Compliance can be difficult to navigate, yet it’s an essential part of keeping your organisation afloat. Regulations put in place to protect data and privacy must be adhered to, as you could find yourself facing hefty fines, and legal consequences if you don’t comply. 

GDPR is one of the most important pieces of data protection laws , and it extends to SaaS applications your business may use, like Slack, Google Drive, or Microsoft Teams. 

Ensuring data is protected in these SaaS applications is crucial to remaining compliant with GDPR. Let’s explore what it means for your organisation. 

What is GDPR? 

GDPR stands for the General Data Protection Regulation. It’s an EU law that obliges most EU businesses to protect the privacy and data protection rights of all individuals, wherever they are. When the UK left the EU, it retained the GDPR (making some small amendments) and called it the "UK GDPR". Where we use the terms GDPR, we mean both the EU GDPR and the UK GDPR.

Coming into effect in 2018, GDPR gives individuals more control over their personal data, and requires businesses to be transparent about how they collect, process, and store personal data. 

Any EU or UK organisation that handles personal data must ensure that individuals (also known as "data subjects") are aware of how and why their data is being processed. If data subjects demand access to their information, organisations must, in general, provide it, and personal data must be deleted if data subjects would like their information erased. 

What does it mean for businesses, big and small? 

All businesses, regardless of their size, must comply with GDPR if they handle personal data. If they don’t, they can face serious consequences such as hefty fines, and reputational damage. 

Some organisations that process large amounts of sensitive personal data or who undertake large-scale monitoring of data subjects may need to designate a Data Protection Officer (DPO) who will oversee the business's GDPR compliance, and act as a point of contact for data subjects, as well as supervisory authorities. 

There are several elements of GDPR to consider for organisations who are required to adhere to it: 

1. Legal Basis

Every piece of personal data collected must be obtained and further processed with a valid legal basis, such as consent or because the legitimate interests of the business (or another person) justify it. Whatever the basis, you must be transparent with the individuals, meaning that people must understand why personal data is being collected, and how it will be used. Even when consent is given, it can be withdrawn at any time. 

2. Personal Data

GDPR defines personal data as information related to an identified or identifiable person. This could be a name, ID number, location, an online identifier.. 

3. Data Controller

To understand your duties under GDPR, you’ll need to know whether your organisation is a data "controller", or a data "processor". A data controller determines what data is collected, and for what purpose. It will be down to the data controller to ensure the organisation is collecting data legally, and for legitimate purposes. 

4. Data Processor 

A data processor processes personal data solely on the instructions of a data controller. The data processor may be a tool or third-party company that you use for data collection, and some organisations may be data controllers as well as data processors. 

5. Right to Access

At any time, individuals have a right to request access to their personal data, and organisations must comply with this, providing copies to the data subject, unless an exemption applies to some or all of the personal data. 

6. Deletion Request

Data subjects also have the right to request that their personal data is deleted, in particular if they decide to withdraw consent, or if you are holding onto data unnecessarily. This is known as the ‘right to be forgotten’ and organisations must oblige unless there are certain circumstances that make it essential for them to store the data, such as legal obligations. 

7. Data Breach Notification

Under GDPR, organisations must report a "personal data breach" that is 'likely to result in a risk to the rights and freedoms of individuals' to the relevant supervisory authority within 72 hours, and they must inform affected parties if it poses a likely high risk to their rights and freedoms. 

8. Transfer of Personal Data

Understanding where you can transfer personal data is key as GDPR imposes restrictions on transfers outside the European Economic Area (EEA) or UK to countries that do not have an adequate level of protection in place. Specific safeguards, such as contractual clauses or binding corporate rules, need to be secured to ensure the protection of personal data during these transfers. 

If you don't follow the correct procedures, you may get fined, up to 20 million euros (or £17.5 million), or up to 4% of your total global turnover, whichever is higher. An example of this is the huge fine imposed on Meta in 2023 to the tune of €1.2 billion, due to the transfer of European users' data to the US, without the correct data protection procedures in place. You can see the full list of GDPR enforcements here. 

Regardless of the size of your business, you should ensure you’re working in line with GDPR requirements, and put the necessary safeguards in place to remain compliant. 

What are the GDPR data principles? 

The GDPR data principles outline what organisations must adhere to, in order to remain compliant. They should be taken as a framework for ethical data processing. 

The GDPR data principles are: 

1. Lawfulness, Fairness, and Transparency

Any organisation processing data must do so in a lawful, fair, and transparent manner. Data subjects must be aware of their personal data being handled, and must understand the extent to which it is being used. 

2. Purpose Limitation 

Personal data should only be collected for specific purposes that are legal and legitimate. Companies should define the purposes for data collection, and ensure they are justified in their decision. 

3. Data Minimisation 

Organisations should only collect the personal data necessary for processing, and it should be relevant for the intended purpose. 

4. Accuracy 

Any personal data held by organisations should be accurate and up to date. Inaccurate personal data should be rectified or erased. 

5. Storage Limitation 

Personal data should be stored securely, and in a form that only permits identification of data subjects for as long as is necessary. 

6. Integrity and Confidentiality

Personal data must be processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

7. Accountability 

Every organisation processing data is responsible and accountable for complying with GDPR. In order to show that they are accountable, they need to keep records of data processing activities, and ensure data risk assessments are carried out to address any vulnerabilities. 

Organisations should align with these data principles to ensure they are complying with GDPR regulations, and securing customer data to protect individuals’ rights. 

Why is data minimisation important for GDPR? 

The less personal data you store, the less chance there is of a personal data breach impacting that information. Article 5(1)(c) of GDPR requires that personal data be “adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.” 

Essentially, this means that organisations should only collect personal data that is relevant. Before personal data is collected, there should be a clear objective of what this will bring to the organisation. 

Once personal data has been collected, it should not be retained longer than necessary for its intended purpose. Organisations complying with GDPR should establish and implement data retention policies that outline the duration for which personal data will be stored. Once this date has passed, personal data should be securely destroyed. 

Data security tools like Metomic can help to enforce data retention periods automatically, enabling teams to comply effectively with GDPR, and minimise the amount of personal data they hold at any one time. 

Data minimisation is also a core component of the ‘Privacy by Design’ principle in GDPR which mandates that organisations should consider privacy and data protection aspects throughout the entire lifecycle of their systems, and services. It is key that this aspect of GDPR is adhered to, in order to protect subjects’  privacy and data protection, while still attaining business goals. 

What types of personal data need protecting in order to comply with GDPR?

There are a range of data types that need to be protected in order to comply with GDPR. 

This could include basic information such as names, addresses, phone numbers, and passport numbers, as well as financial data related to bank accounts or credit card details. 

It also covers online identifiers such as IP addresses, and usernames or cookies that track users online, and sensitive personal data such as race or ethnicity, biometric data, health data, or data related to sexual orientation. 

It’s worth bearing in mind that GDPR also encompasses personal data relating to your own employees, such as payroll information, and it extends to physical data, such as paper files, so you should have measures in place to protect personal data at every level. 

What are the risks of not complying with GDPR? 

GDPR holds serious implications for those who are non-compliant. Financial penalties can hit businesses hard, with fines of 4% of a company’s global turnover or 20 million euros/£17.5 million (whichever is higher), depending on the severity and impact of the violation. 

Legal action, such as lawsuits raised by individuals affected by personal data breaches, can also incur further financial losses. 

Reputational damage sustained as a result can be long-lasting too, particularly when it comes to the loss of customer trust, potential loss of business opportunities, and the effect this can also have on partner relationships too. 

Non-compliance with GDPR also raises the risk of security breaches, making your organisation vulnerable to cyberattacks. Mitigating these risks is crucial for organisations to demonstrate their commitment to data protection, build trust with customers, and avoid the severe consequences associated with non-compliance.

How does GDPR relate to SaaS apps?

GDPR extends to Software-as-a-Service (SaaS) applications, and it’s vital that organisations are aware of the implications of storing and processing personal data within SaaS apps such as Slack or Google Drive. 

Here are some key considerations for SaaS apps in relation to GDPR:

1. Built-in Data Protection 

SaaS providers have an obligation to create their applications with consideration for privacy and data protection. However, it’s worth noting that security features within apps can be limited, and as such, you may need to consider additional security measures that focus on protecting personal data, and ensuring you comply with GDPR. 

2. Data Processing 

SaaS apps will typically be classed as data processors, and therefore have specific obligations outlined in GDPR. As part of their standard contracts, they must process personal data lawfully, and ensure appropriate security measures are in place. However, as SaaS apps are configured by their users, GDPR compliance relies on SaaS app users to ensure that steps are being taken to protect customer data. 

3. Data Transfers 

Where personal data is transferred from the EEA or UK to countries outside the EEA or UK that are not considered 'adequate', SaaS providers need to ensure adequate safeguards are in place. This may include implementing appropriate data transfer mechanisms, such as Standard Contractual Clauses or Binding Corporate Rules. "Adequate" countries can be found here.

4. Privacy Policies 

SaaS providers need to be transparent and provide information on how personal data is collected, processed, and stored. Users should have the option to set clear data retention periods and communicate this effectively to their customers. 

Ultimately, the responsibility for GDPR lies with the organisation, so they will need to ensure that their SaaS applications are configured to align with GDPR. 

How can organisations be compliant when dealing with SaaS apps? 

When it comes to SaaS apps, organisations should be implementing procedures such as data mapping to understand the types of data that are being processed, where it is stored, and how it flows within the SaaS application. Understanding where your data is can help you put the right steps in place to start protecting it, and ensuring you are GDPR compliant. 

Peter Wood, tech founder and CTO at Spectrum Search, says, “It's vital to have a clear understanding of what data is being stored and processed on these platforms. As someone who's built a licensed cryptocurrency trading platform, I appreciate the complexity of data flows in modern applications. Companies must map out data flows to identify where personal data resides and how it's being used. This process is crucial for maintaining transparency and control over data.

“Leveraging technology for compliance can be a game-changer. In my work at Spectrum Search, I've used technologies like Zapier to automate workflows, ensuring compliance processes are streamlined and less prone to human error. Similarly, organisations can use automation and AI to monitor and manage GDPR compliance more efficiently.” 

Before the SaaS app is implemented, organisations should also conduct due diligence with the provider, to ensure that they meet the necessary requirements for GDPR compliance, and to check that their data processing agreements meet your company’s needs. You should also understand whether they work with any third parties and if so, how they contract with them. You may also need to contact these third parties.  

If the SaaS app relies on user consent for data processing, ensure that proper mechanisms are in place to obtain explicit and informed consent. Implement features that allow users to provide and withdraw consent easily. 

Establishing processes to handle personal data deletion requests will help keep you in line with GDPR, and ensure you address requests within the required time frames.  

Internally, you should review your privacy policies to reflect the use of SaaS applications, and provide the appropriate training to your employees so they can understand what they need to do to remain GDPR compliant. Regular audits can also help you get an idea of any gaps within your processes that may impact data protection.

How can Metomic help your organisation stay GDPR compliant?

Metomic monitors and detects sensitive personal data sharing within SaaS applications in real-time to align with GDPR requirements, in particular - data minimisation. 

Its proactive monitoring capabilities help organisations understand where sensitive personal data lives, and how employees are handling it. With automatic retention periods for sensitive personal data, security teams can ensure that data isn’t retained longer than necessary for its intended purpose. 

See how we helped digital healthcare provider, Numan, to educate their employees on data security best practices.