Get Ready for GDPR: Essential Compliance Tips for Businesses | GBAF

Get Ready for GDPR: Essential Compliance Tips for Businesses | GBAF

Editorial & Advertiser disclosure

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Business > Time Is Ticking: Top GDPR Considerations for SaaS and Managed Service Providers

Time Is Ticking: Top GDPR Considerations for SaaS and Managed Service Providers

Published by Gbaf News

Posted on April 6, 2018

10 min read

Last updated: January 21, 2026

Battery production facility of Northvolt amid bankruptcy financing efforts - Global Banking & Finance Review — Image of Northvolt's battery manufacturing facility, highlighting its ongoing efforts to secure bankruptcy financing for restructuring and continuing operations in the EV battery market.

Written by Jose Casinha, Chief Information Security Officer, OutSystems

The General Data Protection Regulation (GDPR) Is right around the corner. The new regulation, which goes into effect on May 25, 2018, is arguably the most significant change in global privacy law in 23 years. Businesses must not only ensure that cybersecurity processes are in place to avoid facing financial penalties, but they must also take the time to assess that their software-as-service (SaaS) and managed service providers are compliant.

With May 25 less than two months away, the regulation places important new obligations on any business that handles the data of individuals living in the EU, independent of where the business is located. SaaS and managed service providers will need to ensure that they are complying with these regulations, and organisations choosing a SaaS or managed service provider should make sure the vendors they are considering comply with these regulations.

SaaS and managed service providers need to adapt and amend their services, contracts, and business processes to address the new requirements of the regulation. The consequences for non-compliance will be very costly. Infringement on certain articles of GDPR carries fines of up to €20M or up to 4% of the total global revenue for the preceding year, whichever is greater. Other fines carry penalties up to €10M or up to 2% of the total global revenue of the preceding year, whichever is greater.

The regulations apply regardless of where the personal data is retained—whether on paper or on servers in the cloud. However, the cloud poses quite a few specific compliance challenges.

Controllers and Processors

It’s important to understand everyone’s role in GDPR compliance. GDPR expands the scope of data security regulations. Previously, regulations only applied to the “controller,” meaning the person or organisation that determines the purpose and means of processing personal data. For example, a business would be the controller if it managed customer and employee data.

However, the GDPR extends the compliance responsibility to the “processor” of the data, which includes SaaS and managed service providers. The GDPR requires processors to develop and implement some internal procedures and practices to protect personal data. Most of those procedures and practices are related to information security management. Those who follow international standards like ISO 27001 or SOC2 are the most prepared for the GDPR challenges. Also, the processor must ensure that any subcontractors follow the requirements.

Data Location

GDPR requires that controllers and processors know where personal data is located for storage and processing. This restricts the ability to transfer personal data to countries or international organisations outside the EEA. SaaS and managed service providers may have or use servers outside the EEA, but the transfer of personal data must comply with GDPR data transfer principles. For example, a vendor’s cloud could be on Amazon Web Services (AWS), which would enable customer data to be stored in Europe, therefore complying with GDPR. Data transfer is easier if organisations select a provider with infrastructures located in multiple regions.

Businesses, as the controllers, must assess whether the security measures of their SaaS or managed service provider, the processor, meet the security requirements by conducting periodic audits. The same applies to a processor using a sub-processor. Each International Security Standard has its own security programme as part of the certification process. This means that, periodically, controls that are in place are evaluated, as is their compliance maturity level. As an example, ISO 27001 Annex A specifies 114 security controls that they are required to adopt, and any exclusions of adoption must be justified.

Rights of Individuals and Cloud Contracts

GDPR extends specific rights to individuals regarding the use of their personal data. These include the processes for transferring data and when to erase it. Even though these responsibilities are assigned to the controller, it will fall on the processors to adapt infrastructure or services to accommodate this. For example, choices about shared or dedicated databases must be considered according to the nature of the data schema.

The GDPR is prescriptive about the contents of the contracts established between controllers and processors and sets out many stipulations, including when to process personal data. As people become far more security-conscious about their personal data, there will be more regulations like GDPR. The best approach is to stay ahead of the regulations by launching security initiatives and keeping up with the latest security certifications. By adopting international standards in information security management, companies are much more prepared to handle new requirements.

Data Centre Providers

Data centre providers are also an important link in the GDPR compliance chain that cannot be overlooked. They have the ownership of the physical assets where information is stored. In that sense, they are considered processors and are required to manage personal data related to physical access control like biometrics, video surveillance, their own employees, and subcontractor information.

Getting Ready

The GDPR deadline is fast approaching and organisations have less than two months to be compliant. Without a doubt, the protection of customer and partner data is essential to the survival and success of every organisation. Everyone must understand these regulations and take responsibility for the data they work with, be they controllers or processors. Importantly, organisations must take the time to assess that their SaaS and managed service providers are compliant with GDPR before the deadline. GDPR compliance will ultimately improve data security, which is vital in today’s volatile cybersecurity landscape.

Written by Jose Casinha, Chief Information Security Officer, OutSystems

The General Data Protection Regulation (GDPR) Is right around the corner. The new regulation, which goes into effect on May 25, 2018, is arguably the most significant change in global privacy law in 23 years. Businesses must not only ensure that cybersecurity processes are in place to avoid facing financial penalties, but they must also take the time to assess that their software-as-service (SaaS) and managed service providers are compliant.

With May 25 less than two months away, the regulation places important new obligations on any business that handles the data of individuals living in the EU, independent of where the business is located. SaaS and managed service providers will need to ensure that they are complying with these regulations, and organisations choosing a SaaS or managed service provider should make sure the vendors they are considering comply with these regulations.

SaaS and managed service providers need to adapt and amend their services, contracts, and business processes to address the new requirements of the regulation. The consequences for non-compliance will be very costly. Infringement on certain articles of GDPR carries fines of up to €20M or up to 4% of the total global revenue for the preceding year, whichever is greater. Other fines carry penalties up to €10M or up to 2% of the total global revenue of the preceding year, whichever is greater.

The regulations apply regardless of where the personal data is retained—whether on paper or on servers in the cloud. However, the cloud poses quite a few specific compliance challenges.

Controllers and Processors

It’s important to understand everyone’s role in GDPR compliance. GDPR expands the scope of data security regulations. Previously, regulations only applied to the “controller,” meaning the person or organisation that determines the purpose and means of processing personal data. For example, a business would be the controller if it managed customer and employee data.

However, the GDPR extends the compliance responsibility to the “processor” of the data, which includes SaaS and managed service providers. The GDPR requires processors to develop and implement some internal procedures and practices to protect personal data. Most of those procedures and practices are related to information security management. Those who follow international standards like ISO 27001 or SOC2 are the most prepared for the GDPR challenges. Also, the processor must ensure that any subcontractors follow the requirements.

Data Location

GDPR requires that controllers and processors know where personal data is located for storage and processing. This restricts the ability to transfer personal data to countries or international organisations outside the EEA. SaaS and managed service providers may have or use servers outside the EEA, but the transfer of personal data must comply with GDPR data transfer principles. For example, a vendor’s cloud could be on Amazon Web Services (AWS), which would enable customer data to be stored in Europe, therefore complying with GDPR. Data transfer is easier if organisations select a provider with infrastructures located in multiple regions.

Businesses, as the controllers, must assess whether the security measures of their SaaS or managed service provider, the processor, meet the security requirements by conducting periodic audits. The same applies to a processor using a sub-processor. Each International Security Standard has its own security programme as part of the certification process. This means that, periodically, controls that are in place are evaluated, as is their compliance maturity level. As an example, ISO 27001 Annex A specifies 114 security controls that they are required to adopt, and any exclusions of adoption must be justified.

Rights of Individuals and Cloud Contracts

GDPR extends specific rights to individuals regarding the use of their personal data. These include the processes for transferring data and when to erase it. Even though these responsibilities are assigned to the controller, it will fall on the processors to adapt infrastructure or services to accommodate this. For example, choices about shared or dedicated databases must be considered according to the nature of the data schema.

The GDPR is prescriptive about the contents of the contracts established between controllers and processors and sets out many stipulations, including when to process personal data. As people become far more security-conscious about their personal data, there will be more regulations like GDPR. The best approach is to stay ahead of the regulations by launching security initiatives and keeping up with the latest security certifications. By adopting international standards in information security management, companies are much more prepared to handle new requirements.

Data Centre Providers

Data centre providers are also an important link in the GDPR compliance chain that cannot be overlooked. They have the ownership of the physical assets where information is stored. In that sense, they are considered processors and are required to manage personal data related to physical access control like biometrics, video surveillance, their own employees, and subcontractor information.

Getting Ready

The GDPR deadline is fast approaching and organisations have less than two months to be compliant. Without a doubt, the protection of customer and partner data is essential to the survival and success of every organisation. Everyone must understand these regulations and take responsibility for the data they work with, be they controllers or processors. Importantly, organisations must take the time to assess that their SaaS and managed service providers are compliant with GDPR before the deadline. GDPR compliance will ultimately improve data security, which is vital in today’s volatile cybersecurity landscape.