Legal ground for SaaS

One thing GDPR asks of companies that process personal data is to make sure that whatever you’re doing with your customers’ data is legal.
Yes, the regulation is here to provide a clear framework of what can be done, and what can’t.
For a SaaS business, you’re pretty much covered by 3 cases:

Execution of a contract, consent from the person, and a legal obligation.

Let’s walk through the differences.

Usually, people sign up for a service and therefore accept your Terms of Service.
This is considered a contract.
Using this legal ground for your primary activity gets you covered.
Also make sure that your customer support activities are clearly described in your TOS/CGU.
You may need to process different contact info, stored in different places, but it’s better to rely on this legal ground.
Don’t forget to publish a privacy notice that explains what data is being stored, for how long, where, and how people can exercise their rights.

If you’re processing payments and issuing invoices, you’ll probably need to rely on legal obligation.
This is also because the personal data you store for this purpose should be retained for maybe ten years.
And this data won’t be eligible for erasure in the case of a Data Subject Access Request.

This means you can’t use the case of execution of a contract for this part.

Now, I would advise you not to use these same legal grounds for any marketing activity.
The people you’re marketing to are not your customers yet.
In that case, the safest and most straightforward way to make sure you’re within the regulation is to ask for permission.
First, make sure that people have a say in what is being done with their data.
Next, use that to your advantage to have a real relationship with the people you’re engaging with.
The bare minimum would be to put a widget asking for consent for each marketing activity (subscription to a mailing list, tracking pixel, third-party cookie).
Also, make sure to update your privacy notice where you inform people how they can exercise their rights and what kind of marketing activity you’re doing.
