We use SaaS vendors quite a lot in our company. How can we fulfill the requirement of having signed Supplier Data Processing Agreements with large SaaS vendors, for example an IBM, Microsoft, Cisco, etc., who are unlikely to sign something like that? Then, at the other end of the size spectrum, how about small vendors who we pay something like $50/mo. who have probably never dealt with GDPR? For example, a small SaaS vendor that hosts calendaring and appointment schedule for our clients.
Regarding big SaaS suppliers as the ones you mentioned, all of them have either Privacy Policies or Terms and Conditions that you most likely agreed on when purchasing the services. These documents regulate the processing activities between you and the suppliers.
These documents will be updated for sure to meet the requirements of the EU GDPR at least when talking about suppliers like Microsoft.
Nevertheless, the obligations posed on processors such as the ones mentioned in article 28 of the EU GDPR (processor must not appoint a sub-processor without the prior written consent of the controller, processors must implement appropriate technical and organisational security measures to protect personal data, etc.) would still be applicable even if they are not mentioned in a contract or any other legally binding document.
If they don’t comply with the above mentioned obligations they would be facing fines from the competent Supervisory Authorities. You could also bring them to court if they failed to fulfill their legal obligations as regards to EU GDPR compliance and you suffered a loss as a result.
Moving to the small SaaS providers, these, regardless of their size, should be compliant with the EU GDPR (assuming the GDPR applies to them based on art. 3 of the EU GDPR). For these suppliers you would need to have a signed Data Processing Agreement (DPA). The Supplier Data Processing Agreement can be found under folder 7 of the EU GDPR Documentation Toolkit.
Depending on the types and categories of personal data processed by one of these suppliers a Due Diligence process might be necessary. For the Due Diligence process the Processor GDPR Compliance Questionnaire, which can be found under folder 7 of the EU GDPR Documentation Toolkit, can be used.