Tracey O'Connell

SaaS providers: Why you should think before you complete DPIAs for your clients

Clients often ask SaaS providers to complete Data Protection Impact Assessments (DPIAs). These can prove to be an enormous, time-consuming headache and can expose the SaaS provider to liabilities or claims relating to data security that it never envisaged.

Many SaaS providers are under the illusion that they have to complete DPIAs. Legally, that is not always the case, and here is why not:

Cloud providers only legally need to complete a DPIA if they are data controllers in respect of the personal data being processed by them on the SaaS platform.

  1. Under the UK GDPR, a business's data protection obligations depend on whether it is a data controller or a data processor in respect of the personal data being processed.

  2. In data protection terms, most SaaS providers are data processors. It is usually the access to the client's personal data, or to client end-user data, during delivery of the support and maintenance function that makes the SaaS provider a data processor.

  3. The UK GDPR places the obligation to complete DPIAs, in certain circumstances, on data controllers. So, legally, if the cloud provider is a data processor, it does not need to complete DPIAs for the client.

However, it is not that simple, and here is why not:

Even if the SaaS provider is a data processor, it has a legal duty to offer assistance to the controller.


However, that legal duty does not include completing the DPIA form, and the duty to assist is not a carte blanche duty. Article 28(3)(f) says the data processor's duty to assist should take into account the nature of the processing and the information available to the processor. Further guidance referred to by the ICO within its own DPIA guidance also says the following:

"Each product provider or processor should share useful information without neither compromising secrets nor leading to security risks by disclosing vulnerabilities".

Although this example has a specific context, it does demonstrate that the data processor's obligation to assist is very much relative to the processing scenario in question.

The ICO also advises the client data controller that it may need to ask the data processor for information and assistance.

Although there is no strict legal obligation on the data controller client to consult the data processor (there is a legal need to consult others, such as the Data Protection Officer, relevant experts, other stakeholders and sometimes the data subjects themselves), ICO guidance recognises that the data controller may need to consult the data processor in some circumstances.

DPIA or assessment of data processor – does your client even know?

It is important to understand that the client data controller has a legal obligation to ensure, among other things, that the data processor has given sufficient guarantees that it will implement appropriate technical and organisational measures to meet the requirements of the UK GDPR and to protect the rights of data subjects. It has long been established that the ICO does not regard contracts alone as sufficient to obtain these assurances.

It is possible that the client's request to complete the DPIA is really an attempt to satisfy this legal requirement rather than a genuine part of completing the DPIA. It's possible the client doesn't even know! (We see that a lot). Either way, a SaaS provider that is a data processor should think twice about completing the client's DPIA, as it may inadvertently inherit liability or responsibility, not to mention the time spent.

The commercial reality for SaaS providers

Irrespective of any legal obligation to provide a DPIA, it is in every SaaS provider's commercial interest to identify when it is a data processor, to understand the client's drivers and concerns, and to be able to respond to them, perhaps by compiling a standard response to client questions at the due diligence stage – but without straying into unnecessary legal waters!

If you have any questions, please contact tracey@law-point.co.uk or call 01202 729444.