With approximately a third of all SaaS applications purchased by employees, typically with no oversight of the app's security and compliance, companies risk failing to meet GDPR requirements and ending up with substantial fines.
Hence, it is essential for enterprises to control when SaaS assets are purchased and how customer data is processed and maintained in those assets. With no visibility into SaaS spend, each new tool acquired is a potential threat to the company's GDPR SaaS compliance and carries the risk of substantial financial penalties.
The General Data Protection Regulation is a data privacy act established in 2018 by the European Union which affects all companies doing business with EU citizens, regardless of where they are located. Even an internet business, if working with EU customer data, must adhere to the GDPR regulations.
GDPR identifies two types of organizations - data controllers and data processors. Data controllers determine the handling of private, personally identifiable information on behalf of another organization. Data processors, on the other hand, actually handle the private data on behalf of another organization.
In the case of SaaS tools, the SaaS vendors and suppliers are a third party and hence act as data processors in the business-customer relationship. The data controller is the business that uses SaaS tools in everyday work. This business must comply with GDPR and also ensure its SaaS compliance. Usually, this responsibility is handed over to the IT department and the IT security/SaaS compliance team inside it, although some companies also use a dedicated SaaS manager.
Even if the company using SaaS tools in its everyday work has ensured that it is fully GDPR-compliant, it also needs to confirm that the SaaS stack it uses when processing and storing customer data is likewise GDPR-compliant. This audit process generally requires 3 key steps:
The lack of visibility into all the software adopted by a business, usually via its employees, is known as Shadow IT. With Shadow IT the company is not aware of its entire SaaS stack - on average, a company's SaaS stack is 2 or 3 times larger than estimated! Hence it cannot ensure compliance with the required security, data privacy and other regulations.
With no SaaS acquisition process in place, organizations run a high risk of violating GDPR compliance regulations.
To ensure SaaS visibility via a careful Discovery process, IT departments need to collaborate with employees and teams to set up a complete SaaS record - for example, in a spreadsheet. Alternatively, they can use SaaS management platforms like Oveo and analyze transactional financial information, for a faster and more reliable SaaS discovery process.
After attributes such as ownership, cost, renewal date and terms have been identified for every app in the SaaS stack, each app's compliance with GDPR should be carefully evaluated. The evaluation should cover how the app stores customer data and the purposes for which that data is stored.
This privacy audit process may require review of the supplier contract or even reaching out to a representative of the supplier. After SaaS compliance or non-compliance has been concluded, all outcomes should be carefully documented in the respective SaaS inventory platform.
After GDPR SaaS compliance has been determined, risk mitigation should be undertaken for all non-compliant apps. The process should start with the apps presenting the highest threat. The action taken could range from complete removal of the app from the company's SaaS inventory, along with a request for the complete return or deletion of all data stored, to modifying how the application is implemented or used throughout the organization.
To ensure compliance for all new SaaS vendors, there should be a reliable SaaS vetting process in place, made up of the following steps:
When a new SaaS is proposed for adoption by the organization, it should be required to go through a GDPR compliance vetting process before being approved for purchase. This vetting process is recommended to be performed by representatives of the IT, legal, accounting and security/compliance departments in the organization.
For each SaaS application, create and maintain an up-to-date record on the purpose of obtaining customer data and how it is stored, returned or deleted. This knowledge is essential particularly in cases when customers require the removal of their data.
The GDPR SaaS compliance evaluation is not a one-time deal. Rather, it needs to be performed regularly to ensure the organization stays GDPR compliant. These compliance re-evaluations may be performed as part of the review process before the SaaS renewal date. Or, if a SaaS license has been signed for several years, the review should be carried out every 12 months or less.
It is true that the EU data privacy regulation has greatly affected the process of adopting SaaS tools. But with a solid, well-structured and ongoing SaaS compliance review process in place - a process that ensures visibility, documentation and risk mitigation - companies can ensure the security of their customer data and stay GDPR compliant at all times.