GDPR considerations when implementing software usage analytics
In just a few weeks, sweeping changes intended to better protect the personal data of individuals in the European Union go into effect. Given the networked, global nature of our economy, the General Data Protection Regulation (GDPR) is likely to touch even the smallest businesses.
As the May 25, 2018 compliance deadline inches closer, there isn’t a compliance officer on the planet who isn’t consumed with making sure every asset that stores, processes or leverages personal data is covered. Fines for noncompliance are steep.
Organizations can be fined up to 4 percent of their worldwide annual turnover for the preceding financial year, or 20 million euros (approximately $24 million), whichever is greater (source). And should a breach occur, the expectations for transparency are high and broad: the regulation requires the controller to notify the supervisory authority within 72 hours of becoming aware of a personal data breach, and to inform the affected data subjects without undue delay when the breach is likely to result in a high risk to them (source).
If you use a usage intelligence solution, you may wonder how to ensure compliance when an external intermediary processes or stores the personal data covered by GDPR. Companies that run technology subject to the regulation should keep the following in mind.
These guidelines are not legal advice, but companies that use usage and compliance intelligence software should consider them.
Ensuring Compliance: Who Is Responsible?
Under GDPR, the “data controller” is responsible for ensuring that the principles and requirements of the regulation are met, such as collecting and managing consent. But when a third party (like a software usage and compliance analytics vendor) processes or stores the data, it can be confusing as to who is actually the data controller. Let’s clarify the roles as they are defined in the new regulation.
Under the regulation, the controller is the one who “determines the purposes and means of processing of personal data” (source). The data processor is the one who processes the data on behalf of the controller. In short, the “data controller” is your company, and the “data processor” is the third-party software vendor you’re working with. The “data subject” is the end user, the individual you’re collecting information about.
This means that if you’ve implemented usage or compliance intelligence software, that vendor is the data processor. Even though the vendor stores, works with, and augments information on your behalf, you are the data controller. The vendor may only process a data subject’s personal information on your documented instructions. In short, as data controller, you are accountable under GDPR for ensuring that the principles are met.
What does that mean? Simply stated, it is the obligation of the data controller to use only processors that provide sufficient guarantees of compliance, to bind them by a written data processing agreement (Article 28), and to confirm that the requirements of GDPR have been met by your usage and compliance intelligence vendor. The vendor should have at the ready a current summary of its GDPR status in the event of an inquiry.
Is Consent Needed?
There are several approaches that can be used to lawfully process personal information under GDPR. One of them is obtaining consent from the data subject.
Currently, many organizations obtain consent by having an end user accept an End User License Agreement (EULA). But under GDPR, the bar is much higher. Consent must be given by a clear affirmative act, be freely given, be specific and informed, and be unambiguous. Consent may be withdrawn at any time, and withdrawing it must be as easy as giving it (Article 7).
Here’s the good news: consent isn’t necessary when leveraging compliance intelligence software. The regulation (Recital 47) protects the legitimate interest of the data controller when collecting and processing data for compliance intelligence. The processing of personal data “strictly necessary for the purposes of preventing fraud” constitutes a legitimate interest of the data controller concerned. Legitimate interest is still subject to a balancing test: the controller must weigh its interest against the rights, freedoms and reasonable expectations of the data subject.
While it’s not explicitly called out in the regulation, the improvement of products and services may also be considered a legitimate interest. The Article 29 Working Party (the EU’s data protection advisory body) lists processing for research purposes (including marketing research) among the legitimate interests of a data controller, provided it is balanced against the rights and freedoms of the data subject. Note that this refers to the Working Party’s guidance, not to Article 29 of the regulation itself.
And while consent isn’t always necessary, companies are encouraged to obtain it anyway, especially with certain customer bases or geographical locations. Because a request for consent must be clearly distinguishable from other matters (Article 7), present it on its own screen rather than burying it in the EULA. Furthermore, provide an opt-in or opt-out setting so users can change their choice at any time.
The fairness and transparency standard will also need to be addressed. This requires you to include a privacy notice that states the legal basis for the processing, whether a third party (such as your analytics vendor) will have access to the data, and in what geographical location the processing will take place.
Reduce risk, optimize opportunity
How is personal data defined? In Breyer v Bundesrepublik Deutschland, Case C-582/14, the Advocate General’s opinion of 12 May 2016 (followed by the Court of Justice of the European Union’s judgment of 19 October 2016) took the position that an IP address combined with ISP records constitutes personal data in the hands of the website provider. More broadly, even if you’re not an ISP, the reasoning applies if you “could keep [the IP address] indefinitely and could request at any time from the Internet access service provider additional data to combine with the IP address in order to identify the user.”
It is recommended to collect only the minimum amount of personal information necessary to meet your goals when gathering information and providing it to a third party like a software usage intelligence provider. Most providers let you choose whether to collect organization IP addresses and other application and machine environment data; use those controls, and collect IP addresses only where they serve a defined purpose, such as pinpointing organizations that infringe your license terms.
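As an added illustration (not code from the original article or from any analytics vendor), the following Python client-side event builder enforces the points made above before anything leaves the machine: it honours the user’s opt-out setting, keeps only an allow-list of fields (data minimisation), coarsens the IP address so it identifies a network rather than a host, and replaces the machine identifier with a keyed HMAC pseudonym whose key stays with the controller, so the processor cannot reverse it. The field names, the opt-out flag, the sample event and the key are assumptions made for this example. One caveat a practitioner should keep in mind: pseudonymised data is still personal data under GDPR (Recital 26), so this reduces risk but does not take the data out of scope.

```python
"""
Added example, not from the original article or any vendor SDK.
Builds the telemetry event a client would send to a usage-intelligence
processor, applying opt-out, field allow-listing and pseudonymisation.
Field names, the opt-out flag and the sample data are assumptions.
"""
import hashlib
import hmac
import ipaddress

# Fields the analytics purpose actually needs. Anything else is dropped
# before the event is handed to the processor (data minimisation).
ALLOWED_FIELDS = {"product", "version", "os", "feature", "client_ip", "machine_id"}

# Constructed sample event, including fields that must NOT reach the vendor.
SAMPLE_EVENT = {
    "product": "ExampleApp",
    "version": "3.1.0",
    "os": "Windows 10",
    "feature": "export_pdf",
    "client_ip": "203.0.113.77",
    "machine_id": "MACHINE-8841-XYZ",
    "username": "alice",            # not needed for analytics: dropped
    "email": "alice@example.com",   # not needed for analytics: dropped
}

# Assumed secret held by the controller only; never shipped to the processor.
CONTROLLER_KEY = b"controller-held-secret-key"


def truncate_ip(ip_text):
    """Coarsen an IP address to its network: IPv4 to /24, IPv6 to /48.

    The result still locates the organisation (useful for licence
    compliance) but no longer singles out one host.
    """
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def pseudonymise(value, key):
    """Keyed HMAC-SHA256 pseudonym. Stable per value, so the vendor can still
    count distinct machines, but unlinkable to the raw identifier without the
    controller's key."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:32]


def build_event(raw_event, opted_out, key):
    """Return the minimised, pseudonymised event, or None if the user has
    opted out and nothing may be sent."""
    if opted_out:
        return None
    event = {k: v for k, v in raw_event.items() if k in ALLOWED_FIELDS}
    if "client_ip" in event:
        event["client_ip"] = truncate_ip(event["client_ip"])
    if "machine_id" in event:
        event["machine_id"] = pseudonymise(event["machine_id"], key)
    return event


def demo():
    """Build the sample event with the assumed controller key (opt-out off)."""
    return build_event(SAMPLE_EVENT, opted_out=False, key=CONTROLLER_KEY)


if __name__ == "__main__":
    print(demo())
    print(build_event(SAMPLE_EVENT, opted_out=True, key=CONTROLLER_KEY))
```

The allow-list is deliberately a positive list rather than a block-list: a new field added to the client later is dropped by default until someone decides it is needed for the stated purpose, which is the decision the controller has to be able to document.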
In turn, look for ways to maximize opportunity. For example, as vendors consider the impact of GDPR on traditional email marketing campaigns, in-application messaging may be a more effective way of engaging with trial users and customers.
Ramping up efforts for targeted in-app messaging campaigns allows you to get personalized messages to customers in a manner that is GDPR compliant. Because an existing business relationship exists with the end user, you can rely on legitimate interest rather than consent to send messages through in-app messaging software, provided the messages relate to the product being used. Of course, it is still important to provide an opt-out mechanism so users can stop receiving these messages.
While GDPR might seem daunting, if companies define the roles and requirements and follow some of these suggested guidelines, compliance can be achieved with minimal interruption to your business.