SaaS Agreements – Brexit – How Brexit and the GDPR will affect SaaS Businesses

SaaS suppliers are subject to the General Data Protection Regulation (GDPR) which applies directly in all Member States of the European Union (EU).

Many UK SaaS suppliers are concerned about continued compliance with the GDPR in light of the uncertainties surrounding “Brexit”.  UK SaaS suppliers should be aware that they will still be obliged to comply with the the GDPR after Brexit.

Will the GDPR apply in the UK after Brexit

Regardless of the timing of Brexit and any agreement reached between the UK and the EU on the terms under which the UK will leave the EU, the GDPR automatically applies in the UK, until UK data protection laws are amended.

GDPR applies to UK SaaS Suppliers despite Brexit

Regardless of when and how Brexit takes place, or any subsequent changes made to UK data protection laws, the GDPR will still apply directly to SaaS suppliers located within the UK if:

  • They offer goods or services to SaaS customers located within the EU (i.e. in any of the remaining 27 EU Member States); or
  • They monitor the behaviour of EU data subjects;

Even though UK SaaS suppliers will no longer be located within the EU themselves after Brexit.

GDPR will apply to non-EU SaaS Suppliers

The GDPR also automatically applies to all SaaS suppliers located outside of the EU i.e. in the USA, if:

  • They offer goods or services to SaaS customers located within the EU; or
  • They monitor the behaviour of EU data subjects, even though the SaaS supplier is not located within the EU.

Complying with the GDPR

The following are the main obligations that all SaaS suppliers, who are subject to data processor obligations under the GDPR, will need to comply with:

  • Having specific minimum terms in a written data processing agreement with all customers;
  • Keeping records of all categories of processing activities that they carry out;
  • Obtaining prior written consent to the subcontracting of any data processing activities;
  • Notifying customers of any breach of their obligations, without undue delay, after becoming aware of the breach;
  • Appointing a data protection officer (DPO) in specific circumstances; and
  • Allowing customers to choose between deletion or return of all personal data.

Fines for Breach

Data subjects can now claim damages directly from SaaS suppliers who breach:

  • Any obligations under the GDPR; or
  • Any lawful instructions of the customer.

In addition data protection authorities are able to fine SaaS suppliers up to 4% of annual global turnover or 20m Euros (whichever is higher) for breaches of the GDPR.

Preparing for Change

The current position with regard to Brexit is unclear and subject to change. However, all SaaS suppliers supplying SaaS services to customers located in the EU need to be aware that the GDPR still applies to the UK following Brexit.

SaaS suppliers who plan to provide SaaS services to individuals located in the EU after Brexit, need to take the following actions:


Irene Bodle is an IT lawyer specialising in SaaS, with over 14 years experience dealing with SaaS, cloud computing matters and IT law issues. If you require assistance with any SaaS agreements, cloud computing matters or any other IT legal issues please contact me at:

To register for my newsletter click here


Other related articles: