This post originally appeared on CIO.com.
In just a few weeks, on May 25, 2018, the deadline for GDPR compliance arrives. For IT professionals who manage SaaS apps, GDPR compliance can be tricky: SaaS data sprawls across many services and accounts, which makes it hard to see and, in turn, hard to protect. Here is what you need to know to be GDPR compliant in the age of SaaS.
1. Who has the keys to your SaaS data?
GDPR is about protecting personal data. To adequately protect an individual’s data, a company needs to manage who has access to the data. For example, how many super admins do you have across your SaaS apps? If an employee transfers to another department or leaves the company, how is that access terminated across SaaS apps? Do you know who has the keys to your company’s personal data?
Companies need to manage not only super admins, but also ordinary employees: who has access to what data? Employees should have access only to the data their job function requires (least privilege). Access rights, and the business justification for each grant, should be documented so they can be reviewed and revoked when the justification no longer holds.
2. Is your SaaS data leaving the company?
Do you know what SaaS data is leaving the company? Employees often forward work email to their personal accounts (for example, an auto-forwarding rule from a corporate Gmail account to a personal Gmail account). Not only does company information then sit in a personal mailbox, it may also be downloaded to a personal computer and remain in an unsecured environment. The risk is highest when the data is financial information or special category data as defined in GDPR Article 9, such as health information, religious or political data, or trade union membership.
Employees also try to move data using USB drives or file-sharing services. Can you tell what is downloaded? What controls do you have on this type of data movement? How is this monitored? Unless you have visibility into this data, you can’t protect it—or be GDPR compliant.
3. Which SaaS data files do you have?
Performing a data inventory is critical to GDPR. It is required under Article 30 to record the processing activities of the company. This is not just a point-in-time exercise. These records need to be living documents that are updated on an ongoing basis. If you implement a new system or process, the data processing activity records will also need to be updated.
Knowing what SaaS data you have will allow you to also identify what vendors are processing personal data. Article 28 of the GDPR lists items that a controller must include in its contracts with processors that will have access to EU personal data.
Companies should already be stipulating that the processor only process personal data per documented instructions from the controller and have security measures in place. Additionally, companies may now need to include requirements for how vendors might assist in various obligations such as in the event of a data breach or individual rights requests. To meet this requirement, companies are sending data protection addendums.
To manage the individual rights requirements of GDPR, companies must know what kind of SaaS data is collected and where it is stored. If an individual asks for their data to be erased, then unless one of the exceptions applies, the company is expected to delete that person's data from every SaaS system that holds it. To accomplish this, companies need processes that keep their processing records current as systems and data flows change.
Where are you on your GDPR data management journey? Follow these steps to jump-start your path to GDPR compliance:
- Maintain an active list of your company’s access controls in SaaS apps, making sure only those who have a business purpose to a system are granted access. Review this list on a periodic basis.
- Create controls that limit and monitor SaaS data leaving the company externally through means such as email forwarding, USB, or third-party sharing services.
- Perform a data inventory of personal data on EU residents. Create a process that captures changes to the environment dynamically.
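The first two steps above (the access review and the egress check) can be automated once you have the exports in hand. The script below is an added example, not code from the original post or from any vendor tool: it joins a constructed HR roster against constructed per-app access exports to flag accounts of departed employees and super admins with no documented justification, and it scans constructed mailbox forwarding rules for destinations outside the company domain. The app names, addresses, roles and the `example.com` domain are all made up; a real review would pull the same fields from your HR system and from each SaaS app's admin console or API.

```python
"""Access review and mail-forwarding egress check over constructed sample exports."""
from dataclasses import dataclass

# All data below is constructed for illustration; none of it is real.
COMPANY_DOMAIN = "example.com"

HR_ROSTER = {  # email -> HR status
    "alice@example.com": "active",
    "bob@example.com": "active",
    "carol@example.com": "terminated",
    "dave@example.com": "active",
}

SAAS_ACCESS = {  # app -> [(email, role, documented business justification)]
    "crm": [
        ("alice@example.com", "super_admin", "IT platform owner"),
        ("bob@example.com", "user", "sales"),
        ("carol@example.com", "user", "sales"),    # terminated in HR, still has access
        ("dave@example.com", "super_admin", ""),   # admin with no justification recorded
    ],
    "hris": [
        ("alice@example.com", "super_admin", "IT platform owner"),
        ("dave@example.com", "super_admin", ""),
    ],
}

MAIL_FORWARDING_RULES = [  # (mailbox, forward-to address), e.g. from a mail admin export
    ("bob@example.com", "bob.personal@gmail.com"),
    ("alice@example.com", "helpdesk@example.com"),
    ("dave@example.com", "dave@example.com.evil.net"),  # look-alike domain
]


@dataclass(frozen=True)
class Finding:
    kind: str     # orphaned_account | undocumented_admin | external_forward
    app: str
    subject: str
    detail: str


def review_access(roster, access):
    """Flag grants for non-active HR records and super admins lacking a justification."""
    findings = []
    for app, grants in access.items():
        for email, role, justification in grants:
            status = roster.get(email)
            if status != "active":
                findings.append(Finding("orphaned_account", app, email,
                                        f"HR status: {status or 'not in roster'}"))
            if role == "super_admin" and not justification.strip():
                findings.append(Finding("undocumented_admin", app, email,
                                        "super admin with no documented business justification"))
    return findings


def super_admin_counts(access):
    """How many super admins each app has; a quick sanity check for admin sprawl."""
    return {app: sum(1 for _, role, _ in grants if role == "super_admin")
            for app, grants in access.items()}


def is_external(address, company_domain):
    """True unless the address domain is the company domain or a subdomain of it.

    An exact/suffix match is used deliberately: a naive substring check would accept
    look-alikes such as example.com.evil.net.
    """
    domain = address.rsplit("@", 1)[-1].lower()
    company = company_domain.lower()
    return not (domain == company or domain.endswith("." + company))


def review_forwarding(rules, company_domain):
    """Flag forwarding rules whose destination is outside the company domain."""
    return [Finding("external_forward", "mail", mailbox, f"forwards to {target}")
            for mailbox, target in rules if is_external(target, company_domain)]


if __name__ == "__main__":
    for f in review_access(HR_ROSTER, SAAS_ACCESS) + review_forwarding(MAIL_FORWARDING_RULES, COMPANY_DOMAIN):
        print(f"{f.kind:20} {f.app:6} {f.subject:22} {f.detail}")
    print("super admins per app:", super_admin_counts(SAAS_ACCESS))
```

Run periodically against fresh exports and keep the output with the access list, since it doubles as the review evidence. The forwarding check only covers server-side rules; client-side forwarding and downloads need controls in the mail or file-sharing platform itself.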
For more information on how IT teams can prepare for GDPR, download our free whitepaper here: Demystifying GDPR: IT’s Crash Course to Compliance.