Data Protection Law
SaaS providers can have many different relationships with data. If the SaaS (Software-as-a-Service) provider is simply allowing customers access to technical data then the provider may only be collecting login, name and payment details from their customers. However, some SaaS providers create platforms where their customers can upload data on a vast range of scales and for a wide range of reasons. Whatever the service being offered, it is important to remember that data protection compliance affects all SaaS providers and so should never be overlooked.
When do data protection rules apply?
Data protection law only applies to what is called ‘personal data’. Personal data is information that relates to an identified or identifiable individual. What identifies an individual could be as simple as a name or a number, or could include less obvious identifiers such as an IP address, a cookie identifier or other factors. If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.
For SaaS providers this could mean a number of things. When collecting personal data from customers in order to allow them access to a platform, the provider must ensure that data protection rules are complied with. However, it could also be the case that the SaaS product the provider supplies allows users to upload personal data. It may also be the case that a SaaS provider’s platform enables customers to allow their clients (customer’s clients) to upload personal data onto their platform. This is where the distinction between a data controller and data processor becomes important.
SaaS providers – data controller or data processor?
All organisations, including SaaS providers, are data controllers. But SaaS providers can be data processors as well. While data controllers are responsible for the processing of personal data, data processors follow the instructions of data controllers when processing personal data. Here are some scenarios:
- A SaaS provider offers access to a media streaming platform. Customers provide a username, password and pay for the service. The SaaS provider in this instance is the data controller of all the customer personal data it collects.
- A SaaS provider offers access to a platform on which its customer organises online events with its clients. In order to use the service, the customer’s staff liaise with the SaaS provider over email. The customer also allows its clients’ staff to upload personal data to the platform so they can organise, co-ordinate and host events. This personal data will include the names and contact details of individuals attending the events. In this instance the SaaS provider is the data controller of the personal data exchanged between itself and its customer’s staff. However, the SaaS provider is a data processor for any personal data about event attendees uploaded to the platform by its customer’s staff (or by the attendees themselves).
SaaS providers – obligations when data controller
SaaS providers will have more obligations under data protection laws when they are the data controller of personal data than if they are the data processor. Instances in which a SaaS provider is most likely to be a data controller include:
- Contract administration with customers.
- Operating a help desk.
- Monitoring and enforcing software usage restrictions.
- Advertising and marketing its goods and services to its customers.
As the data controller in these instances, SaaS providers will be responsible for ensuring their processing of personal data complies with all data protection rules (found most often in the UK GDPR, DPA 2018 and also the PECR rules). Obligations for data controllers include:
- Compliance with the data protection principles set out in Article 5 of the UK GDPR. These principles form the foundation of the lawfulness of processing personal data; compliance with them is an obligation of controllers, not of processors.
- Must ensure individuals can exercise their rights, such as the rights of access, rectification, erasure and data portability.
- Must ensure technical and organisational security measures are in place.
- Must only use processors that provide sufficient guarantees around data protection.
- Must enter into processor contracts with data processors.
- Must notify the ICO (UK data regulatory authority) of any data breaches.
- Accountability obligations such as keeping records, data protection impact assessments and appointing data protection officers.
- Must comply with UK GDPR’s restrictions on international transfers of personal data.
- Co-operate with supervisory authorities.
- Must pay the ICO a data protection fee.
SaaS providers – obligations when data processor
SaaS providers will have fewer obligations under data protection laws when they are acting as a data processor rather than a data controller. Instances in which SaaS providers are most likely to be acting as a data processor include:
- Providing a platform on which their customers upload content including personal data.
- Providing a platform through which customers provide services to their clients.
Data processors have less autonomy and independence over the data they process, but they do have several direct legal obligations under UK data protection law and are subject to regulation by supervisory authorities. Obligations include:
- Only process personal data on the controller’s instructions.
- Must enter into processor contracts with controllers.
- Must not engage another processor (a sub-processor) without the controller’s prior specific authorisation.
- Must implement appropriate technical and organisational measures to ensure the security of personal data.
- Must notify the controller of personal data breaches.
- Must notify the controller of potential data protection infringements.
- Accountability obligations such as maintaining records and appointing a data protection officer.
- Any personal data transferred out of the UK needs to be authorised by the controller.
- Co-operation with supervisory authorities.
We help SaaS providers with SaaS contracts and data protection compliance. One question that often arises is whether or not, when acting as a data processor, the SaaS provider needs to have a privacy notice presented to users of their platform. The short answer is no, the SaaS provider does not need to provide a privacy notice to platform users. The onus in this case is on the data controller (the SaaS provider’s customer) to provide a privacy notice to users of the SaaS provider’s platform.
However, it is often the case that a SaaS provider’s customer (the controller) does not have a privacy notice ready to be used on the platform and so it can be helpful to have a template ready for them to use. Users of the platform should at least be presented with some form of notice explaining who the controller of their personal data is.
The UK GDPR requires controllers and processors to adopt a risk-based approach to data security. It requires both the controller and any processor to “ensure a level of security appropriate to the risk”. The purpose of a risk-based approach is to assess the potential risks inherent in a particular activity and to identify and implement techniques to control and minimise any potential impacts. There is no one-size-fits-all approach to security.
The legislation makes specific reference to the following data security measures that controllers and processors should consider:
- Pseudonymisation and encryption of personal data.
- The ability to ensure ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data.
- The ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
Customers commonly require their SaaS suppliers to implement appropriate technical and organisational measures when processing personal data, to ensure a level of security appropriate to the risk. This is not controversial: it is mandated by the controller-to-processor contract terms required under the UK GDPR.
There are potentially high fines that may be imposed under the UK GDPR. Liability and losses in a SaaS context can arise, for example:
- For breach of the contractual terms that the UK GDPR requires to be included in a controller-to-processor contract.
- As a result of a breach of the UK GDPR by the SaaS provider that results in a fine imposed on a customer or compensation claims from data subjects. These fines can be as high as £17.5 million or 4% of the total annual turnover of the undertaking.
For this reason, SaaS providers will generally seek to limit liability for breach of these types of obligations, while a customer will generally seek to carve out liability for breach of these types of obligations from any liability cap.
SaaS providers – here to help
SaaS providers offer services which, compared to many other types of service, tend to be relatively low in risk. The one area of risk which SaaS providers do have to look out for, though, is data protection, so it is crucial that the provider understands whether it is processing data on its platform as a data processor or as a data controller.