SaaS Backup Applications and GDPR Compliance: Privacy Compliance is a Strategic Priority

By Indu Peddibhotla - Senior Director, Market & Product Research
September 8, 2020

With data strategy increasingly at the core of business growth and success, it’s vital to understand the relationship between your data and GDPR. This is relevant to both companies within the EU and global companies that have exposure to any data initiating from the EU – which is often referred to as the exterritorial effect of the regulation.  Yes, GDPR started in the EU, but companies outside of it are impacted if personal data of EU individuals is processed regardless of whether that processing takes place in the EU or not, and irrespective of whether it is a part of a transaction or even unrelated to any payments.

In a prior post, we detailed the key concepts of GDPR along with guiding principles for how an organization should approach compliance. Here, we’ll expand on the concepts, specifically as they apply to SaaS applications. This will involve walking through how Metallic, Commvault’s SaaS data protection product, was designed from day one with data privacy at its heart.

For SaaS applications and GDPR compliance, you must start by determining whether you’re collecting and/or processing the personal data of EU subjects. If yes, then you must comply with the regulation. Otherwise, your business remains vulnerable to fines and brand integrity loss, among other things.

With the widespread adoption of SaaS platforms and the collection of consumer data, privacy concerns have risen in several nations, with non-EU states passing GDPR-like regulations on data usage. For example, the California Consumer Privacy Act (CCPA) was signed into law in June 2018 to enhance and protect the data privacy of California residents. This global regulatory shift should make customer data privacy and data protection a central tenet of your operational philosophies and procedures.

Whether your business is a Data Controller or a Data Processor will also play a significant role in your approach to complying with GDPR. At a high level, Controllers make the decisions to collect and process personal data, deciding what type of data to collect and how it’s implemented or deployed. Controllers are subject to the most stringent of GDPR laws, while Data Processors or sub-processors typically act at the Controller’s instructions.

Let’s look at how Metallic supports the data and transaction location requirements of GDPR.

Data location matters with GDPR

GDPR requires that all data collected on EU citizens, as a general rule, must be stored either in the EU–keeping it subject to European privacy laws–or within a jurisdiction enforcing similar levels of protection.1 Metallic has global data centers supporting every major region, letting our customers localize and choose where their data is backed up. For SaaS applications that are collecting and processing personal data, we recommend having data processed and stored in the same region where it’s collected.

Data security is fundamental to everything we do

From a personal data security perspective, GDPR is about implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Look at any Metallic product, whether Endpoint, Office 365, or Core, and you’ll find state of the art, robust security capabilities that can be tailored to address the risks you and your organization find relevant. Most importantly, this includes the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing and services and the ability to restore the availability and access to data in a timely manner in the event of an incident. Endpoint data is protected through sophisticated tools like anomaly detection, remote wipe, and back-data isolation. Office 365 isolates the backup data separate from the source, ensuring data can be accessed in the case of data loss. These are just a couple of examples of the built-in security to support data integrity requirements.

Enhancing data security with data management

A fundamental principle of GDPR is being able to respond to data subject requests to search and delete data. Data management tools allow administrators to meet these GDPR requirements, and Metallic provides that visibility, making searching for and recovering data easier than ever before.

GDPR involves data protection

To be compliant, your company must meet accountability, data minimization, security, including integrity, confidentiality, and resilience requirements.2 Metallic delivers the capability to monitor compliance policies as well as the amount and types of data stored.

As you expand into the EU, or work with companies that do business in the EU, trust Metallic to have the expertise and capabilities to meet stringent GDPR compliance requirements. Learn more by visiting or signing up for our free trial today.

1) Archive360, Data Sovereignty and the GDPR; Do You Know Where Your Data Is?, Feb 14, 2019
2) Amara, 7 Principles of the GDPR and What They Mean