GDPR compliance for SaaS: a practical guide

8 min read · Updated June 2026

The GDPR governs how you process the personal data of people in the EU and UK. For a SaaS company it means having a lawful basis for processing, honouring data-subject rights, securing the data you hold, managing your processors under Article 28, and being able to demonstrate all of it. This guide covers the essentials.

What the GDPR is

The General Data Protection Regulation (EU 2016/679) is the EU law on processing personal data. The UK keeps an equivalent UK GDPR after leaving the EU, so most organisations treat the two together. It applies to any organisation that processes the personal data of people in the EU or UK, wherever the organisation itself is based.

It is a law enforced by data-protection authorities, not a certification you pass. The recurring theme is accountability: you must not only comply, but be able to show that you comply.

Controller or processor: know which you are

GDPR roles decide who is responsible for what. A controller decides why and how personal data is processed; a processor processes it on the controller's instructions. A SaaS vendor is usually a processor for its customers' data and a controller for its own (employees, prospects, website visitors).

The distinction matters because it drives your obligations, your contracts, and what you must tell people. Map each data flow to a role before anything else.

The core obligations

  • Lawful basis: have a valid reason to process, such as consent, contract, legal obligation, or legitimate interests.
  • Data-subject rights: handle requests for access, rectification, erasure, restriction, portability, and objection.
  • Security of processing (Article 32): apply appropriate technical and organisational measures, such as encryption and access control.
  • Breach notification: notify the supervisory authority within 72 hours of becoming aware of a qualifying breach, and affected people where required.
  • Data minimisation and retention: collect only what you need, and keep it only as long as you need it.
  • Transparency: tell people what you do with their data through a clear privacy notice.

Article 28 and your sub-processors

If you are a processor, Article 28 requires a written contract with your customer (a Data Processing Agreement) covering security, confidentiality, sub-processors, breach support, and deletion. You must also flow equivalent terms down to your own sub-processors and keep a current, published list of them.

Buyers increasingly check this during procurement, so a clear DPA and an up-to-date sub-processor list are part of selling, not just compliance.

International data transfers

Moving personal data outside the EU or UK needs a valid transfer mechanism: an adequacy decision for the destination country, or safeguards such as Standard Contractual Clauses with a transfer risk assessment. Hosting and storing data in the EU avoids many of these questions entirely.

How to evidence accountability

  1. Keep a Record of Processing Activities (Article 30): what data you process, why, and on what basis.
  2. Run a Data Protection Impact Assessment (Article 35) for high-risk processing.
  3. Maintain your security controls with owners, status, and evidence, not just a policy document.
  4. Log how you handle data-subject requests and breaches, so you can show your process worked.
  5. Review it on a cadence, because accountability is an ongoing state, not a one-off project.

Frequently asked questions

Is there a GDPR certificate?

Not in the way ISO 27001 has one. GDPR is a regulation enforced by data-protection authorities, and the expectation is demonstrable accountability through records and evidence rather than a certificate. Approved certification schemes exist in principle but are not the norm for most SaaS companies.

Does GDPR apply to a company outside the EU?

Yes, if it processes the personal data of people in the EU or UK, for example by offering them goods or services or monitoring their behaviour. The regulation has extra-territorial reach, so location alone does not put a company outside its scope.

What is the difference between a controller and a processor?

A controller decides why and how personal data is processed; a processor acts on the controller's instructions. A SaaS vendor is usually a processor for the customer data it hosts and a controller for its own data, such as employee and prospect records.
