
How to comply with GDPR as a SaaS business

Mariano Rodríguez
Nov 27, 2019 | Last Updated Dec 04, 2019

A few years ago, GDPR compliance took not only Europe but the world by storm. You couldn’t go to any site or app without the popup. It’s amazing how laws in one part of the world can affect companies far away, but a huge privilege of SaaS is that your clients can be anywhere! With great privilege comes great responsibility. SaaS companies have a big responsibility to handle customer data properly, and laws are catching up to enforce that more explicitly.

Because SaaS companies work so closely with customer data, it’s a legal imperative that they comply with GDPR and take the necessary steps on their sites and apps so that problems don’t come up later.


It sounds a bit overwhelming, but with a few easy boxes checked, you can make sure you’re protected against data law infringement for your clients worldwide.

Here’s a quick, easy guide to GDPR compliance for SaaS companies specifically:

Read the law:

We all rely on the cliff notes, but for something this important, reading the full text is probably for the best. GDPR is not just about adding the pop-up to your site and moving on. Anyone within your organization who handles customer data needs to know and understand the law in order to make the best, safest decisions in the future. This is particularly important for SaaS companies because customer data management is so much more intricate and integral than on a basic website. Apart from legal, the other roles that need to understand what GDPR covers are developers, marketers, sales teams, and leadership. Decisions about which third parties to use and which tools to integrate into your processes can affect GDPR compliance. These roles have to work together to make sure customer data is handled and protected properly and that the right approvals are taking place.

Read it in its entirety here.

Cliff notes (because we know you’re busy):

  • Rights of the data subject (the user): Chapter 3
  • Responsibility of the controller (you): Chapter 4, Article 24
  • Conditions for consent (pop-ups): Chapter 2, Article 7

Update your policies: 

After reading up on the law, make the changes necessary to your specific processes to be compliant. Then, outline this in your privacy policy so users can understand how you do it. This is really where people will check the details of your compliance. Be specific here, and simply reference the policy from other areas of your site like pop-ups and footnotes. Many companies have added a GDPR compliance section to their privacy policies that directly addresses the requirements.

[Image: GDPR policies]

Map out where you take personal data:

This is important for determining where to inform users about your data collection and processing policies and where to ask for their consent before moving forward. You want to make sure it happens early enough in the sign-up or sales process to be compliant. There is a lot to consider. Where do you start tracking customer data? Right as they land on the homepage? If you have a marketing or sales tool that tracks customer data for retargeting, or that uses cookies, you need to make users aware on your home page and have them opt in to continue. Opt-in on the homepage is best practice; it avoids the confusion of asking for permission later in the browsing experience. Most sites do this, as you know. Another detail to think of is the moment you take customer info in a contact form or sign-up form. It’s best practice to add a link to your privacy policy there so users can read up on what you do with customer data and what their rights are. Within your app, when users first sign up and log in, have them opt in to having their usage data tracked, so that consent covers their usage from the first interaction on. The point is to cover all the bases so there are no surprises later on.

You should also support the right to be forgotten, i.e. the right to have data erased. We added an easy way for admins to search for any Beamer user by email or ID and have their data deleted.

Have a DPA (Data Processing Agreement) signed:

Another part of the new regulations that come with GDPR is having a Data Processing Agreement signed with all your data processors. All businesses and products use third-party tools that come into contact with customer data, like an encryption service, an emailing service, etc. As a SaaS providing services in the EU, you must ensure you have signed a Data Processing Agreement with every vendor who may have access to your users’ data. In addition, if your SaaS product is itself a sub-processor, you must have your own DPA signed by your clients. The DPA lets users know which third-party tools have access to their data and how.

Here’s what your Data Processing Agreement needs to include: 

  • You need to let users know that anyone who has access to data is sworn to confidentiality.
  • All technical and organizational measures are taken to protect data.
  • Clarification on what personal data is collected and for what purpose.
  • There will be no sub-processors without further DPAs signed. 
  • The processor will help the controller uphold their obligations under the GDPR.
  • The processor will help the controller maintain GDPR compliance with regard to the security of processing and consulting with the data protection authority before undertaking high-risk processing.
  • The processor agrees to delete all data upon the termination of services.
  • The processor must allow the user to conduct an audit and provide whatever information necessary.

Full requirements can be read here on the GDPR page. 

Now, there might be some confusion about who the players are and with whom you should have a DPA in place. Here is an example with Beamer as a data processor of other businesses’ data:

[Image: GDPR players]

Add the pop up: 

You will need to do the popup thing. It used to be annoying, but I think we’re all pretty used to it now and expect it. Some companies have managed to avoid having an actual “accept” button by just letting users know that if they ignore the popup and continue to engage with the site, they are “automatically” consenting to the privacy policies. You can do this, or you can just do the regular pop-up – most users know the drill. In your pop-up, you want to let users know that you use their data or cookies and that they can find more information in your privacy policy, which you should link to. You’ve likely seen this format. It is very simple and to the point. You can make it discreetly appear as soon as users arrive, to get it out of the way on any page, or make it a checkbox when they sign up for your app so it’s taken care of.

[Image: GDPR cookies compliance]
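The pop-up is only meaningful if the trackers it asks about actually wait for the answer. As an added example (not Beamer’s code), the module below keeps analytics and cookie-based trackers unloaded until the visitor opts in, remembers the decision under a policy version so that a later policy change re-prompts instead of reusing an old “yes”, and records a decline as a decision so the visitor is not nagged again. The storage key name and the `policyVersion` string are assumptions; in the browser `storage` is `window.localStorage`, and `memoryStorage()` is a constructed stand-in so the module also runs offline in Node.

```javascript
const CONSENT_KEY = "gdpr_consent"; // assumed storage key

// Build a consent gate over any object with getItem/setItem
// (window.localStorage in a browser, memoryStorage() below for tests).
function createConsentGate(storage, policyVersion) {
  const deferred = []; // tracker loaders waiting for an opt-in

  // The stored decision, or null when there is none or it was given under a
  // different policy version (an old "yes" does not carry over).
  function read() {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try {
      const saved = JSON.parse(raw);
      return saved && saved.version === policyVersion ? saved : null;
    } catch (e) {
      return null; // corrupt value: treat as "never asked"
    }
  }

  // True while the banner should be shown.
  function needsPrompt() {
    return read() === null;
  }

  // True only after an explicit opt-in under the current policy version.
  function hasConsent() {
    const saved = read();
    return saved !== null && saved.analytics === true;
  }

  // Register a tracker loader (e.g. the function that injects an analytics
  // <script>). It runs now if consent already exists, otherwise only after
  // record(true); a decline leaves it unrun.
  function whenConsented(loader) {
    if (hasConsent()) loader();
    else deferred.push(loader);
  }

  // Persist the visitor's choice with a timestamp (useful evidence of when
  // consent was given), then release loaders waiting on an opt-in.
  function record(optedIn) {
    storage.setItem(
      CONSENT_KEY,
      JSON.stringify({
        version: policyVersion,
        analytics: optedIn === true,
        at: new Date().toISOString(),
      })
    );
    if (optedIn === true) {
      while (deferred.length) deferred.shift()();
    }
  }

  return { needsPrompt, hasConsent, whenConsented, record };
}

// Constructed in-memory replacement for localStorage.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => {
      map.set(k, String(v));
    },
  };
}
```

In a page, create the gate once (`createConsentGate(window.localStorage, "2019-12")`), register each tracker with `whenConsented`, show the banner only when `needsPrompt()` is true, and wire the accept and decline buttons to `record(true)` and `record(false)`. Bumping the version string whenever the privacy policy changes is what makes the consent match the policy the user actually read.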

Make a clear plan to get in touch with users in the case of a data breach: 

One of the most important parts of GDPR is keeping users informed about what happens to their data. If there is a data breach, you need a plan for how you’re going to let them know and how you’ll keep an open flow of communication with users. Emails are standard practice but often go ignored, so it’s best to notify users in context as well. Using Beamer, you can alert users of a data breach, or even just a change in policy, both on any page of your website and directly within your app. Beamer is a changelog and notification center widget that opens when users click a “What’s New” tab in your navigation or an icon in your interface. A discreet in-app sidebar appears with all the latest updates. It’s an in-context, easy way to let users know what’s going on. You can add links to your privacy policy or to a support chat or email, along with images and videos, to make updates more informative.


Beamer is GDPR compliant for you and your users and we’ve outlined how we use data in our privacy policy so you can easily make us a part of your GDPR compliant processes as well. Read more here. Curious about how Beamer can help you be GDPR compliant and better communicate with users? Try it out.