There Is No Such Thing as GDPR-Compliant Software or SaaS Solution
Recently, I stumbled about the first marketing campaigns of vendors claiming that they have a “GDPR compliant” application or SaaS offering. GDPR stands for General Data Protection Regulation and is the upcoming EC regulation in that field, which also has an extraterritorial effect, because it applies to every organization doing business with EU residents. Unfortunately, neither SaaS services nor software can be GDPR compliant.
GDPR is a regulation for organizations that regulates how to protect the individual’s PII (Personally Identifiable Information), which includes all data that could potentially be used to identify an individual. Thus, organizations must enforce GDPR compliance, which includes, e.g., implementing the new principles for user consent such as informed and unambiguous consent per purpose; the right to be forgotten; and many other requirements. GDPR also states that software which is used to handle PII must follow the principles of Security by Design (SbD) and Privacy by Design (PbD). Both are rather fuzzy principles, not being formally defined yet.
Thus, a software vendor or SaaS provider could state that he believes he is following the SbD and PbD principles. But that does not make him GDPR compliant. It just builds the foundation for a customer, enabling that organization becoming GDPR compliant. But to put it clearly: An organization dealing with PII can be GDPR compliant. A service provider that acts as “data processor” in the context of GDPR can be GDPR compliant (for its part of the system). But a software application or a SaaS service only can provide the foundation for others to become GDPR compliant. There just is no such thing as GDPR compliant software.
Vendor marketing departments would be well advised to use such terms carefully, because claiming to provide a GDPR compliant offering might make their customers think that they just need to install certain software or turn the key of a turnkey SaaS solution and they are done. Nothing could be more misleading. There is so much more to do for an organization to become GDPR compliant, starting from processes and contracts to using the software or SaaS service the right way. Understanding what GDPR really means to an organization is the first step. KuppingerCole has plenty of information on GDPR.
Don’t hesitate to contact KuppingerCole via firstname.lastname@example.org for our brand-new offering of a GDPR Readiness Assessment, which is a lean approach in understanding where your organization is in your journey towards GDPR compliance and which steps you have to take – beyond just choosing a tool.