A presentation at MicroConf Europe in Dubrovnik, Croatia by Aleth Gueguen
5 months into the regulation's enforcement: how does the landscape look? Tales from the trenches.
Majority of penalties:
1. Security and data breach (even for tiny companies)
2. Inappropriate marketing use of personal data
gdpr4saas.eu @pl4n3th MicroConf Europe 2018

Being privacy-friendly is a significant selling point. It shows your client that you are serious about their personal data and security.
SIGNAL OF TRUST and Accountability

25th of May deadline only for big companies under the DPAs' scrutiny.
Authorities: two-year transition period for SMBs, BUT only for new obligations (things that are different from previous privacy laws).

Most likely risks for software companies
Most of the fines are related to security.
Security and proper data management become a liability.
Think: access control, data lifecycle, overall security measures.

Penalties mechanism: a complaint is filed to a DPA, then
1. inquiry from the DPA,
2. recommendations issued,
3. other reprimand,
4. and if still not right -> fine.
Fines: effective, proportionate and dissuasive.

Examples of fines: security ⋅ data leaks ⋅ unauthorized marketing
CNIL: Retail firm fined 100 000€ for negligence over processor actions follow-up. Optician retail firm fined 250 000€ for violation of customers' personal data.
ICO: Heathrow Airport Limited fined £120,000 for serious failings in its data protection practices. Firm fined £90,000 for nuisance emails about pre-paid funeral plans.

Deadly sins
Consent campaign: you don't have to do that. Either you have consent, or you don't (proof through your ESP service).
Bulk email addition: do you have another legal ground than consent?

Consent is not always the best legal basis for processing. Can you rely on another legal ground? Contract, legal obligation, legitimate interest. Document your choice. Inform your users.

Examples of legitimate interest: mailing campaign to past customers; newsletter to subscribers of your service; newsletter after a lead magnet. Conduct a balancing test.

"Read my new privacy policy" campaign
Not useful: a list of 'we changed this and that'; the user has no diff.
Useful: "this particular bit" has been replaced with "this other thing". "You can contact us at such-and-such."

Provide information and the reason why you need the data. It's the law, BUT do not forget the WHY: you want customers to trust you.
What's the landscape for tech companies? Who did nothing? Just started? 50% complete / still implementing? All done?

TrustArc Research Report, July 2018 (source: TrustArc report benchmarks)
The one thing essential:
1. Document everything
2. Have everyone in your team trained about privacy
You want to make it everyone's responsibility.

What are the reasonable things to do? It depends on the context:
Likely to lose a client if not privacy-friendly / compliant
Security issues / users not trusting the service
Advanced marketing techniques
Handling sensitive data
Running an innovative service: users are at risk of a privacy breach

Starter or grown-up?
Starting = OK with being privacy-friendly on the surface.
Growing = implement the real stuff: data mapping, privacy assessment, documents.

Starting stage: privacy policy and DPA, BUT have a plan for the future. Understanding privacy laws becomes vital.

Oops: you pick this provider for a cool feature and because it has a free tier, then discover that it's selling your users' data. Do you want to inform your users about it? Spend 3 sprints integrating a privacy-friendly solution.

Time to question where you want your customers' personal data stored. European equivalent of AWS = OVH.

Growing stage: ~100-200 users or lots of data. Must be a priority for the Cx and head of business. Given the constraints it puts on the company, if you, as the boss, are not 100% behind it, it's a kiss of death.

The essential steps:
1. Pick someone to take charge of the project
2. Most likely also the point of contact for your company. Probably no need for a DPO, but sometimes it's a good signal.

Privacy by Design framework
Proactive, not reactive; preventive, not remedial
Privacy as the default setting
Embed privacy into design
Keep it user-centric: respect user privacy
End-to-end security
Keep it open: maintain visibility & transparency
Retain full functionality: positive-sum, not zero-sum

Assess your risks (derive from data mapping):
Security
Sensitive data
Lack of information, inaccessible information to users & customers
Documents missing (LIA, DPA, record of processing activities)
New categories of processing (AI, profiling, IoT, ...)

Some examples: the support team uses Slack and puts personal data in it. Logging for debug and improvement:

Proper data management
Data lifecycle: a cron job to check for stale data and to-delete dates, and erase it from all storages
Deleted data = data gone
Files in versioning
Data used in test & staging
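The retention sweep described on this slide, as an added Python example that is not part of the talk: a cron-style job that finds records past their to-delete date, erases them from the primary database and from every secondary copy (search index, staging copy), then verifies nothing is left anywhere. The store layout, the users table and the sample records are constructed assumptions.

```python
import sqlite3


def build_stores():
    """Constructed sample data (not from the talk): a primary DB plus two
    secondary stores (search index, staging copy) holding the same users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, delete_after TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice@example.com", "2018-06-01"),  # retention expired
        (2, "bob@example.com", "2030-01-01"),    # still active
        (3, "carol@example.com", "2018-10-01"),  # retention expired
    ])
    db.commit()
    search_index = {1: "alice", 2: "bob", 3: "carol"}
    staging_copy = {1: "alice@example.com", 2: "bob@example.com", 3: "carol@example.com"}
    return db, [search_index, staging_copy]


def stale_user_ids(db, today_iso):
    """Ids whose to-delete date is on or before today (ISO dates compare lexically)."""
    rows = db.execute("SELECT id FROM users WHERE delete_after <= ? ORDER BY id", (today_iso,))
    return [row[0] for row in rows]


def erase_everywhere(db, secondary_stores, user_ids):
    """Delete each id from the primary DB and from every secondary store."""
    for uid in user_ids:
        db.execute("DELETE FROM users WHERE id = ?", (uid,))
        for store in secondary_stores:
            store.pop(uid, None)
    db.commit()


def verify_gone(db, secondary_stores, user_ids):
    """Ids still present in any store after erasure: the 'deleted data = data gone' check."""
    leftovers = []
    for uid in user_ids:
        in_db = db.execute("SELECT 1 FROM users WHERE id = ?", (uid,)).fetchone() is not None
        if in_db or any(uid in store for store in secondary_stores):
            leftovers.append(uid)
    return leftovers


def run_sweep(today_iso):
    """One cron-style run: find stale ids, erase them everywhere, verify and report."""
    db, stores = build_stores()
    stale = stale_user_ids(db, today_iso)
    erase_everywhere(db, stores, stale)
    remaining = db.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    return {"erased": stale, "leftovers": verify_gone(db, stores, stale), "remaining": remaining}
```

In a real deployment the secondary stores would be the search index, backups catalogue, analytics and staging copies listed in your data map, and a non-empty "leftovers" list should fail the job loudly.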
Advanced marketing practice? You need consent for cookies. Check the requirements if you use ads, Facebook retargeting or profiling. Be prepared for e-Privacy.

What DPOs say: hefty work but worth it. It's the direction of history. Our company's image is at stake.

Privacy is for everyone in the company. Am I handling personal data? If yes, is this thing I'm planning to do (new feature, support task, marketing) aligned with privacy requirements?

Business growth means being more proactive on security and privacy. GDPR offers you a framework of thinking. Security / privacy is a shared concern in the teams.

Biggest time sinks:
1. Documents: privacy policy, DPA, terms of service; back-and-forth trips between the company and the legal team
2. Data mapping and record of processing activities

Privacy is an ongoing process. Have a plan to maintain compliance:
‣ You won't do everything in one go.
‣ Long-term commitment.
‣ Best achievers: users/customers focused.
‣ Other laws in the making.

Review your process every 6 months. Earmark a sprint for GDPR: better information notice when collecting data, automate erasure of stale/obsolete data, better security.

ICO survey: most UK citizens still don't trust organisations with their data.
34% have trust and confidence in companies using their personal information (21% in 2017)
15% only for social media companies
33% would get advice and/or information from the ICO
78% felt that if a company/organisation that they used was affected by a data breach and their information was lost or stolen, the company holding the data should be held responsible.
51% of people are concerned about automated decision making.

DPOs' stories: "I want to sign a DPA"
You are a controller, and you received this email: "Give us a DPA to sign."
As a controller: signing Terms of Service is a contract. A DPA is a contract between a processor and a controller, because a processor can only process data on the written instructions of the controller.

Data Subject Access Request, or "letter from hell": a copy/paste from Article 15. A request can be filed through any channel; support should handle requests in any form: phone call, email or form submission.

Latest news
1. Japan and the EU agreed to a data transfer agreement
2. Other laws/regulations in the making: India, Ca
3. e-Privacy directive is on its way
4. EDPB not content with Privacy Shield: Privacy and Civil Liberties Oversight Board revived, Ombudsperson appointed

Thanks :)
Photo credit: Wavy1 on Visualhunt / CC BY-NC-SA
Here’s what was said about this presentation on social media.
It’s @pl4n3th debunking a few myths about GDPR.
— Benedikt Deicke (@benediktdeicke) October 22, 2018
I’ve seen her talk about GDPR a couple of times, and every time I learn something new. 📝#MicroConf pic.twitter.com/kMem0zqox3
Refreshing #GDPR insight: “Write your privacy policy as if it is content marketing (reviewed by professionals)” by @pl4n3th #microconf
— Karim Dahdah (@karimdahdah) October 22, 2018