With GDPR now in force, maintaining compliance is imperative. However, the growing use of Software as a Service (SaaS) has become a GDPR landmine threatening to undermine compliance efforts.
One of the foundations of GDPR compliance is a holistic picture of all personal data repositories across the enterprise. Increasing SaaS usage makes establishing this picture more difficult as the discovery tools and methodologies in use in many organizations are focused on – or even functionally limited to – scans of on-premises data centers.
To ensure GDPR compliance, marketing teams must better understand which cloud applications access and house customers’ personal data. This understanding helps to reduce IT’s visibility gap which is widening as cloud solutions are increasingly purchased directly by business units, such as marketing, instead of through the IT team. Without an accurate view of SaaS usage, the GDPR foundation of personal data visibility is shaky and opens the door to audit findings and fines.
Minimizing GDPR Non-Compliance Risks
Step 1: Perform ongoing data inventory
To mitigate these risks, performing an accurate data inventory is critical—as is conducting this exercise on a regular basis to ensure personal data isn’t sneaking in as new cloud tools are adopted. Automated discovery solutions help ensure accuracy, as they can sift through thousands of applications and easily identify SaaS solutions that house or process personal data. Manual inventory analysis simply won’t find many of these data repositories.
Step 2: Determine what data is shared with vendors and how they handle it
One of the many ways GDPR is complex is that an organization is responsible not only for ensuring adequate security measures in its own environment but also in the environments of vendors with whom it shares the personal data of its customers. Since many organizations share personal data with processors via SaaS applications, knowing what SaaS applications are in use will allow you to also identify what vendors are processing personal data. You can then work with these vendors to assess their approach to handling personal data and overall data security practices.
Step 3: Categorize personal data by type and know where it resides
Many GDPR processes will require organizations to know not only where personal data resides, but what type of personal data is stored. For example, to manage a “right to be forgotten” request, organizations must be able to find the personal data for a specific subject and then segment out what data needs to be deleted and what should be kept. This process must be done across all data repositories, both on-premises and within SaaS applications.
Step 4: Govern access to personal data
While access controls are often properly regulated for on-premises data repositories, the opposite is often true when it comes to SaaS-based personal data repositories. This gap in access control governance, which exposes personal data to employees who should not have access to it or who have perhaps even left the organization, represents a major violation of the GDPR. Once personal data is identified and categorized, organizations must do a better job of controlling who can access this data, regardless of where it is housed.
Defusing SaaS Landmines to Achieve Compliance
Maintaining SaaS controls, especially with regard to GDPR compliance, will require special attention and dedication. As we go forward in the era of GDPR, marketers and IT teams alike must understand how every new project, software deployment and policy impacts the collection, processing, and storage of personal data. In time, we will be evaluating how every company decision affects personal data side by side with how we assess the impact of each decision on the bottom line.