Cloud services, or cloud computing, have become extremely popular because they make it easier for teams to work and enable remote delivery of services to audiences around the globe. Cloud computing comes in several varieties, among which SaaS has an important place. Is it necessary to implement GDPR in SaaS applications and how to do it legally?
Why is it necessary to implement GDPR in a SaaS application?
The SaaS (Software as a Service) software model is often put in opposition to on-premise applications. In the latter case, the purchaser receives ready-made software that he installs on company computers.
Of course, he or she still has to comply with the licence provisions, but has control over what happens to the software. SaaS applications, on the other hand, are provided using a cloud service. The software provider provides the ability to use the software, which is generally accessible from a web browser. Where are these types of solutions used? Good examples are programmes such as:
- Customer Relationship Management, CRM;
- Enterprise Resource Management, ERP;
- Warehouse Resource Management, WMS.
A lot of this type of software is delivered in the SaaS model, which is cheaper and allows seamless scalability in contrast to on-premise applications. At the same time, software such as CRM or ERP collects large amounts of personal customer data, which is then processed in many ways.
The protection of personal data in the SaaS model is extremely important from the entrepreneur’s point of view, as a breach of the regulation can result in very high financial penalties.
Remember that the need to implement GDPR arises regardless of whether your company provides services to other businesses as well as consumers.
What is the processing of personal data?
For the implementation of the GDPR to arise in relation to the provision of a SaaS service, the processing of personal data must occur. This is a very broad term and covers any operation performed on data, including but not limited to:
- collection
- recording;;
- organising
- storing
- ordering;
- viewing;
- disclosure;
- distribution.
It does not matter whether the data was collected automatically or not, or in what form it appears (e.g. a record in a database, a scan of an ID card). Any information that identifies or specifies a person is considered personal data. It does not have to be just a name and surname. Identity card number and series, IP address, location data, home address and even income are also considered personal data. If you segment your customers according to such criteria – you are processing personal data.
Does the location of the company matter for the obligation to implement GDPR?
As a matter of principle, the GDPR applies primarily throughout the European Union (including Poland), as well as in the European Economic Area. Regardless of this, the provisions of the regulation are also applicable if:
- the company processes data and is established in the area where the GDPR applies, regardless of where the personal data is actually processed;
- the company is established outside the GDPR area, but the data processing takes place within the GDPR area.
In practice, this means that even in a situation where, although you have established a company in a tax haven (e.g. the Cayman Islands), but the company offers its services to citizens of EU countries, you will still need to implement the GDPR.
How do you implement GDPR in a SaaS application?
The implementation of GDPR can be divided into several stages. Keeping them in order is important in order to get the whole job done solidly.
The first step should be to conduct an GDPR audit of the company. The GDPR audit aims to determine the baseline status of the implementation of personal data protection processes, as well as the awareness of employees in this regard. First of all, the legal basis for data processing should be established based on the wording of Article 6 of the Regulation. As a rule, it will be:
- consent to the processing of the person’s personal data;
- a contractual relationship between the person concerned and the entity offering the service;
- the legitimate interest of the controller (as a last resort).
Furthermore, it must be determined which personal data are necessary for the provision of the service. In this respect, one must be guided by the principle of minimisation, meaning that the processing of data is limited to the minimum necessary.
The GDPR audit should also answer the question about the state of IT application security. When designing them, it is necessary to take into account the possible threats that may arise and the risk of their occurrence. It is worth ensuring that the organisation complies with the international standards of the 27000 family, which testify to information security.
It is also necessary to determine who among the employees and co-workers has access to the data collected in the system and to what extent. It is worth ensuring that those who have access to information have an appropriate level of information security knowledge.
What happens to the data in the SaaS application?
As part of the implementation of the accountability principle, take care to prepare the two registers referred to in Article 30 of the GDPR – we are referring to the register of personal data processing activities and the register of categories of processing activities.
The first register is an obligatory element of the GDPR documentation. The second relates to data that will be uploaded in the application by the SaaS application provider’s customers, e.g. personal data of their customers. Both registers can be in electronic form (and in practice usually are). What data can be found in the register of processing activities? Primarily these will be:
- the data of the administrator and the DPO;
- the purposes of the processing of personal data;
- indication of the categories of persons whose data will be processed and the categories of such data;
- the data retention period.
As for the register of categories of processing activities, it will include, among others:
- categories of processing carried out on behalf of the controller;
- information on transfers of data to a third country or an international organisation.
Development of the risk matrix
The information gathered during the audit should be used to prepare a risk matrix. This usually takes the form of a comprehensive table identifying the areas where there is a risk of data leakage, as well as determining the degree of that risk. The likelihood of an incident occurring can be divided into, for example:
- unlikely, if the threat has not occurred in the past and the risk of it occurring is close to zero;
- medium probability, if the hazard has a low risk and has occasionally occurred in the past;
- very likely, if the hazard has occurred regularly in the past and the risk of its occurrence is real;
- almost certain, when there is an almost 100 % risk of an incident occurring.
Specific countermeasures should then be assigned to each risk. In SaaS applications, these usually have an IT dimension. When developing a risk assessment, it should be remembered that it is incumbent on the administrator to demonstrate the principle of accountability. Particularly strong safeguards should be developed for sensitive data, e.g. for SaaS applications used by healthcare facilities that record each patient’s medical history.
The list of GDPR documents that should be developed for SaaS is quite extensive and, in addition to a data protection policy and the aforementioned registers, also includes a procedure for dealing with breaches of data subjects’ rights, a breach register, a procedure for erasure of personal data and a risk analysis and sometimes a breach impact assessment. Each of these documents should be developed taking into account the specificities of the SaaS service in question.
SaaS provider as processor of personal data protection
A software provider in the SaaS model that makes an application available to a business processes personal data on behalf of and to the extent specified by the administrator. In the light of the GDPR Regulation, it is therefore a personal data processor. Pursuant to Article 28 of the GDPR, in such a situation it is necessary to conclude a contract, the content of which should indicate, in particular:
- an explicit entrustment of data processing to the processor by the controller;
- the processor’s obligation to maintain secrecy with regard to the processing of personal data covered by the agreement and to make the data available only to persons authorised to process them;
- the processor’s obligation to implement appropriate measures to ensure the security of the processing of personal data;
- the processor’s obligation to assist the controller in, inter alia, responding to requests from data subjects;
- the processor’s obligation to make available to the controller the information necessary to comply with its obligations and to carry out audits and inspections.
It should be ensured in the contract that, upon termination of the cooperation between the processor and the controller, the former deletes the stored personal data or returns it to the controller.
Additionally, it is worth emphasising that the processor may process personal data to the extent expressly indicated by the controller, but not in an arbitrary manner.
Moreover, the processor of personal data must be an entity that provides a guarantee to implement appropriate technical and organisational measures to protect the personal data of the data subjects.
How to minimise the risks related to the processing of personal data by the processor?
Since the controller and the processor of personal data conclude a contract between them, it is worthwhile to include clauses in the contract allowing for appropriate shaping of relations between these entities. First of all, the contract should answer the question in what situations and to what extent the processor is liable for a breach of personal data of the controller’s customers. The confidentiality obligation (NDA agreement) should be supplemented by a contractual penalty.
It is also important that the personal data processor develops procedures for crisis situations and for the termination of the cooperation, i.e.:
- Recovery Plan – a procedure provided in the event of a situation that threatens the integrity or continuity of essential services; it allows to reduce the negative impact of the failure and accelerates the return to model operation;
- Exit Plan – defines the rights and obligations of the parties in the event of the termination of the business relationship, such as the processor’s data retention period or the manner in which the data will be received by the administrator;
- Business Continuity Plan – defines the organisation’s approach to updating critical areas for potential risks.
The administrator should also ensure that there is a clear audit procedure that does not raise questions about the processor’s responsibilities, the timing or the manner in which information is to be provided. Finally, the parties can agree between themselves the specific locations (server sites) where the processing of personal data will take place. In this way, the administrator avoids the risk when personal data is transferred to countries that do not apply the GDPR standards.
Administrator versus processor of personal data. Who is liable for breaches?
When planning the implementation of GDPR in a SaaS application, it is important to remember that the processor and the controller are jointly and severally liable towards the data subjects whose data has been breached. In practice, this means that it is the affected party who is free to designate the entity (or both entities) from whom they will seek compensation for damages. The appropriate place to regulate recourse claims is precisely the contract concluded between the administrator and the processor.
Both companies that use SaaS cloud services and their providers should pay close attention to the provisions of the GDPR regulation. The need to apply it imposes a whole series of additional obligations, failure to comply with which may result in a high financial penalty, as well as the risk of liability for damages.