years, and it's just recently become an aspect that is required by the GDPR. The GDPR's idea of privacy by design simply means that data protection should be one of the core features upon designing and developing your business idea.

While this doesn't mean you have to conduct a total design overhaul of your SaaS platform, you just simply have to make sure that your data controllers know what is required of them, and how to take the necessary steps to protect the personal data of your customers.

GDPR Info: Article 25: Data protection by design and by default: Privacy by Design

  • Data Protection Officers

Aside from data processors and data controllers, the other very important role involved in GDPR compliance is that of the Data Protection Officer (DPO). While not required in all cases, if you are required to have a DPO, this role must be appointed to someone within the company who has appropriate knowledge on data protection laws and practices, or an external service that can provide proper guidance and support.

The DPO should assist the company in maintaining compliance with the GDPR and any other related legislations, and they hold a high level of responsibility and accountability.

They must also further educate and train the company and its employees on all the necessary GDPR requirements, as well as act as the point of contact for the company and the allocated supervisory authorities.

Here's an excerpt of Article 37 that discusses the designation of a DPO:

GDPR Info: Article 37: Designation of the data protection officer

  • Carrying Out Data Protection Impact Assessments (DPIA)

If your business is one in which the processing of individual data has the potential to result in high risks for the freedom and privacy of those individuals, you will need to carry out what's known as a Data Protection Impact Assessment (or DPIA for short).

A DPIA is conducted by the Data Protection Officer, and its purpose is to assist in identifying any major risk areas in your data protection practices. While it's not necessary for every business to do these, it can still be a great way to ensure your practices are fully compliant with the GDPR and other legislations.

GDPR Info: Article 35: Data protection impact assessment

Am I A Data Controller Or Data Processor?

Legally, a data controller is defined as a "person that determines the purpose and means for processing personal data." In comparison, a data processor is defined as "the person that processes personal data on behalf of a data controller."

The best way to describe the difference between a controller and a processor is this:

  • You are a data controller if you are an individual and/or organization that is responsible for the recording and use of personal information from consumers.
  • You are a data processor if you or your organization maintain hold of personal data, but the use of that data is decided by another organization.

Under the GDPR, both the controller and the processor are liable for any breaches and damages that may occur due to noncompliance.

If you're the operator of a SaaS or cloud service, you might be wondering about the distinction between a data controller and a data processor, and which one applies to you.

According to the GDPR, a SaaS business is technically considered to be both. This is because a SaaS platform is the entity that is collecting personal data from users as well as deciding on the purpose of that collection.

SaaS platforms also maintain the control of any collected data and can decide how that data is processed. As such, a SaaS business is both the data controller and data processor.

Example of GDPR Compliance

Shufti Pro, a European startup company, sets a great example of GDPR compliance on its website. As you can see below, rather than hiding any mention of GDPR compliance within its Privacy Policy, a whole page is dedicated to explaining how the company is complying with GDPR requirements.

Shufti Pro GDPR Compliance Guide intro

This guide covers topics such as Cookies, Lawful Basis, Deletion, Access to User Data, User's Individual Rights Requests, Deletion and Automated decision-making, all of which the GDPR requires to be addressed.

There's even a section for a "Game Plan" that describes to users in really simple terms how user data is used.

Shufti Pro GDPR Compliance Guide: Game Plan summary section

By using language that reads easily and avoids any technical jargon, Shufti Pro is able to ensure that just about anyone could read the GDPR Compliance Policy and understand it.

A direct link to this Compliance Policy is included in the fixed footer of the website so consumers don't need to search hard to find it. This helps make it easily accessible.

Shufti Pro website footer showing GDPR Compliance link

In conclusion, while the GDPR might seem extremely confusing with many different aspects that must be taken into account, it's best that you see compliance as an investment for your company instead of a nuisance that must be dealt with as quickly as possible.

That way, you'll be more encouraged to put in the necessary time and money needed to reach and maintain proper compliance. Doing this is key in protecting your business and ensuring you don't face any of the potentially heavy fines that come with non-compliance.

Your SaaS platform can achieve total GDPR compliance by doing the following:

  • Update your Privacy Policy to detail your personal data practices as well as all user rights such as the Right to Access and the Right to Erasure
  • Request explicit consent from every user who uses your SaaS before collecting or using any personal information by using a checkbox/clickwrap method
  • Understand the responsibilities of both the data controllers and data processors, and ensure proper implementation of both roles
Article categories
Elizabeth Clinen

Legal writer.