SAAS type services

Guest user | Created: Feb 01, 2018 | Last commented: Feb 01, 2018


Since we have a SaaS application, we're struggling with the scope. We have roughly two things to take care of:
Expert
Andrei Hanganu Feb 01, 2018

1. Internal processes. In our case we're a small organization, and the personal data of staff and new hires will only be processed by 1 administrative person or the direction itself. If we guide these in clear procedures, of which there are only a few, we should be OK here.
2. With our SaaS product we're processing personal data on behalf of our customers. Here we need to make sure our application supports:
a) The option to add extra statements and/or references to our customers' regulations regarding GDPR.
b) The ability to delete a person's data on request of the customer.
c) The ability to anonymize data on request of the customer.
d) Making sure we have decent processor agreements in place.
Since we already have ISO 27001 in place, the security of the product has already been standardized and documented. Is there any reason, and if yes which, to use all the templates provided in the toolkit? Because as far as I can see, the most effort will be a couple of application changes and an internal procedure.
We never use personal data for marketing purposes at all.

Answer:

From your description I understand that you are acting most of the time as a processor by providing SaaS type services. This actually limits to a certain degree your EU GDPR related risks, since some obligations are only applicable to controllers. For example, you don't have to deal with Data Subject Access Requests if the request comes from a data subject for whom you are not the controller; however, if a request comes from one of your employees, you will have to address it.

The same goes for data breaches: if the personal data affected by the breach belongs to one of your controllers, then you need to notify the controller and not the Supervisory Authority or the affected data subjects. However, if the breach affects personal data of your employees, then the data breach notification obligations will fall on you.

Another good example is compliance with the requirements of EU GDPR article 30 (https://advisera.com/eugdpracademy/gdpr/records-of-processing-activities/), which are applicable to both controllers and processors.

So, unless a thorough analysis of your activities is performed, we cannot advise you to discard any of the documents in the toolkit.
