How to Evaluate GDPR Compliance for SaaS Applications

Zylo

With the European Union meting out record fines for violations of its GDPR rules, enterprises must understand where and how they process and maintain customer data. Unmanaged SaaS proliferation contributes significantly to the need to understand and meet GDPR compliance.

Approximately one in every three employees purchases SaaS applications without IT approval. This unmanaged software acquisition compounds the risk of GDPR non-compliance. Without direct accountability and visibility into your organization’s SaaS inventory, each new tool with the potential to store customer data represents a potential risk of violating GDPR and incurring significant financial penalties.

What is GDPR?

Enacted by the European Union in May 2018, GDPR stands for General Data Protection Regulation. Primarily, it regulates what businesses can and cannot do with privacy data related to the more than 500 million people living within the EU’s jurisdiction.

However, the EU’s regulation carries global implications. Anyone doing business with an EU citizen must abide by the EU’s rules, regardless of the company’s geography. Any business with an Internet presence that can be accessed by European citizens can benefit from becoming aware of GDPR and adhering to its provisions.

How Does GDPR Affect Companies That Utilize SaaS Applications?

GDPR divides organizations that handle privacy data into two distinct categories, data processors and data controllers.

A data controller is “a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.” Or, in plain English, a person or organization that determines the handling of personally identifiable information or PII.

A data processor is a business or organization that handles privacy data on behalf of another entity. In this context, cloud service providers, SaaS vendors, and suppliers who work as a third party to the primary business-customer relationship are often processors.

When a cloud-forward business stores the private data of EU citizens in its SaaS applications, it acts as the data controller: it must comply with GDPR and ensure that any third-party data processor (i.e., a SaaS application that transacts or stores customer data) also complies with GDPR.

In many cases, this responsibility may fall to the IT security team; the governance, regulations, and compliance (GRC) team; a software asset manager; or in some progressive organizations, a SaaS manager.

GDPR Compliance for SaaS Applications

Presupposing that an organization has taken all the necessary steps as a data controller to maintain GDPR-compliant status, it must also ensure that the SaaS applications it uses to process or hold customer privacy data are GDPR compliant.

Every SaaS application must be discovered, identified, and audited to gain a complete understanding of SaaS GDPR compliance within an IT environment.

Gain full visibility into all SaaS

Shadow IT is defined as software (on-premise or cloud-based) that has not been approved for use by IT. As more low-cost and easy-to-access applications become available, business units are adopting shadow IT at higher rates. Analyst IDC projects that as much as 70 percent of all application spending now occurs outside IT’s budget.

Without a tool or process that reveals all current applications, an organization’s GDPR risk profile remains unknown. According to Zylo data, the average company underestimates its total SaaS application inventory by two to three times.

To begin the discovery process, many companies start by completing an inventory exercise with a spreadsheet. However, a tool that analyzes transaction-level financial information to uncover all SaaS application purchases, such as the Zylo Discovery Engine, enables a faster and more accurate accounting.

Evaluate compliance

Following the identification of all SaaS applications and their relevant attributes such as business owner, cost, and contract terms, it’s essential to evaluate each application’s data privacy attributes.

Determine which applications have a legitimate purpose for storing customer privacy data and their respective compliance with GDPR.

Identifying a supplier’s compliance with GDPR may require a detailed supplier contract review or directly contacting a company representative. When determining compliance or noncompliance, document the findings and associated contractual details in an easily retrievable system of record.

Prioritize and mitigate risks

Once sufficient compliance-related information is available, prioritize mitigation efforts by addressing the most significant potential threat, starting with any non-compliant applications. GDPR risk mitigation entails a range of possible actions, from adjusting an application implementation to removing an application from the environment and ensuring the return or deletion of all privacy data.

How to Ensure GDPR Compliance for New SaaS Vendors

To ensure compliance with GDPR for all new SaaS applications, create a roadmap for evaluating future SaaS vendors, suppliers, or applications by considering the following:

Create a SaaS vendor review process

If a process doesn’t currently exist for stakeholder reviews for proposed new SaaS applications, the need to evaluate GDPR compliance before the purchase is an excellent reason to start one.

Ensuring all proposed SaaS applications require approval from organization stakeholders (such as IT, Security and Compliance, Finance, and Legal) facilitates a thorough vetting.

Document how customer data retention, return or deletion works for each SaaS application

A thorough evaluation process can reveal this information, but it’s critical to document it within an easily accessible system of record.

Technology managers who manage SaaS applications must know precisely how to extract, return, or delete personal data from SaaS applications if and when requested by customers.

Schedule regular ongoing compliance assessments

Ensuring compliance is not a “one and done” effort; it requires continuous evaluation to reduce the potential risks of violating GDPR.

When onboarding a new SaaS application, document the timing for future GDPR evaluations. If the organization maintains a system of record with renewal dates, planning a GDPR compliance evaluation at approximately the same time as the renewal can aid the renewal decision-making process.

If the SaaS application contract terms span multiple years before renewal, consider evaluating SaaS applications for compliance at least once every 12 months as a goal.

The European Union’s General Data Protection Regulation has dramatically altered the digital landscape worldwide. But by embracing compliance and enabling robust processes around visibility, documentation, and risk reduction, technology leaders can leverage the process of evaluating GDPR compliance as an asset within the realm of SaaS application management.

About the Author

Zylo

Zylo is the leading enterprise SaaS management platform that transforms how companies manage and optimize the vast and accelerating number of cloud-based applications organizations rely on today. The platform provides one system of record for all cloud-based software purchased across a company, enabling customers to discover, manage, measure and optimize cloud investments with real-time insights into spend, utilization and feedback data.