SaaS Agreements – Data Protection – Policies and Procedures

SaaS suppliers must have adequate data protection policies, procedures and checks in place when employees or third parties are handling SaaS customer data or face the risk of being heavily fined by the Information Commissioner’s Office (ICO) for breaches of the Data Protection Act 1998 (DPA).

Torbay Care Trust

A health trust in Torquay was recently fined £175,000 for breaches of the DPA after it accidentally published sensitive date of more than 1,000 staff on its website. The sensitive data contained the names, religion, sexuality, date of birth and National Insurance numbers of employees – which had been collected in an internal diversity response exercise.

Obligations under the DPA

Under the DPA you must have:

  • appropriate organisational measures to prevent the unauthorised use of personal data; and
  • effective policies and procedures for handling personal data,

in place.

The Trust was found to be in breach of both of these obligations, as it had no internal guidance on what should and should not be published online and had no adequate checks in place to identify potential data disclosure problems.

Appropriate Organisational Measures & Effective Policies

In order to avoid similar breaches (and fines) for disclosure of SaaS customer data, SaaS suppliers should have a data protection policy in place that all staff have read, accepted and understood. This should be regularly updated to reflect changes in the law and staff should be provided with basic data protection training on a regular basis.

In addition, SaaS suppliers should have robust procedures in place for managing SaaS customer information. For example access to the customer’s information should be controlled and monitored in order to make the information more secure and thus minimise the risk of any accidental or unauthorised disclosure.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To register for my newsletter click here


Other related articles: