The EU’s General Data Protection Regulation (GDPR) has been a central concern to all UK businesses working with data over the past few months, and the pressure is unlikely to lessen as the year comes to an end. In just 9 months’ time, any business dealing with data concerning an EU citizen will be working within these strict guidelines, giving extra protection to all EU citizens. Whether or not the UK is part of the EU, most businesses will have some contact with EU citizen data, and so the regulations will still apply.

As such, if you are using Software as a Service, you need to be certain that your service provider is as aware of the GDPR as possible. Anyone who has access to your stored data needs to be 100% compliant, or you will still risk the substantial fines imposed by the EU for non-compliance. GDPR and SaaS must work hand-in-hand.


What is Software as a Service?


Software as a Service can include any applications that are provided to you by an outside vendor via the internet and usually paid for on a monthly basis, eliminating the need for on-premise hardware. SaaS could include things like cloud service providers (such as Dropbox), Microsoft Office, Google Docs, and Amazon Web Services. It may be that you have a considerable array of these types of SaaS applications working for you without realising the implications this has on your GDPR compliance.


What are the SaaS Risks?


Your path to GDPR compliance need not be over-complicated by SaaS applications. The same processes must still be carried out, but if you are using a number of SaaS services they need to be added to your list of considerations.

The General Data Protection Regulation states that:

  • EU citizens must consent to which personal data is used and how it can be used and shared.
  • EU citizens have the right to be forgotten, meaning that they can request that all of their personal data is totally deleted from your files.
  • You must have a clear audit-trail showing exactly what information you have stored, how you have used that information, and who you have shared it with.
  • Your data must be as secure as possible, and you must be able to evidence this.

When your business uses a number of SaaS applications, you risk losing track of what data you have stored where, and how it is all protected. Without clear lines of accountability your GDPR compliance is immediately at risk.

In addition, the more apps you have, the more potential routes there are for hackers to enter your network. You must be able to ensure strong perimeter security as well as ensuring each application is secure in itself. Since human error is always at the top of the list of cyber security threats, you must be aware at all times of exactly who has access to what, and how they are using it. Those with access could actually include the SaaS vendors who could be using or sharing your stored data.

When it comes to a citizen’s right to erasure, you will need to investigate how your SaaS applications store and delete information. Should an EU citizen request that their information be deleted from your system, that information must be totally forgotten and not hidden away in some long-lost file or application. Again, you must provide a clear audit-trail and line of accountability to evidence this.

It is quite clear, then, that the use of multiple SaaS applications can complicate your path to GDPR compliance. This does not mean, however, that the task is impossible.


GDPR and SaaS – Managing the changes effectively


  • Make yourself aware of every SaaS application within your network. Are all of them necessary?
  • Find out precisely what GDPR-regulated information is stored within these applications. This is something you will need to do anyway throughout your entire network as part of your GDPR preparation.
  • Strengthen your perimeter security, but do not rely on it alone.
  • Establish a SaaS standardisation policy which ensures clear lines of accountability. This will mean familiarising yourself with how applications are used and by whom, and tracking this information.
  • Educate your employees on new management and standardisation strategies, GDPR, and cyber security risks and procedures.


If you would like guidance or professional assistance on SaaS and GDPR, contact CBSIT today. CBSIT have in-depth knowledge of GDPR and can make the transitional process to compliance a much less complicated matter for your business.