Is your SaaS Supplier GDPR-Compliant?

The EU General Data Protection Regulation (GDPR) will impact all organisations, big and small, around the globe that process any personal data about citizens in the EU. This includes Australian and UK organisations. Audits will need to be conducted on how all personal data is processed, historically and in the future, to ensure compliance.

Before entering into a contract with a Software as a Service (SaaS) supplier, you should consider what steps they are taking to meet the standards set out by the GDPR. What information security management system do they have in place to ensure they are compliant with government cloud implementation standards? Do you know if you have rights to delete your customers’ stored data if they demand it? Can you easily find that user data and send it to them in a suitable format? Is the data centre that stores your personal data accredited to ISO 27001?

The GDPR requires the controller (the company) to sign a data processing agreement with the processor (the cloud provider) which stipulates a number of obligations, such as: only acting on the instructions of the controller, taking adequate security measures to protect you from data loss, assisting in responses to requests for data, and removing traces of data after the termination of service.

Similarly, the company is also required to meet the obligations set out by the GDPR which means they must be able to demonstrate what processes are implemented to guarantee data protection and compliance.

The processor is liable for any damages relating to poor compliance, which includes acting against the controller's wishes or data breaches caused by the processor. However, you, the company, also take responsibility for the actions of the processor, which means you should take care when engaging a supplier that has little to no track record or a history of negligence.

It is important to always check the Terms and Conditions. Most cloud providers offer their services on the basis of terms and conditions which do not meet the strict requirements set out by the GDPR, and unfortunately these terms are often non-negotiable.