11 ways using SaaS apps affects your SMEs data security

Sign up for updatesPricingBlogProductContact us

As GDPR rolls out en masse, we all need to start thinking about our customers’ data with a little more emphasis on security and clarity. 

What about all of the third-party apps you use to facilitate business operations? 

That SaaS service that handles your marketing needs, and that team communication app helps you work faster and smarter — how do they play into GDPR?

Using SaaS and apps isn’t risk-free. 

And, a poor choice in vendor could leave you facing heavy fines. Let’s go over GDPR and how SaaS services and apps play a role in the current security economy. 

Time to see if your tech stack is actually secure or not.

#1 Their GDPR compliance

Think about everything you do online. When you pull up that latest level of Candy Crush or connect with your team via Slack, what happens to all of the data that you’re transmitting? Where does it go? 

Chances are, you probably have no idea. 

You probably think it gets fed into an algorithm or stored on a stale cloud server. But, the truth is, you don’t know.

This is where GDPR comes into play. The General Data Protection Regulation (GDPR) is a privacy law that impacts all of the EU and all companies that sell products or services to those located within the EU. In reality, its scope is global. And, almost every business that interacts with customers was supposed to be GDPR compliant by May 25, 2018.

GDPR impacts almost every avenue of data. Whether that’s storage, processing, usage, or even exchange between companies or users, all of that is protected under GDPR’s scope.

In particular, we’re interested in how GDPR plays a role in the daily apps and services that we all use for our business workflows.

Understanding GDPR

GDPR is incredibly broad. Let’s break it down— starting with who it applies to.

It’s safe to say that the primary purpose of GDPR is to ensure that personal data is protected against breaches among growing security concerns.

Did you know that 31% of companies have experienced a cyber attack? And that the average cost of a single malware attack on a company is $2.4 million? The Equifax breach cost them over $4 billion, and that was one breach.

The following buckets of business need to be GDPR compliant.

  1. Any business that deals with data (every business) in the European Union
  2. Any business that deals with data (again, this is everyone) that processes ANY data that originates from someone located in the EU.

It’s important to note that the GDPR language may confuse companies. In the law, it states that those with over 250 employees are the ones who must be GDPR compliant. But, it later states in article 30(5) that a company with fewer than 250 employees must comply if “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects.” To be clear, this is every business that deals with data. So, really, GDPR compliance must be carried out by ALL businesses regardless of headcount.

All parties involved in GDPR:

  • Data subject: This is your customer, or you, or your client, or really anyone that can have personal data.
  • Controller: This is the person (or entity) that controls the personal data. This person ultimately designates what happens to the data.
  • Joint controller: If there is another party that jointly determines what to do with the data (e.g., processing, etc.), they are the joint controller.
  • Processor: Whoever is responsible for processing the data is the data processor. Almost always this is a 3rd party service your company uses.
  • Sub-processor: If the processor uses other processing services, those services are sub-processors.

Let’s look at an example.

Let’s say that you run a brokerage service for clients. You take client personal data and you use a SaaS service to process that data and analyze it.

Your client is the data subject. Your business is the controller. And, that SaaS service is the processor.

Here’s an important point: the data controller is responsible for data breaches — even if they happen on the data processor’s watch.

Wait! What is considered “personal data” under GDPR?

Well, almost everything.

The list includes:

  • Geolocational and biometric data
  • Name, address, SSN, ID #, etc.
  • Web data (e.g., IP address, cookies, RFID tags, etc.)
  • Behavioral data (e.g., political orientation, etc.)

The list goes on. For app creators, it’s important to remember that cookies and trackers count as personal data.

This part is important. GDPR includes all of the data stored on servers or cloud services.

What is GDPR compliance?

Believe it or not — 56% of companies haven’t complied or won’t comply with GDPR.

Now that you know that GDPR is a privacy law enacted by the EU that applies to almost every business on the planet, let’s go over the ruleset that you need to adhere to if you want to remain compliant.

#2 Consent before collecting any data

“The data subject must at least be notified about the controller’s identity, what kind of data will be processed, how it will be used and the purpose of the processing operations” — GDPR

You have to ask users for consent before you start collecting data on them. This is packaged into Article 7 of the GDPR.

The nuance here is that customers must know that they are opting for consent. This means you can’t combine consent into a checkbox that just says “Agree to our Terms of Service.” It has to be distinguishable.

Within the scope of “consent,” there are a few particulars you should be aware of.

  • You must have a parent or legal guardian opt for consent if a person is under 16 years of age.
  • Your business needs to clearly define why it’s collecting data.
  • You should tell customers why data is being collected.
  • Users need to know how the data will be used

#3 Breach notifications

Both the proper authorities and customers must be made aware of a data breach “without undue delay and, where feasible, not later than 72 hours after having become aware of it” — GDPR

Remember all of those data breaches that hit the headlines? You probably do. But, do you remember how long it took for those companies to notify anyone of the breach?

You would be surprised.

The $4 billion Equifax breach happened mid-May. Customers were informed on Sept 7th. It took Equifax nearly 4 months to inform the public of the breach.

Then we have the LinkedIn hack back in 2012. They didn’t alert customers until 2016! The list goes on and on.

Under GDPR, companies have 72 hours to notify both the proper authorities and customers to any breaches.

Data controllers must make data subjects aware of a breach in 72 hours. And, Data Processors must make data controllers aware of a breach within 72 hours. It follows the following “chain-of-reporting”:

Data processor — Data controller — Data subjects

#4 Right of access

When a customer asks for their data, that “information must be provided without undue delay but at latest within one month.” — GDPR

Data subjects have the right to receive all of their personal data that businesses have collected. And, they have the right to know what kinds of data is collected and why it was collected.

Data subjects have the right to know how their data is used, why that data is being used, and what data is being collected.

You can categorize this into a few separate buckets:

  • How long the data is stored
  • All other entities that will touch this data
  • The categories of data you’re collecting
  • The purpose of this data acquisition
  • How you are using the data

#5 Right of erasure

The “data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.” GDPR

Not only do customers have the right to know how, where, and why their data is being used. They have the Right of Erasure. So, a customer can request that all personal data gathered on them be deleted.

Don’t worry! There are a few exceptions for things such as R&D, compliance, etc.

#6 Privacy by design

“The term “Privacy by Design” means nothing more than “data protection through technology design.” — GDPR

The GDPR lays out that all apps/websites/services be designed with privacy in mind. This dives into some of the more complex dev topics (e.g., Agile, DevSecOps, etc.) but the main point is that your app needs to be developed with privacy in mind. So, privacy should be a concern starting with your app blueprint all the way through operations and deployment.

This rule is a little ambiguous. But, really, businesses should already be gluing security and privacy concerns to their apps from the start — especially if they want to stay competitive in an evolving market.

#7 GDPR fines

Google was fined over $50 million in the largest GDPR fine to date.

To be clear, there is no carrot for businesses. GDPR fines are incredibly damaging in theory. Not only are the actions taken public (average loss of business post-breach is $4.2 million) but GDPR can fine a business 4% of its worldwide annual revenue (or up to ~$22.2 million).

That’s a chunk of change. Combine those fines with public actions and the costs of a single GDPR infraction can be incredibly high.

Risks associated with SaaS apps

Now that we’ve gone over GDPR, let’s talk a little about all of those apps and SaaS services that you use every day in your business.

As a small or medium-sized business owner, you’ve got a lot on your plate. Between employees, finances, compliance, and client concerns, the last thing you want to worry about is your tech stack.

But, now that GDPR is here, and you are responsible for your customers’ data, where do all of these SaaS brands and apps fit into the equation. How is that sales app handling your data? How does that marketing SaaS stack handle your customer information?

It can be scary. You don’t want to face the stringent fines enacted by GDPR — and you certainly don’t want your business data exposed to risk factors.

Let’s go over 5 risks associated with using SaaS services or apps for your business workflows and how you can overcome them.

#7 Data access risks

59% of all internet users (including SaaS app employees) use the same password for everything.

Probably the most obvious area of risk for business using SaaS solutions or apps for their daily workflows is data access. Who has access to all of your data? And, how do they handle that data in terms of policy and procedure? Of course, this also includes compliance. Are they compliant? How can you tell?

These are all great questions.

The easiest answer is that you should ask them. SaaS providers should have policies and procedure outlines that you can discuss with them prior to purchasing their solution. And, you can always find this information tucked into their Terms of Service Agreement.

Here are a few important points you should discuss with your SaaS/app provider.

  • What are their processes for handling data?
  • Who handles your data and how?
  • Do they have the certifications and compliance procedures that are necessary for your particular industry?
  • How do they segregate your data?
  • What kind of training programs and staff policies do they have in place to adequately protect your data?
  • What happens when the contract is over? Where does your data go?
  • How would they handle a data breach?
  • And, of course — are they GDPR compliant?

Remember, your SaaS service is the data processor. If there is a breach, they should report the breach to both authorities and you.

Note: When you ask them about their security procedures, they may be vague. In part, this could be because they are protecting their processes by ensuring that no one has access to their unique methodologies.

#8 Understanding Where Your Data is Located

SaaS Mag lists Location of Data and GDPR as the 3rd largest issue facing SaaS companies in 2019.

Here’s a question — where is your data physically located? GDPR doesn’t have any rules regarding data location baked into its articles, so it may seem terrifying not knowing where your data is actually at. If you work for a federal entity — don’t worry! Federal Information Security Management Act (FISMA) requires that providers keep your data stored in the country that you are located. So, if you live in the U.S., your data will be located in the U.S.

If you work anywhere else, you’ve got a little problem. You honestly don’t know. And, it gets worse once you start traveling out of the country.

Here’s where things start to get a little “sticky.” The SaaS provider you’re working with may transfer your data to one of their partners abroad for consumption if you travel. So, you may not always know where your data is at.

This can be a problem. Remember, GDPR covers stored data. And, if that data is opened to vulnerability during transfer, your company is going to receive damaging publicity via public action.

#9 What did you agree to?

91% of Americans agree to terms of service without reading them.

Let’s be honest. Most of us just click “I Accept” on the TOS in our day-to-day lives. That message pops us, you click yes, and you continue. 

That doesn’t work for businesses. You need to read the entire service agreement, which will state exactly how they will secure, hold, and manage your data. You also want to discover how long they will continue to update your app or SaaS service and how long your data will be managed.

All of this is captured in the service agreement. You need to read it and understand it. Furthermore, you should have multiple touchpoints for the service agreement. Make sure that your IT, business ops, and other department heads check off on the TOS before you purchase the solution.

Within this service agreement, you want to read over all of the sections and ensure that they adequately cover the protections embedded in GDPR. If not, you have an immediate issue.

So, what happens after you agree to the SaaS contract or download that business app?

  1. Once you agree, you download and install the app or service.
  2. Typically, you give the app or service access to both your company data and your customer data (if necessary.)
  3. All of this data that you’re giving the app or SaaS access to is stored on that SaaS company or app developers' servers. These are typically cloud servers. But, there are certain instances where these could by hybrid or legacy servers. You should discuss these details with your provider.
  4. From here on out, all of that business and customer data is managed, attributed, stored, and distributed by the SaaS or app developer. This means that you don’t have direct control over the data anymore.

This is why it’s incredibly important to talk about security safeguards before you click accept. Once you start using the service, your data and possibly your customer data is in the hands of another service.

And, most importantly, you’re still responsible for that data should they have a breach.

#10 Their security measures

SaaS-based phishing attacks rose by 237% last year.

GDPR does not cover any standardized means of security. In fact, the law leaves that part ambiguous for a reason. 

Every business has unique security methodologies, and each business vertical has individual requirements that fall in-line with various compliance procedures. But, that doesn’t mean you shouldn’t ask your SaaS/app provider which security measures they’re taking.

The most important is encryption. You have to make sure that the SaaS/app has excellent security measures. It’s a must.

But, your unique business needs will dictate how much security you need. If you deal in lots of sensitive data, you’re going to want details from your SaaS/app provider about their security handlings.

This is super important. GDPR puts the responsibility of adequate security measures on both the Data Controller and the Data Processor. This means that you are responsible for your data processor’s security measures. That may sound intimidating, and, let’s be honest, it is.

Make sure that you get clear, concise information on the types of security measures that your processor has in place.

#11 You don’t have control over your data

“If a vendor is not being transparent, it’s not that we distrust them, it’s that they haven’t given us enough evidence to trust them,” Gartner analyst Neil MacDonald

This is, by far, the scariest part of using SaaS services or apps: you don’t have control. 

And, that’s particularly alarming when you will be the one facing GDPR fines should your data processor have a breach incident.

There is some good here. You don’t have to worry about data management, which can be relieving. But, when you’re responsible for the actions of your processor, there’s a certain air of concern that you should have. Make sure that you use a processor that is vetted, responsible, and that you can communicate with on an effective level.

Final thoughts

Using SaaS/apps to facilitate business ops isn’t without risks. 

You’re never going to be perfectly clear where your data is and you relinquish control to another party. It’s important to understand that mistakes made by your vendors reflect on you. And, you’ll be the one facing GDPR fines and public actions should customer data contained within your SaaS provider’s cloud server get compromised.

Stéphane Cohen, founder of Rewhiz

Want to know when the next version of Rewhiz goes live?


Gapps Experts
19 West 34th Street, 
Suite 1018



Brought to you by Gapps Experts, Rewhiz is the only free SaaS management platform that allows tech-savvy SMEs to control their SaaS carbon footprint. Stay tuned for our product updates!

© 2020 Gapps Experts. All rights reserved.

Sign up for product updates