Compliance · 29 March 2026

GDPR Compliance for SaaS Platforms: What UK Businesses Need to Know

A practical guide to GDPR compliance when using SaaS software. Covers data processing, storage, access rights, and what to ask your software vendor.

Onarvo Team

GDPR Still Matters in 2026

Four years after Brexit, UK businesses still need to comply with GDPR — or more precisely, the UK GDPR as incorporated by the Data Protection Act 2018. The rules haven't relaxed. If anything, the ICO has become more active in enforcement.

When you use SaaS software to manage employee data, customer information, or care records, you're entrusting personal data to a third party. Understanding your obligations — and your vendor's — is essential.

Your Role: Data Controller

As the business using the software, you are the data controller. You decide what data to collect, why, and how it's used. Your SaaS vendor is the data processor — they process data on your behalf, according to your instructions.

This means:

  • You're responsible for having a lawful basis to collect and store personal data
  • You're responsible for responding to data subject access requests (DSARs)
  • You're responsible for reporting breaches to the ICO within 72 hours
  • Your vendor is responsible for keeping that data secure and only processing it as instructed

What to Ask Your SaaS Vendor

Before signing up for any software that handles personal data, ask:

1. Where Is My Data Stored?

UK GDPR requires adequate protection for personal data. If your data is stored in the UK or EU, you're generally fine. If it's stored in the US or elsewhere, your vendor needs appropriate safeguards (like Standard Contractual Clauses).

Best answer: "UK data centres only."

2. Do You Have a Data Processing Agreement?

A DPA is legally required under Article 28 of UK GDPR. It should cover: what data is processed, the purpose, security measures, sub-processor obligations, and breach notification procedures.

Red flag: No DPA available, or it's buried in generic terms.

3. How Do You Handle Data Subject Requests?

If an employee or customer asks to see their data (DSAR), or requests deletion (right to erasure), your software needs to support this. Can you export an individual's data? Can you delete it completely?

Best answer: "We provide data export and deletion tools in the platform."

4. What Happens If There's a Breach?

Your vendor should notify you promptly — the 72-hour ICO notification clock starts when you become aware, so faster vendor notification gives you more time to assess and report.

Best answer: "We notify customers within 24 hours of confirmed breaches."

5. Who Are Your Sub-Processors?

Your vendor likely uses other services (cloud hosting, email delivery, analytics). These sub-processors also handle your data. You're entitled to know who they are.

Best answer: A published list of sub-processors, updated when changes occur.

Key Areas for UK Businesses

Employee Data (HR Software)

HR systems hold sensitive data: salaries, health information, disciplinary records, right-to-work documents. Your lawful basis is typically "legitimate interest" or "contractual necessity" for most HR data, and "legal obligation" for right-to-work checks.

Ensure your HR software:

  • Encrypts data at rest and in transit
  • Supports role-based access (not everyone needs to see salaries)
  • Maintains audit trails of who accessed what
  • Can export or delete individual records on request

Customer Data (CRM)

CRM data often includes names, emails, phone numbers, and interaction history. Lawful bases include "legitimate interest" for B2B marketing and "consent" for direct marketing to individuals.

Ensure your CRM:

  • Records where each contact's data came from
  • Supports opt-out/unsubscribe mechanisms
  • Can suppress (not just delete) contacts to prevent re-adding them
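As an added example (not Onarvo's code), a small Python sketch of the three CRM points above: each contact records its source and marketing opt-in, unsubscribe flips the opt-in, and erasure removes the record but leaves a keyed hash of the normalised address so a later list import cannot silently re-add the person. The key, names and addresses are constructed for the example.

```python
import hashlib
import hmac

# Constructed demo key; a real deployment would keep this in a secrets store.
SUPPRESSION_KEY = b"constructed-demo-key-not-for-production"


def normalise(email: str) -> str:
    return email.strip().lower()


def suppression_token(email: str) -> str:
    """Keyed hash of the normalised address, stored instead of the address."""
    return hmac.new(SUPPRESSION_KEY, normalise(email).encode("utf-8"),
                    hashlib.sha256).hexdigest()


class ContactStore:
    def __init__(self) -> None:
        self.contacts = {}       # normalised email -> record
        self.suppressed = set()  # tokens only; no personal data retained

    def add(self, email: str, name: str, source: str, opt_in: bool) -> bool:
        """Refuse to (re)create a contact whose address is suppressed."""
        if suppression_token(email) in self.suppressed:
            return False
        self.contacts[normalise(email)] = {
            "name": name, "source": source, "opt_in": opt_in}
        return True

    def unsubscribe(self, email: str) -> bool:
        record = self.contacts.get(normalise(email))
        if record is None:
            return False
        record["opt_in"] = False
        return True

    def erase(self, email: str) -> bool:
        """Right to erasure: drop the record, remember only the token."""
        removed = self.contacts.pop(normalise(email), None) is not None
        self.suppressed.add(suppression_token(email))
        return removed

    def export(self, email: str):
        """DSAR export of one individual's data, or None if unknown."""
        record = self.contacts.get(normalise(email))
        return None if record is None else {"email": normalise(email), **record}

    def mailable(self) -> list:
        return sorted(e for e, r in self.contacts.items() if r["opt_in"])
```

The suppression set holds only HMAC tokens, so the store can enforce "do not re-add" without keeping the erased address itself.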

Care Records (Care Software)

Care records contain special category data — health information, medical history, mental health assessments. This requires explicit consent or a social care exemption under Schedule 1 of the DPA 2018.

Ensure your care software:

  • Has strict access controls (care workers see only their service users)
  • Maintains complete audit trails for CQC inspections
  • Stores data in UK data centres (especially important for health data)
  • Supports data retention policies aligned with care record requirements

A GDPR Compliance Checklist

For any SaaS tool you use:

  • [ ] Data Processing Agreement signed
  • [ ] Data stored in UK/EU (or adequate safeguards in place)
  • [ ] Encryption at rest and in transit
  • [ ] Role-based access controls
  • [ ] Audit logging enabled
  • [ ] Data export capability (for DSARs)
  • [ ] Data deletion capability (right to erasure)
  • [ ] Breach notification process documented
  • [ ] Sub-processor list available
  • [ ] Privacy policy updated to reference the tool

How Onarvo Handles GDPR

Onarvo is built with privacy-by-design:

  • UK data centres — your data stays in Britain
  • Encryption at rest and in transit
  • Role-based access — Owner, Admin, Member with module-level permissions
  • Audit trails across all modules
  • Data export and deletion tools for DSAR compliance
  • DPA available on request
  • Sub-processor transparency — published list
