Discover the key points of GDPR compliance for SaaS software: the evolution of risks, the role of processor, and the new responsibilities compared with those of a traditional publisher.
Before explaining how to bring SaaS software into GDPR compliance, we need to understand why the publisher model is increasingly shifting towards a SaaS software model.
In recent years, a large proportion of software publishers have decided to initiate or accelerate their transformation. Indeed, the traditional publisher model is increasingly failing to meet clients' expectations, whether in B2B or B2C.
Clients no longer wish to install software and own or administer the infrastructure themselves. This is the case when the software is "on-premise", i.e. on the client's own servers. They no longer wish to carry out version upgrades, which used to cost them a lot of money. They also want to switch to a "pay as you go" or "pay per use" model, which is much more flexible than a long-term license purchase. This means paying per use or per number of users.
SaaS platforms deliver on all counts. So much so that the majority of digital services are delivered this way. We can, of course, exclude specific, customized software, particularly in industry, for which this model is less suited.
For software publishers, this means a change of profession, as they evolve from vendors of solutions operated by the client themselves, to service providers through SaaS (Software as a Service).
The SaaS platform must now provide and manage infrastructure, data storage, global security and a new type of billing.
This is an unprecedented opportunity, since it will also enable the company to monitor usage of the platform. This will enable more targeted, user-relevant developments.
The risks associated with personal data are increasing significantly. You need to adapt your compliance to the new challenges. At Dipeeo, we believe that the greatest risks come from:
As a publisher, the GDPR compliance of the software is mainly borne by the client (although this varies depending on the contract). Today, as a SaaS, you have to ensure the GDPR compliance of the tool you make available yourself.
To achieve this, we recommend using the "privacy-by-design" principle. This involves taking GDPR rules into account right from the design stage. This enables the development of a compliant tool from the outset and avoids the need for corrections. However, it is also possible to carry out a compliance audit of the application and draw up a corrective plan for deployment.
Informing people is a key point. You must inform users of the data collected, how it is used, data retention periods and users' rights with regard to their data.
The rules governing personal data must be respected within the tool. For example, only personal data required for the service should be collected. Data retention periods must be respected: for example, how long does it take for the data of an unsubscribed user to be deleted? The collection of certain data may also require consent.
The technical providers of the digital tool that carry out processing on personal data must be GDPR compliant. All SaaS products have technical service providers, for example the data host, authentication or billing providers. They must therefore be audited to check their compliance and that they accept accountability in the event of a data leak. You can't guarantee the security of all their tools yourself.
Data transfers outside the European Union. Some of your service providers are likely to store data outside the European Union. As a matter of principle, this is prohibited by the GDPR. There are exceptions for data transfers to areas with similarly strict rules. Otherwise, the data transfer must be covered by a suitable legal instrument that allows it. This is a fairly classic case, particularly towards the United States, as many widely used tools are American.
It should be noted that the appointment of a DPO is mandatory in certain cases to be GDPR compliant: particularly if you process sensitive personal data or carry out regular monitoring (e.g. banks or insurance companies), and in any case if you are a public body.
If you sell in B2B, you process personal data on behalf of your clients. You become a processor, within the meaning of the GDPR, of your clients' personal data.
Certain information must be included in the T&C to indicate processor status. You will have to indicate and accept accountability in the event of a data leak on your premises. Your client cannot ensure data security or the implementation of the right GDPR processes in your tool. You will therefore have to assume this accountability.
As part of your clients' GDPR compliance, they have an obligation to check that their service providers (processors) comply with the GDPR. They therefore carry out GDPR compliance audits via their internal or external DPO.
This usually consists of a list of questions to answer and the GDPR compliance documents to provide. For example, the privacy policy, which informs users about the data collected, its use and users' rights.
A Privacy by Design report will also be requested, indicating that the application is compliant or that a corrective action plan is underway.
You must ensure the technical security of your tool, which is now open and accessible from the web.
In conclusion, a SaaS platform is at the heart of GDPR risks and issues since it is, by its very nature, a tool for processing data, very often personal data.
You have new responsibilities, so you need to adapt your GDPR compliance. But don't worry, with a framed approach and a quality DPO, it goes very smoothly. In fact, feedback shows that this is part of the rise to maturity on data control.
Dipeeo assists SaaS platforms in their GDPR compliance. Dipeeo is appointed DPO with the CNIL (National Commission for Information Technology and Civil Liberties) and handles all GDPR issues for the client in an all-inclusive monthly package.