Trickle down GDPR — why every ISV is impacted
GDPR background
From May 25, 2018, any company processing the personal data of people in the European Union must comply with the GDPR’s stringent rules or face fines of up to 4% of global annual turnover (or €20 million, whichever is higher). Underpinning the regulation is the principle of “privacy by design”, which means compliance cannot be an add-on but must be baked into the operational DNA of the organization.
The General Data Protection Regulation (GDPR) is the new data privacy regulation proposed by the European Commission and adopted by the European Parliament and the Council of the European Union, aiming to “strengthen and unify” data protection for individuals within the European Union. GDPR consists of 99 Articles plus 173 Recitals; the Recitals set out the reasoning behind the Articles and are used to interpret them. The regulation replaces the old Data Protection Directive (95/46/EC), which has been in effect since 1995.
GDPR applies to organizations…
- Holding or processing personal data of data subjects in the EU
- Offering goods or services to data subjects in the EU, whether or not payment is required
- Monitoring the behaviour of data subjects in the EU (web analytics and tracking included)
The law applies to any company whose processing concerns the personal data of EU data subjects, irrespective of where the company (controller or processor) is located.
That means most ISVs and their customers.
The biggest change, particularly for US companies, is how consent works. Where processing relies on consent, it must be a freely given, specific, informed and unambiguous “opt-in”: pre-ticked boxes, silence and inactivity do not count, and consent must be as easy to withdraw as to give. This is in stark contrast to the US approach of “use the data until the customer opts out”.
Why should I worry — we’re small?
Many ISVs, even though they hold EU data and clearly need to comply with GDPR, are adopting a “keep your head down” strategy.
I got a junk email from a multi-national lead generation company that claims that Google, Box, and Square have used them for over 3 years to build contact and account data for their reps. But when I emailed back asking how they were intending to comply with GDPR, the reply I got was somewhat surprising:
“Great question, we’re following our client’s lead in most cases and taking a wait and see approach to the new policy. We have many Fortune 1000 clients that are not taking an active approach to the policy and are continuing their outbound efforts.”
I can see that companies are treating GDPR as yet more unnecessary red tape foisted on them by the EU. What many don’t appreciate is that this is the new normal. Data privacy law is catching up with how customer data is actually distributed and used. And whilst it is being driven from the EU, similar standards will be created over the next few years in every developed country. In summary, GDPR is “about being honest with customer data.”
There are real benefits from the effort required to comply with GDPR, so it can have a positive ROI. The benefits fall into three areas: reputation, data clean-up, and process improvement. And if you accept that you are going to have to comply anyway, why not get ahead of the herd and turn it to your advantage? This is explored in the article “benefits not fines”.
We’ll never need to comply
GDPR doesn’t seem like a priority item. Revenue is more important. Closing that next big lighthouse customer logo.
Which is why GDPR IS going to be an issue. Those lighthouse customers you want to win are definitely worrying how they comply with GDPR. They are looking at where their customer data is stored and how it is processed. They know that they are under the spotlight of the regulators who want a couple of high profile scalps — and fines of 4% of global revenue — to drive home the message GDPR is serious.
As an ISV you are probably holding their data. You are definitely processing it. So you are the “data processor” in the relationship, and under GDPR a processor has direct obligations of its own (a written contract with the controller, processing only on documented instructions, appropriate security measures, and breach notification to the controller). Your customers will want to know how you are going to help them comply with GDPR. As you think about that, you will turn around to your own app providers and ask them the same question. And so on down the levels.
Everyone in the food chain, from the largest multi-national to the most innovative startup in the tech space, is going to get caught up in this. Which is good for all of us as consumers who are fed up with being constantly spammed.
OK, I get it. So how should I comply?
It is not hard.
The major activities are:
- Build a data inventory of all apps down to field level: This may seem arduous, but there are ISV apps (elements.cloud) that can do this automatically and are far quicker, easier and more sustainable than spreadsheets.
- Identify every field in the data inventory that holds personal data: This is a large one-off activity, but it then has to be kept up to date as fields are added or changed. Some fields can be pre-categorised from their name or type; free-text fields still need human review because staff type names and phone numbers into them.
- Ensure that every item of end-customer personal data has a lawful basis for holding it: GDPR (Article 6) recognises several bases, including consent, performance of a contract, a legal obligation and legitimate interests. Where consent is the basis, this may mean going back to obtain explicit opt-in consent, and if it is not obtained the data must be deleted. Treat it as an opportunity to re-engage end customers and purge obsolete data.
- Provide an electronic means to submit a request: In practice this means a web page or email address where a data subject can exercise one of the six rights you will most often see invoked: access (the “subject access request”), rectification, erasure (the “right to be forgotten”), restriction of processing, data portability (the right to receive their personal data in a machine-readable format) and the right to object. Requests must normally be answered within one month (Article 12), so you also need the back-end processes to deal with each one, which is the next point.
- Document the new GDPR processes and revise existing ones: Specific processes need to be in place to make sure that staff do not inadvertently break the rules. This may be a huge change for many marketing, sales and support teams.
- Train teams on the implications of GDPR: The core principles of GDPR need to be understood by all staff, and they must know how to find the operational processes that relate to their role.
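To make the first two steps and the “keep it up to date” requirement concrete, here is an added example that is not code from this article or from Elements.cloud. It builds a field-level inventory across two hypothetical apps (a CRM and a helpdesk), tags the fields likely to hold personal data from their names and, where the name is inconclusive, from the shape of a sample value, flags free-text fields for review, and diffs the result against the previous run so newly added or changed fields are surfaced. The app schemas, the previous-run snapshot and the rule set are all constructed for illustration; a real classifier would be broader and every hit would still be confirmed by a person.

```python
"""Field-level personal-data inventory with change alerts (constructed example).
The schemas, the 'previous run' snapshot and the rule set are illustrative."""
import json
import re

# Field-name patterns that usually indicate personal data (hypothetical rule set).
NAME_RULES = {
    "contact_name": re.compile(r"(^|_)(first|last|full)?name($|_)", re.I),
    "email":        re.compile(r"e-?mail", re.I),
    "phone":        re.compile(r"phone|mobile|fax", re.I),
    "address":      re.compile(r"address|street|postal|postcode|zip|(^|_)city($|_)", re.I),
    "gov_id":       re.compile(r"(^|_)ssn($|_)|passport|national_?id|tax_?id|licen[cs]e", re.I),
    "birth_date":   re.compile(r"birth|(^|_)dob($|_)", re.I),
    "online_id":    re.compile(r"(^|_)ip($|_)|ip_?addr|user_?agent|cookie|device_?id", re.I),
}
# Value-shape patterns, tried when the name is not conclusive: this is what
# catches a vaguely named custom field that actually holds e-mail addresses.
VALUE_RULES = {
    "email":     re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "phone":     re.compile(r"^\+?\d[\d\s().-]{6,}\d$"),
    "online_id": re.compile(r"^(\d{1,3}\.){3}\d{1,3}$"),
}
FREE_TEXT_TYPES = {"textarea", "longtext", "richtext"}


def classify_field(name, ftype, sample=None):
    """Return a personal-data category for one field, or None if nothing matched."""
    for category, pattern in NAME_RULES.items():
        if pattern.search(name):
            return category
    if isinstance(sample, str):
        for category, pattern in VALUE_RULES.items():
            if pattern.match(sample.strip()):
                return category
    # Free text is where staff type names, numbers and complaints; it cannot be
    # cleared automatically, so it is flagged for human review.
    return "free_text" if ftype in FREE_TEXT_TYPES else None


def build_inventory(schemas):
    """Flatten app -> object -> fields into one inventory keyed 'app.object.field'."""
    inventory = {}
    for app, objects in schemas.items():
        for obj, fields in objects.items():
            for f in fields:
                category = classify_field(f["name"], f["type"], f.get("sample"))
                inventory[f"{app}.{obj}.{f['name']}"] = {"type": f["type"], "category": category}
    return inventory


def personal_data_fields(inventory):
    """Fields that need a lawful basis (or a review decision) recorded against them."""
    return sorted(k for k, v in inventory.items() if v["category"] is not None)


def diff_inventory(previous, current):
    """Fields added, removed or changed since the last run, so the inventory is
    kept current as apps are customised rather than rebuilt from scratch."""
    return {
        "added":   sorted(k for k in current if k not in previous),
        "removed": sorted(k for k in previous if k not in current),
        "changed": sorted(k for k in current if k in previous and current[k] != previous[k]),
    }


# Constructed schemas for two hypothetical apps (a CRM and a helpdesk).
SCHEMAS = {
    "crm": {
        "Contact": [
            {"name": "Id", "type": "id", "sample": "0031t00000AbCdE"},
            {"name": "FirstName", "type": "string", "sample": "Ada"},
            {"name": "Email", "type": "email", "sample": "ada@example.com"},
            {"name": "Custom_Field_7__c", "type": "string", "sample": "ada@example.com"},
            {"name": "Notes__c", "type": "textarea", "sample": "Prefers callbacks after 5pm"},
        ],
        "Opportunity": [
            {"name": "Amount", "type": "currency", "sample": "12000"},
            {"name": "StageName", "type": "picklist", "sample": "Prospecting"},
        ],
    },
    "helpdesk": {
        "Ticket": [
            {"name": "subject", "type": "string", "sample": "Login fails"},
            {"name": "requester_phone", "type": "string", "sample": "+44 20 7946 0000"},
            {"name": "client_ip", "type": "string", "sample": "203.0.113.7"},
        ],
    },
}

# Stand-in for the stored snapshot of the previous run: the custom field did not
# exist yet and Notes__c was still a plain string.
PREVIOUS_INVENTORY = {k: dict(v) for k, v in build_inventory(SCHEMAS).items()}
del PREVIOUS_INVENTORY["crm.Contact.Custom_Field_7__c"]
PREVIOUS_INVENTORY["crm.Contact.Notes__c"] = {"type": "string", "category": None}

if __name__ == "__main__":
    current = build_inventory(SCHEMAS)
    print("Personal-data fields:", personal_data_fields(current))
    print("Changes since last run:", json.dumps(diff_inventory(PREVIOUS_INVENTORY, current)))
```

Run against the constructed schemas, the inventory tags `Custom_Field_7__c` as e-mail purely from its sample value, flags `Notes__c` as free text for review, and the diff reports the custom field as added and `Notes__c` as changed, which is exactly the change alert an admin wants when someone adds a field to a production org. Persisting the inventory as JSON between runs is all that is needed to turn this into a recurring check.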
Below is a more detailed GDPR implementation plan. Several of the steps have links — shown by the paperclip — to the relevant GDPR Article (clauses) or supporting information. The colored corner indicates there is a lower level diagram with more detail.
The final word
GDPR and recent data breaches have put data privacy in the spotlight. Customers that move fast to demonstrate “privacy by design” will earn trust, confidence and deeper engagement with their end customers. ISVs can close deals faster by positioning themselves as part of the GDPR solution when customers re-evaluate their data management and apps.
The Elements.cloud GDPR solution can help you analyze your risk, enable you to comply, and highlight ongoing non-compliance. All this for just $730 per year per Editor. Viewers are free.
DATA: Don’t spend hours building spreadsheets of data fields for all your apps that you know will be out of date tomorrow. Use an Elements Ref Model to validate your personal data fields (Salesforce sync, CSV import for other apps). We’ll even do the heavy lifting by pre-qualifying the fields and highlighting potential personal data. And we alert you to changes.
PROCESS: Quickly map processes with links to supporting information. Apply version control that satisfies the regulators. Make the maps available so your staff understand how to maintain compliance. We’ve even built some example processes you can copy as a starting point.
One of two very informative and useful articles by Ian on GDPR. It may be a little misleading to suggest that the Recitals specifically “provide explanatory text to aid interpretation of the Articles” as I believe that they are about setting out reasons for the provisions of the Regulation. However, they do provide some insight into intent. I think that ISVs should pay particular attention to ‘Article 7 Conditions for consent’ as the requirements may not necessarily be met simply because someone has installed a solution.
Higher Ed Tech Strategy & Innovation at Huron
7 years ago: GDPR makes me sad. Ian Gotts shows the way!
Head of Operations at iQlink
7 years ago: Yes, I completely agree. Not being able to demonstrate that you comply doesn’t seem a huge deal right now, but is likely to be a barrier to entry when doing business after May. I’m now being asked on an almost daily basis (by customers/prospects) to explain our approach and progress towards achieving compliance!