Achieving GDPR Compliance is Difficult. SaaS Just Made It Harder.

Tim Jesser discusses an area of particular GDPR risk, the prevalence of SaaS usage, what makes SaaS especially risky, and how to mitigate that risk.


With just days to go until the start of GDPR enforcement on May 25, 2018, I’m hoping most readers have made substantial progress towards achieving compliance.  For those just getting started, you may benefit from this primer: 7 Steps to Kickstart Your GDPR Compliance.  For the rest, let’s discuss an area of particular GDPR risk, the prevalence of SaaS usage, what makes SaaS especially risky, and how to mitigate that risk.

Cloud Services and SaaS Adoption

Surveys indicate that cost savings are the most frequently cited reason for cloud adoption, with organizations reporting an average 16% savings from using public cloud services. Innovation is another driver of cloud adoption, as organizations seek to benefit from the greater agility cloud can provide through its support for elasticity and on-demand capabilities.

Security, the traditional roadblock to cloud adoption, has somewhat waned as a concern, supplanted by satisfaction with on-premises solutions as the primary reason for avoiding or delaying cloud adoption. None of these concerns, however, has stopped the relentless pace of cloud adoption, especially SaaS, with nearly every organization utilizing at least some cloud services.

SaaS and GDPR

At the same time organizations are ramping up SaaS usage, they are also grappling with GDPR compliance.  The components of GDPR compliance are many and varied, but most of them rest on a simple foundation: an understanding of where in the enterprise personal data resides, who is accessing it, and how it is being processed.  The primary artifact of this foundation is the Record of Processing Activity (RoPA), mandated by Article 30 of the GDPR.  To build their RoPA, organizations must discover and document all personal data repositories in use across the enterprise, regardless of platform.

And that brings us back to SaaS. While most organizations have a reasonably good handle on where on-premises personal data repositories reside, the same can’t be said for SaaS-based personal data repositories. There are a few reasons for this gap in knowledge and visibility. First, the discovery tools and methodologies in use in many organizations are focused on – or even functionally limited to – scans of on-premises data centers. These tools are often unable to perform automated discovery of cloud services to find SaaS-based personal data repositories. The second reason is the way many SaaS applications are procured. Rather than going through centralized procurement, SaaS applications are often purchased by business units with little to no IT department involvement.

These reasons create a visibility gap in which IT – and the GDPR teams that rely on accurate reporting from IT – are unable to get a complete picture of all the personal data repositories in the enterprise.  Without this holistic picture, the GDPR foundation of personal data visibility is shaky and the mission-critical RoPA is likely incomplete and therefore invalid.  Importantly, a lack of understanding of SaaS-based personal data repositories makes GDPR compliance impossible and opens the door to audit findings and fines.

Risk Mitigation Steps

So what steps can GDPR teams take to ensure all personal data repositories are accounted for, regardless of delivery platform?

Step 1 – Establish automated discovery across on-premises and cloud environments

As noted, performing a data inventory is a critical component of GDPR compliance and is mandated under Article 30. Automated discovery solutions can help build this inventory not only initially but also keep it updated on an ongoing basis. Documents such as the RoPA need to be updated as new systems – both on-premises and cloud – are added or removed.

Step 2 – Determine what data is shared with vendors and how they handle it

One of the many ways GDPR is complex is that an organization is responsible not only for ensuring adequate security measures in its own environment, but also in the environments of vendors with whom it shares the personal data of its customers. Specifically, Article 28 of the GDPR lists items that a controller must include in its contracts with processors that will have access to EU personal data. Since many controllers share personal data with processors via SaaS applications, knowing what SaaS data you have also lets you identify which vendors are processing personal data. You can then work with these vendors to assess their approach to handling personal data and their overall data security practices.

As per GDPR, companies should mandate the processor only process personal data per documented instructions and have security measures in place. Companies may also need to include requirements specifying how vendors might assist in obligations such as data breach reporting.

Step 3 – Categorize personal data by type and know where it resides

Many GDPR processes will require organizations to know not only where personal data resides, but what type of personal data is stored.  For example, to manage a “right to be forgotten” request, companies must be able to find the personal data for a specific subject and then segment out what data needs to be deleted and what should be kept. This process must be done across all data repositories, both on-prem and SaaS-based.

Step 4 – Determine who has access to personal data

As with automated discovery solutions, most organizations do a reasonably good job of maintaining access controls for on-premises data repositories.  Again, in parallel with discovery, these controls break down when it comes to SaaS-based personal data repositories.  When it comes to SaaS, organizations frequently find simplistic access control hierarchies that give a wide swath of users visibility to personal data.  In addition, robust joiner, mover, leaver processes are often not applied to SaaS applications, leaving them exposed to employees who should not have access or have perhaps even left the organization.  Establishing access visibility and control for all personal data repositories, including SaaS-based repositories, is a critical component of GDPR compliance.
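One way to make the joiner, mover, leaver gap described above visible is to reconcile a SaaS application's user export against the HR roster. The script below is an added example, not code from the original post; the CSV layouts, role names and the departments allowed to hold an admin role are constructed assumptions.

```python
"""Reconcile a SaaS user export against the HR roster to surface leavers
still holding access, identities HR does not know about, and admin roles
granted outside approved departments (constructed example data)."""
import csv
import io

# Constructed HR roster: employment status per person (assumed layout).
HR_ROSTER = """email,status,department
ana@example.com,active,finance
bob@example.com,terminated,sales
cy@example.com,active,marketing
"""

# Constructed user export from a SaaS app holding personal data (assumed layout).
SAAS_USERS = """email,role
ana@example.com,viewer
bob@example.com,viewer
dee@example.com,admin
cy@example.com,admin
"""

# Departments permitted to hold the admin role in this app (assumption).
ADMIN_OK = {"finance"}


def load(text):
    """Parse an in-memory CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_text, saas_text, admin_ok=ADMIN_OK):
    """Return findings keyed by issue type; each value is a list of emails."""
    hr = {r["email"].lower(): r for r in load(hr_text)}
    findings = {"leaver_still_active": [], "unknown_identity": [], "overbroad_admin": []}
    for user in load(saas_text):
        email = user["email"].lower()
        rec = hr.get(email)
        if rec is None:
            findings["unknown_identity"].append(email)  # no HR record: JML never applied
            continue
        if rec["status"] != "active":
            findings["leaver_still_active"].append(email)  # left, account not removed
        if user["role"] == "admin" and rec["department"] not in admin_ok:
            findings["overbroad_admin"].append(email)  # admin outside approved departments
    return findings


if __name__ == "__main__":
    for issue, emails in reconcile(HR_ROSTER, SAAS_USERS).items():
        print(f"{issue}: {', '.join(emails) or 'none'}")
```

Run against real exports, the three finding lists become the evidence for Step 4 of the RoPA work: who can reach personal data in each SaaS repository and who should no longer be able to.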

Accounting for SaaS in GDPR Compliance

Much of the above guidance can be summed up by saying, “Treat SaaS just like any other system,” and as organizations move toward an environment in which SaaS is the dominant deployment platform, this advice will become easier to account for and implement. In the meantime, maintaining SaaS controls, especially with regard to GDPR compliance, will require special attention and dedication. Establishing a foundation of personal data visibility, regardless of deployment platform, is a critical step.