This webinar provides practical, actionable steps that any SaaS company can use to actually become GDPR compliant with the EU data protection regulations. Specifically, the webinar covers:
- A brief history of EU data protection law, and how it set the context for GDPR
- The structure of GDPR and the basic requirements
- How GDPR affects various SaaS company functions
- Data protection management 101
00:00:09 All right. Everybody, we’ll let people roll in as they join. We’ll get started in just a moment here. Give it like one more minute before we go. Okay. It looks like we’re getting pretty close. It looks like the attendees have stabilized so I’m going to get going. I believe we’re recording this, and so, I’ll just get started.
00:01:34 Hi, everybody. My name is Chas Ballew. I’m with a company called Aptible. Today we’re going to be talking about the new EU general data protection regulation. In particular, we’re going to be talking about how it affects SaaS companies. What I mean by SaaS company is a company that’s buying a lot of Cloud services and may be building software in the Cloud, it’s not strictly speaking limited to the business model of SaaS like recurring revenue. It’s more about the operational model of SaaS.
00:02:07 You should listen to me for the following reasons. I’m a regulatory attorney. I practiced for a couple of years in the Army in Washington DC. Before that and after that I was a software developer, and I have a certification from a body that certifies privacy professionals, in particular, a specialty in Europe, in European data protection law, and more importantly, I’ve probably, at this point, helped hundreds or maybe thousands of software companies stand up and run security management and compliance programs, in particular with a product we offer called Gridiron.
00:02:43 I’ve been doing this for a while. GDPR is new for everybody but as I’ll show you, GDPR is actually not new. There are a lot of things in GDPR that are not new, and there’s actually quite a bit we can learn from GDPR. Just a little bit about Aptible. We help, this is what we do. We help companies build GDPR compliance programs and HIPAA compliance programs and we help in a couple of different ways. If you’re interested or want to learn more, our website’s aptible.com and there are some other ways to learn more.
00:03:15 If you’re also interested in learning more specifically about GDPR, we have a free Slack team that you can jump into and ask questions. We’ve been doing a lot of Q&A. We’re writing like a written version of this webinar, which is like the SaaS company’s guide to GDPR, which is going to have a lot of content from this webinar just in a written form and links to everything that we’ll cover and we’ll post it in the Slack here.
00:03:43 So if you want to get access to that article or be notified when that drops, you can join the Slack and also if you just have like follow-up questions, you can jump in there. Right before the last thing, before we actually get down to the details. This is being recorded. We’re going to post it on YouTube. We’ll send an email after for everyone who’s registered, we’ll send you an email with the recording and the slides and a transcript whenever that’s done.
00:04:11 Then, during the webinar there’s a little Q&A tool somewhere in Zoom around here; it says Q&A. If you can find the Zoom control panel, if you just click that you can type questions and just drop questions in as we go. I’m going to answer questions. We’ve got some questions that were submitted beforehand. I’m going to answer those as we’re going, or we’ll also have a spot at the end to batch questions.
00:04:36 I’m not going to be looking at the Q&A tool necessarily as I’m going and as I’m talking because there’s just too much going on for me to cover all of that, but I will try to get everything at the end and if you have a question and I already answered it, I’ll try to jump back and point you to where I answered that before. I’ll try to answer as much as possible as I can during this webinar. That said 54 minutes here is not enough time. You can probably do a webinar like this for a week straight and we’re not going to be able to cover everything that I want to cover, but I’ll try to flag as many issues as I can for you and get you started on the right path.
00:05:19 Again, just flag questions and you can follow up in Slack later or you can email me. I’ll give you my email at the end too. Okay, so good part. What are we going to do? There are going to be four parts to this; the second and the third part are going to take the longest. There are going to be two brief parts. In the beginning, I want to give you an understanding that GDPR is new, but, like I said, it’s not really new. I’m going to explain what I mean. What do I mean by that it’s not really new?
00:05:45 A lot of principles and concepts under GDPR actually come from prior European data protection law, and so, understanding that a bit will help us understand how to comply with GDPR because it helps you understand the intent of the regulators and the intent of the regulatory scheme. What was working before? Why do we need GDPR? What was broken? What needed to be fixed in the opinion of the European Union?
00:06:12 We’ll spend a little time talking about the structure of GDPR and the basic requirements, how it works. Again, there’s a lot more than I can cover in full detail here but I’ll give you a feel for how I think and how Aptible thinks about approaching GDPR. What are the important essential concepts and how does it all fit together? Understanding the structure really helps understanding like, “Okay. What do we do about it?” It helps you make practical decisions.
00:06:38 Then, in the third part, we’re going to talk a bunch about these practical areas. I’m going to talk about four areas of a business like your SaaS business and some issues, I’m going to do issue flagging and talking a little bit about practical [inaudible 00:06:52]. We’ll talk about marketing and sales kind of like growth and getting and acquiring new customers and some issues that pop up in there. We’ll talk about product engineering and design and what product teams need to know and engineering teams need to know.
00:07:06 We’ll talk about customer support and customer success, and then, we’ll talk about recruiting and HR and sort of dealing with employees and internal issues. Then, finally, at the end, we’re not going to have enough time, again, to do this. I’ll give you a brief overview of how to think about it if you don’t have a governance program or a GDPR compliance program in place and you don’t really know what that means or what that would involve.
00:07:34 I’ll give you just a brief rundown of how to think about what the steps are, which is basically seven or eight steps, and you could have 70 steps or you could have 5 steps or whatever but the point is I’ll give you a framework for how to think about this stuff.
00:07:49 All right. Let’s get down to it. A little bit of background on GDPR. GDPR is new but it’s not really new. I’m not going to read through every one of these but I will tell you that there is a history for GDPR going back, it’s 2018, so my math is going to be terrible but going back 70-plus years in Europe. 70 years leading up to GDPR, and there have been two kind of tracks I would say, like two themes that have been rolling along almost independently but that have been merging and GDPR is the merger of these two themes.
00:08:27 The first is, you can see the very first thing up here is human rights and this idea that humans, individuals, natural people, have rights. People who breathe and eat, have feelings and eat cheeseburgers and love dogs. Those are natural human beings as opposed to legal people, which are corporations and businesses and organizations, so natural human beings have rights. Certain inalienable rights, and Europe has been very progressive and sort of vocal about putting those rights into conventions and treaties and later, they’re enforceable human rights through the European Court of Human Rights.
00:09:07 For example, in 1950, that was stood up. At the same time, as we’ve had Europe tracking along and being concerned about human rights, at the same time, there’s been this other track where Europe has been looking for a deeper economic integration throughout Europe and it started in the 50s, when they said, “Okay, we’re going to regulate coal and steel and we’re going to make a community of coal and steel production to agree on like how to produce coal and steel [inaudible 00:09:36] and who can buy it and stuff like that.”
00:09:38 Specifically, it was because right after World War II coal and steel are the two things that you need to go to war, to build tanks and planes and bombs and stuff. It changed a little bit with the Nuclear Age but the Treaty of Paris here is really about economically integrating Europe, and then, later much bigger steps to integrate Europe together. Through the 70s and the 80s you started to see the emergence of privacy laws and [inaudible 00:10:04] laws regulating data, saw some early versions of non-binding, and then, kind of binding treaties in the 80s, which became really, really important because a lot of the principles and language that pop up for GDPR actually come from convention [inaudible 00:10:22] in the OECD guidelines.
00:10:24 In 1980 and ‘81 we see some of the first language. It’s reused again through GDPR. Then, in the 90s we see the European Union finally established. We see the beginnings of the Data Protection Directive, which is EU-wide data protection regulation. GDPR is basically a big update to the 1995 Data Protection Directive. Then, there are other developments in Human Rights.
00:10:51 Is my mic by the way … Test. Hello. I’m not sure if my microphone is working. You guys can hear me? Okay. Thanks. I’m not getting … If anybody, just chat me. Yeah. Thank you very much for this feedback. For whatever levels my mic is not showing up in the level so I was just like terrified [inaudible 00:11:21] minutes and nobody had heard any of this stuff.
00:11:24 Anyways, human rights and economic integration, the EU’s massive step towards economic integration. We’ve seen the EU Charter of Fundamental Rights, and so, these things have been trucking along and converging and the real sort of rebalancing that’s occurring right now, as we’re going to see in a minute, is rebalancing between basically companies and people. Economics and people, human beings and their ability to have the right to privacy and the right to be able to communicate freely without being sort of intercepted or snooped on, stuff like that.
00:12:01 But at the same time, we want to not have 28 different states in Europe with 28 different laws. That’s kind of the way things have been going with the Data Protection Directive and it hasn’t really been working. We have this patchwork throughout Europe and also, not really, the European Union has not been happy with the level of protection that they’ve been getting for data. The whole of GDPR is rebalancing this and changing the balance between humans and human rights and basically companies and corporations.
00:12:33 GDPR is bigger than just for-profit corporations; it applies to the public sector, it applies to nonprofits as well, but companies and business make up probably most of the activity here. There are even things, we’re going to talk about this several times. There are even things more specific than GDPR, so when we talk about what is the general data protection regulation, what does that mean? What does it mean, as opposed to what? Why not just the data protection regulation?
00:13:05 Well, it turns out GDPR is supposed to be the baseline, and then, there are more specific rules for specific situations. There’s a law enforcement data protection directive dealing with how police agencies and law enforcement agencies can deal with and collect data; that’s really important in Europe. You had secret police for a long time under the Nazis and under the Russians. There’s a lot of sensitivity and importance around that so that gets its own specific set of rules.
00:13:38 There’s something called the ePrivacy directive, which again is one of these directives. A directive is a form of law in the EU where the EU has to pass a directive, and then, each state has to pass their own version of it and that leads to some weirdness. We’ll talk about that later when we talk about marketing and how do you get consent for marketing and something called the soft opt-in rule, but each state has their own rules. Regulations are passed once and they apply everywhere.
00:14:07 The GDPR is a regulation. The ePrivacy directive is going to get turned into a regulation probably sometime next year. That covers specific scenarios like cookies, sending email or any like unsolicited marketing or messaging, text, push notifications even probably stuff like that, and so, GDPR applies in a lot of situations but there are some situations where you’re not allowed … I’ll explain some of these in a minute here but some situations where you’re not allowed to use all of the tools that GDPR would offer you because you’re in a specific situation like sending email or something where you want to send some marketing email, you can’t use all of the tools available for GDPR. You have to use just two specific ones that are available to you in the ePrivacy directive.
00:14:54 We’re going to focus mostly on GDPR, and then, in the practical section we’ll talk about sort of how it works better, but the basic idea is, as I said before, GDPR has two goals. The first goal is to protect humans and natural people and human rights, and the second is to facilitate the free movement of data to be able to have a nice system or a nice place, Europe, for example, to be able to do fun things and nice things and meaningful things with data, and how to rebalance between these two.
00:15:26 This is what GDPR is all about. It’s about regulators putting a thumb on the scale and saying, “We’re going to rebalance between people.” Ultimately, like I said [inaudible 00:15:38] the data affects a lot of things but in particular companies and economic activity. There’s some really important things to understand up front. I know most of this stuff has been written about and talked about. I’m going to just cover it real quickly.
00:15:53 First question that comes up under GDPR. Does GDPR even apply to you? There are two ways that GDPR can apply to you, or rather both of these have to be true. The first is you have to be processing the right kind of data. You have to have the right kind of data before GDPR can require that you protect it. That data is personal data. That’s defined in GDPR. Basically, it means any identifiable data about a natural human being and that includes anything that you can identify somebody with.
00:16:24 It could be an email address. It could be a name. It could be a birthday. It could be an IMEI device identifier from a phone. It could be a MAC address. It could be an IP address. There’s a ton of stuff that could be identifiable. A lot of times companies have questions. “Well, what about if I have this user clicked on this thing during this time, or this user is associated with this other user or account or organization, is that personal data?”
00:16:47 The answer is yeah. If you can identify a specific person that the data is about, that data is personal data. If that data is de-identified and it’s not possible even with another data set to re-identify that person, that’s no longer personal data. That’s a tricky sort of distinction, and then, there’s a middle sort of tier of data, [inaudible 00:17:10] data or key data, where you can re-identify that person but you need access to some other data source, and that’s still personal data under GDPR but it makes some things easier.
00:17:22 It’s lower risk data: if you can show that data is breached but the key, the source, isn’t breached, you’ll have an easier time with some of your obligations like breach reporting, for example, and you’ll probably be exposed to less risk. Personal data, any kind of identifiable data, is what throws you into the material scope of GDPR, and the material scope doesn’t make a distinction between EU citizens or EU or anything, it just says this applies to all personal data.
00:17:53 Then, there’s another limiting factor which is the territorial scope of GDPR, and really this determines what kind of businesses get pulled in or what kind of organizations get pulled in and regulated under GDPR. It’s pretty obvious if you’re what’s called established in the EU, so if you have some kind of business presence in the EU, you’re going to be pulled in. I’m not going to talk too much about that. There is some trickiness like if you have a PO Box or a bank account or a lawyer in the EU, is that an establishment?
00:18:22 The threshold is probably lower than you think it would be but a lot of companies almost [inaudible 00:18:26] not going to be established. You probably don’t have an EU office or something so it’s not that direct. The question is are you doing one of two things, are you doing what’s called targeting customers in the EU? This is contained, if you want to read this I’ll actually … I’m going to give you guys a link real quick to this site. I’ll drop this in the chat as well to all attendees.
00:18:51 This site is a pretty good reference for GDPR and if you want to read this stuff for yourself, I’ll actually jump back and forth between here. Now, if you want to read this stuff for yourself, you can read about the territorial scope and what it means to target. Real quick primer here, GDPR is organized into 99 articles. Those are the actual like [inaudible 00:19:11] like sections of a law that are actual law.
00:19:14 Then, there’s all this color commentary kind of where it’s the guidance and sort of commentary around. It’s not binding but it’s informative. These are called recitals. If you want to read more about like what does it mean to offer goods and services, you can read Recital 23, which talks about targeting. This is where the language targeting is used and it’ll explain like just having a website in a language is not enough. There has to be some like what a lot of people today call go-to-market motion.
00:19:45 You have to have some kind of like indicator that you’re trying to target customers in the EU. It doesn’t matter if you’re trying to sell them something, you can have like Facebook, trying to sign users up in the EU, it’s targeting. Then, the other thing is called, aside from targeting is profiling or tracking or monitoring behavior so any kind of like analytics, anything like that, and that’s called profiling. You can read more about that in Article 24 here.
00:20:11 These are the two main things for a lot of you, United States companies, that will pull you into GDPR: if you’re trying to go to market at all in Europe or if you’re profiling. I see a question here. Is the seminar recorded? Yeah. It’s being recorded so you can catch up on this later. A lot of questions come up. A lot of this can be alleviated if you decide that you’re not targeting and you’re definitely not profiling anybody in the EU. You might be able to avoid GDPR entirely, in which case that’s great. Grab a coffee or something and watch the recording later.
00:20:47 But many of you are probably on here because you probably are targeting or profiling and going to market in the EU or at least you want to know what would happen. Here’s what happens. Here’s what you have to do. The way that GDPR rebalances between people and companies and rebalances between natural rights of humans and the free flow of data, as it says if you are the right kind of organization. Meaning, that you’re doing, you’re establishing in EU, you’re doing one of these things and you’re processing personal data, you have to abide by some rules of the road here.
00:21:21 This is like putting up speed limits and putting dotted lines and solid lines in the middle of the road and lane control. These are the rules of the road. These are laid out in Article 5 if you want to read about these at a general level, and then, they’re sort of fleshed out through the rest of GDPR, the articles, but the basic idea is that before you use, as a company, before you use or collect (collecting is a use of data) any data that’s personal data that’s regulated by GDPR, you have to do some planning and you have to get organized before you start using or collecting this data.
00:22:02 If you have this data already, you need to get organized in the next nine days before May 25th, before it goes into enforcement. The good news is that a lot of this stuff is stuff you should probably be doing anyways. The bad news is sometimes it can conflict with existing business models and existing technology. We can talk a bit about that but these things are not groundbreaking. These principles have even been around, as I mentioned, since basically the early 80s in European law.
00:22:34 What are these things? First of all, you need to have what’s called a lawful basis like a legal reason why it’s permissible for you to use data. You actually have to track each use that you’re making of data, which is something not a lot of companies are used to especially in the US. They’re used to just like, “Oh, give me all this data. I’m going to collect this data and I’ll stick it in a data warehouse or a data lake or data skyscraper or whatever the hell” I’m just getting all this data, and then, we’ll figure out what to do with it later because it’s useful but I don’t know what it’s useful for yet so I’ll just hold off and I’ll answer that later.
00:23:10 It’s like, no. You can’t do that anymore. You actually have to specify what you’re going to do with the data and how you’re going to use it up front, and you have to tell people about it. You have to make sure that that’s communicated to them in a fair way and that you collect data in a fair way. We’ll talk more about that in a sec.
00:23:26 You’re only, the purpose limitation piece means you’re only allowed to use data for the purpose for which you collected it in the first place and if you use it for other purposes there’s kind of a test to see whether you can, whether those purposes are compatible or not, but generally, you’re not allowed to use it for something totally [inaudible 00:23:45]. If you collect it for like your product, you’re not allowed to turn around and use it for like marketing, for example.
00:23:51 You’re only supposed to collect as much data as you need to fulfill the purpose, so it’s kind of like the purpose, the reason why you’re going to use this data, drives all of the other principles. You have to make sure that it is accurate. You have to give people rights around being able to correct or delete data if it’s not accurate. You’re only supposed to keep personal data around as long as you need it to fulfill the purpose although, again, you have a lot of flexibility around defining how long you need it.
00:24:18 You have to make sure it stays unbreached and it has these, stays confidential essentially and you’re able to protect it. Then, you’re basically responsible for being, accountable for being able to show that you’ve done all this stuff ahead of time at any point and on demand if a regulator comes to you, a Data Protection Authority comes to you or, and says, “Show me your evidence that you’re complying.” You’re responsible for being accountable upfront for that.
00:24:46 You can’t just say, “Oh, yeah. We were getting around to that.” You actually have to be able to produce evidence that you’ve gone through. For most companies that’s evidence that you’ve done a data use inventory and that you’ve specified all of the relevant sort of parameters around usage for data, things like that.
00:25:06 I mentioned this before, so every time, every use you want to make of data, every time you want to use data, so you want to use data to provide your product or use data to do marketing or use data because you want to hire somebody, a contractor in Europe, you want to hire a Polish dev shop or something, or you have an employee or contractor in France or Germany or somewhere. How are you allowed to do that?
00:25:31 Remember, before you collect that data and use that data you have to specify a valid, what they call lawful basis, lawful basis or basis for processing. There are six of them basically. If you have what are called special categories of data, I’m not going to talk about that here, but if you have any data that’s race, sex, politics, genetics, health, anything like that, you’re going to need two lawful bases. You need one of the original six, and then, you need an extra one to go with it, but the basic idea is that each one of these six, you can have multiple lawful bases for a use of data but everything goes back to being able to specify what the use of data is.
00:26:13 So some of the ways that you can be allowed to use data. Number one, if you have the data subject’s consent. If they said, “Yes. You can use my data this way.” But consent is really tricky under GDPR. There’s actually a whole article here around consent; Article 7 is the definition of consent. Consent has to be very clear. It has to be specific. You have to be able to withdraw consent.
00:26:40 A lot of times consent is not the best basis to process data on because there are a lot of rights that spring to the data subject. So just saying, “Okay, you consent to [inaudible 00:26:51]” is not super useful, and then, also, that’s also even more tricky because in some situations, I mentioned this before with the ePrivacy directive, if you’re doing cookies, web tracking, or sending unsolicited emails, you need consent before you do that, so even though consent is not the best basis to use under GDPR sometimes you have to use it because there’s some additional law that’s more specific than GDPR that makes you use it, so that comes up.
00:27:22 Ideally, any one of these other ones would be easier than consent because fewer rights spring to the data subject. If you need to process that data strictly to perform a contract with the data subject or it’s necessary to enter into a contract, you can use this contract performance basis but it’s really strictly limited to just being able to provide a service. A lot of times people are like, “Oh, sign up for our service and we will subscribe you to our newsletter.”
00:27:52 Companies try to convince themselves like that’s strictly necessary because we have to communicate updates to you. It’s like, “Ah, that would be a tough one to defend.” That’s probably not true. On the other hand, if it’s like we need to send you security updates and awareness pieces that might be closer to the mark, certainly, but contract performance the way you’re going to use data it needs to strictly be necessary for the performance of that contract. It doesn’t have to be a contract between you and the data subject it just has to exist.
00:28:24 I should mention here that the controller of data, we’re going to talk about this. We talked about it briefly but there are two base, two sort of concepts under GDPR. There’s something called the data controller, which is where when you’re the data controller and you’re collecting and deciding what data do we collect and what data do we use, you have to make sure that all of these principles are followed and you have to make sure that, the lawful basis, you have the most work to do.
00:28:53 There’s the second concept, the secondary concept called being a processor where you just follow instructions. You don’t really decide what to do with the data, you’re very limited, and a lot of SaaS companies … We’ll talk about this in the next section. A lot of SaaS companies are going to try to be processors but will get pulled into being a controller, like when you’re doing marketing and sales or when you’re doing recruiting and HR, you probably get pulled into being the controller, but if you keep things really, really strict, you don’t use a lot of data outside of strictly providing your product and you provide your product directly to a data subject, you might be able to rely on contract performance or at least show that your processing is necessary to fulfill a contract somewhere along the line with the data subject.
00:29:39 You can process data if you’re subject to a legal obligation, but it can’t be an obligation you just made up like a contract that you made up. It has to be an obligation that arises from like EU law or like GDPR itself. GDPR requires that you keep records. For example, for accountability, so if somebody comes to you and has, says, “Delete all my data and I want to exercise what they call the right to erasure, the right to be forgotten.”
00:30:01 You’re allowed to keep the data that shows that you received the request and complied with that because that’s necessary for you to show that you complied with GDPR. That’s a good example of where you’d be able to say, “Okay. We need to retain this for legal obligation to show our compliance.” What you can’t do is you can’t just go like sign a contract with some other company and be like, “Oh, now we have a legal obligation to process this data because we made it up.” That will not fly.
00:30:27 Vital interest is basically like life or death, probably not for most companies. If there’s like an earthquake and you need to find people in the earthquake or something or there’s an outbreak, an epidemic or something. Yeah, you can process data but it’s really, it’s life-or-death stuff so probably not to be used very often. If you’re performing some public task that you’ve been delegated, some kind of authority by the government or an EU body, you can do that but, again, most of the time you will not be operating under those.
00:30:58 Then, the final ones, the ones that most companies are going to use, are consent, contract performance and this last one, which is called legitimate interest. Legitimate interest just basically means that it’s like the “because I want to” reason under GDPR. It’s like I’m going to process this data because I want to, because I feel like we have a legitimate interest as a business in processing this data.
00:31:54 Article 6 here talks about these lawful bases, and then, at the bottom they talk about network and information security as an overriding legitimate interest, or other ways, the things that qualify as legitimate interest, so that’s a good example if you need to process data for security or to lock a network down or things like that. Those are considered legitimate interests.
00:32:17 The reason why all this stuff matters; number one, is because every time you process data you have to have one of these reasons identified before you collect the data if you’re a data controller; and the second reason is because data subjects have all these rights under GDPR and they’ve had a bunch of these rights before. Again, there’s not really a whole lot that’s truly new about GDPR but these rights are things like you have to give people, you have transparency, you have to tell people what data you’re processing about them and give them recourse to like find out.
00:32:50 You have to give them access in a lot of cases to that data. You have to correct the data if they want you to. You have to erase it in some cases, not all cases. If they want to restrict you from processing it. They say, “Don’t send my data to Allstate,” or something. You may have to comply with that. In certain cases, if they want to move their data or if they want to stop you just, “Don’t send me any more emails,” for example [inaudible 00:33:15] stop sending me these emails. They can do that.
00:33:19 They're also free to be, so there's this sense that you cannot be subject to a fully automated decision that affects your rights in Europe without some human intervention or process, even if you are subject to that as the data subject. For example, if you're doing a credit screening online, and you're like, "Oh, I'm going to check your credit and see if you can apply, if I'm going to give you a loan."
00:33:45 You might use a form and just process that automatically. If you do that, you have to give somebody an option to have a human review at some point. That's an example of a data subject right. Not all of these rights, this is the important part. Not all of these rights apply in every situation, so depending … This is why the lawful basis is so important.
00:34:04 Depending on the reason that you pick, that you're going to justify your processing under, some of these rights apply and some of them don't. We can send a broader table. There's a really good set of guidance from the UK's Information Commissioner's Office, the UK ICO, that publishes more guidance around this stuff. But you can see here it's not true that everybody gets the right to erase data and the right to be forgotten in every circumstance. It's not true that everybody can object to processing.
00:34:36 For example, it's only in certain circumstances. Again, most of the time you're going to be processing based on legitimate interest, contract performance or consent, and not on the other ones. For example, if you're keeping records to comply with your own GDPR compliance, and you're keeping records of your master suppression list or your master deletion list, that's going to fall under legal obligation, and so they don't have a right to request that you delete your own compliance records, for example, or take those records from you and put them out. Those rights just don't apply in those situations.
00:35:13 There’s way more than I can cover and talk about here. I want to move on to the really good stuff, which is talking about the practical applications but just be aware that this is the basic framework. Anytime you process data, you have to have a reason. You have to be able to give rights in certain situations when those rights apply. Then, there’s a bunch of other legwork that you need to be able to do.
00:35:36 I mentioned accountability before. You need to be able to keep records and show that you're complying with GDPR. A big part of that, a big keystone for that, is being able to map out where all of your data is and how you're using data across different assets or databases or pieces of your architecture. Then, be able to explain, okay, for each use that we're making of data, what systems and vendors and components do we have, and what is the legal basis? What rights do we need to be able to give data subjects, either as a controller, or what rights do we need to be able to let our customers as controllers, if we're a processor, to let our customers as controllers [inaudible 00:36:17]?
00:36:54 That's separate from the need to actually get a contract in place with them to be their processor. There are two provisions here with unique contracts, and this can be tricky because a lot of times companies will put this in one contract, but you need a contract with any processor that you have, anybody who's processing data on your behalf. That's Article 28, the data processing agreement. You may have heard of these.
00:37:21 But if you're hopping data, if you're moving data outside of Europe, whoever does that first hop needs to also be thinking about Chapter 5 here, which is transfers of personal data to certain countries outside the EU. There are a couple of different ways you can do this. I don't have enough time to go into them. Privacy Shield is a good thing to offer if you're a United States company, and I can explain in the GDPR Slack or something later if people have questions about that, but probably, you're going to end up using either what they call the model clauses or Privacy Shield, and I probably recommend in most cases Privacy Shield.
00:37:55 You're going to need to be able to offer that so that customers in the EU or data subjects in the EU can send data to you. Then, once data is in the United States, you need to still make sure that you have contracts in place with all of your processors. Amazon Web Services and Mixpanel and Slack, and whoever else is going to be storing and processing data for you.
00:38:14 You're going to need to stand up and run a whole security management program. This is the Pandora's box of GDPR. It's Article 32. All of these other articles are kind of ambiguous, or sometimes they're very specific, or sometimes they're very clear. Article 32 is just, "Taking into account everything and all of your risks, ensure appropriate security." Good luck.
00:38:41 There's actually a lot that goes into running a formal best-practices security program. We don't have super strong guidance around what that's going to look like, but early indications are that ISO 27001 is going to be a really important standard lying around for security management. I think we're going to see a lot of companies choosing to stand up and run ISO 27001-aligned security programs and use that as sort of the skeleton to run a security management program for GDPR.
00:39:14 You have to notify if you fail to protect data. If you have breaches of data, you definitely have to notify the data protection authorities and you might have to notify individuals. That's, again, one of these cases where if you used [inaudible 00:39:27] and you keep the data out, or the data was encrypted, you'll definitely have to notify the DPA, but you might not have to notify the individuals, because there might be real-life risk or harm to the individuals if nobody can make use of that data. But that's something where you immediately, you go lawyer up. You'll get a lawyer when you need to go into that situation.
00:39:48 You might need to appoint a data protection officer. It's not totally clear; there are exceptions for a lot of firms, but it's not clear which firms do and which firms don't. There's guidance on this. Basically, if you're processing any data at web scale, you're probably going to need a data protection officer. If you're processing data infrequently, in small amounts, occasionally and not really, you might not need one.
00:40:15 A lot of SaaS companies are going to need one, and there's a huge shortage of good ones, so it's an issue today. You're going to need to tell everybody [inaudible 00:40:25]. Of course, we'll talk about this, but there's nothing in GDPR that says specifically, "You need to train people." But obviously, if you're listening to this webinar, there's a ton of information here you're going to need to be able to communicate and train people on.
00:40:38 I mentioned transfers to third countries before. You also need to, if you're outside the EU, you'll need to appoint what they call an Article 27 representative, which right now looks like a registered agent. It's not really super clear. There's a recital that says the agent should be liable, but it says "should be," and it's in the recital, which, again, is not binding, and the article doesn't say that there's any liability, so a lot of companies are going to offer this service and just act like a registered agent. If you have a Delaware C Corp and you have employees like … I'm in Oregon right now, so we have an employee in Oregon, we need to be registered as a foreign entity in Oregon, and then, we need to have a registered agent.
00:41:23 It's that type of thing. It's not exactly the same thing, but it's that type of thing, and until we get more guidance that it's not that type of thing, that it's something more, a lot of companies are treating that just as a registered agent. There's more to this. It's just an overview. These are the big moving parts, I think.
00:41:42 A lot of questions about this. Everybody has heard that there are these potential fines of 20 million euros or 4% of global turnover. We've heard a lot about the potential for big administrative fines. Yeah. We'll see. I don't know. Maybe. Definitely, Facebook should probably be sweating this stuff. Google is sweating this stuff. Are smaller companies going to need to sweat it? We'll see what the standards are going to be. We don't know yet.
00:42:07 There are two other things that should probably concern you, though. One is that under Article 58, the Data Protection Authority can just shut you down. They have the power to just make you stop processing. There's a bunch of other stuff in Article 58, but that includes the ability to just pull the plug on you. There's also the fact that under Article 82, data subjects can sue you for certain things, and when they sue you, even if you're just the processor or it's not totally your fault, there is joint liability, so any liability that you have, you are responsible for 100% between you and the data subject, and then you can go get indemnification from others who are jointly liable.
00:42:49 That has not really been talked about a ton, and we're going to see how the European courts enforce it. There's a lot of GDPR that's actually really similar to HIPAA in a lot of ways in the United States, and we have a lot of experience with HIPAA. This is one of the big differences. HIPAA doesn't allow patients to just go sue you as a company; GDPR does, so we'll see how that plays out.
00:43:13 Okay. Good stuff. I’m going to flag a bunch of issues. These are things that like companies do, and now, that you’ve heard about all this other stuff and sort of the approach to how we look at GDPR, a lot of these things will make more sense. First, we’ll talk about marketing and sales teams. If you’re trying to get new business and you’re trying to get new customers, what do you need to know?
00:43:36 GDPR doesn't define the term "direct marketing." There's a law in the UK called the Data Protection Act, and there's a lot of guidance. There's a really good piece of guidance about direct marketing from the UK ICO. Again, if you want links to this stuff, I'll be able to link you in the Slack channel later, or if you just email me. But basically there are restrictions on what you can do when you're trying to grow and market, and two big [inaudible 00:44:01] categories and tactics that get regulated, that are even more specific than GDPR, are web analytics and kind of the way that the relevant law right now, the relevant piece of law, is called the Data Protection, or sorry.
00:44:19 The ePrivacy Directive, and that has been passed into law in every state, and they have different rules a bit, but the general idea is that any time you're going to store and retrieve data on a client's device like a browser, you need to get consent to do that. You can't use legitimate interest. You can't use any of the other sort of loopholes there or legal bases for processing. You have to get consent.
00:44:45 Right now, one of the problems, we'll talk about this on the product engineering piece, is that the law does not draw a difference between a first-party cookie, a cookie that you need to let people log in and log out, and a third-party cookie, like dropping a tracking pixel or an ad network pixel or something like that. It doesn't make a difference right now. That's going to get fixed, because there is a difference there, there should be a difference. That will get fixed probably next year when the ePrivacy Regulation goes into effect, but for now just be aware of that if you're using web analytics.
00:45:18 This is why you see those cookie pop-ups, so if you've decided that you're in scope for GDPR, you're probably going to end up doing a cookie pop-up, and there are some problems with these. If you want more analysis of why the cookie pop-ups are kind of not really compliant with the law, but they're pretty much what everybody does and they're the best sort of solution right now probably, why that is the case, there's more discussion of this in the GDPR Slack.
00:45:46 The other thing too is, a lot of companies, especially B2B companies, rely on email and direct marketing over email, generating lists or buying lists or something, and then sending email campaigns. You need to be able to get consent, or show that you got consent, for some of those emails. You can't just build a list, scrape LinkedIn or whatever, and then just go bomb a bunch of people with emails and say, "Oh, if you want to opt out, opt out here." You need to offer the opt-out, but you can't send the first email without consent, so it really restricts what you're able to do in terms of direct marketing.
00:46:18 The other thing too is, if you're building a list, you have to get the consent from subjects in the EU to build the list. If you're buying a list, you need to be able to show that you made sure that the list was assembled properly. It's almost like a provenance or chain-of-custody type of requirement. You're going to need to be able to collect and retain metadata around that list showing that the whole list was obtained with consent.
00:46:48 You can't just buy a list and send emails to people, and be like, "Oh, I didn't make this list. I don't know where it came from." That's not … You won't be able to do that. You can't do that today. You won't be able to do that in the future. You need to make sure that however you're building your audiences and your funnels and your campaigns here for marketing, you've thought about, "Okay. Where is this data coming from? Where are these leads coming from? How did we acquire that lead, and do we have the right kind of permission? Are we tracking that permission?"
00:47:17 This is also, I call it "suppression source of truth" here, but it's really being able to track whether, and in what systems, you're able to send people emails, or who's opted in to push notifications, things like that. You're going to want a master source of truth for that. You can use the CRM system. You can use Autopilot. You can use a bunch of pieces of technology. Ultimately, it's less important which specific piece of technology you use and much more important that it becomes your actual source of truth and that you can actually use it on an ongoing basis.
00:47:50 The last thing, I mentioned this before, but it's really important because this is a big change for marketing and sales teams. A lot of times marketing and sales teams don't necessarily pay a lot of attention. They're just like, "Oh, cool, a new tool. I will sign up for it." They just go and they plug it in, or you just go into Segment and you just click, enable, enable. Like, "Yeah. Awesome. We'll try it out."
00:48:11 You can't do that anymore if you have GDPR data, personal data, in scope. You have to look before you leap. Again, business rebalancing [inaudible 00:48:20], it's awesome to be able to do that as a company, but GDPR says, "No. No. No. Hold up. Wait on. You've got to get a contract in place with that processor so that we know that they'll protect that data too." That's why Segment and Mixpanel and all these marketing and analytics companies are offering data protection agreements now, just because of this, to get an agreement in place with these vendors. But that means for [inaudible 00:48:46] companies you need a process in place where your marketing, your growth teams, and your sales teams know ahead of time, "Hey, wait. Don't just enable that in Segment. You've got to talk to whoever's running your compliance program first to make sure you can get the right agreement, and make sure that we go before we start sending them data."
00:49:05 Because if you send them data and you don't have that agreement in place, you just breached GDPR, and you probably, you want to talk to a lawyer about this, but you probably have a reportable breach. You probably have to report that, and if you don't report that, man, [inaudible 00:49:20] you're going to get, you don't want to go down that road. It pays a lot more dividends to get in front of this stuff.
00:49:29 Okay. Product teams. That's growth and marketing; what about the legacy product team? I mentioned this before, the difference between being a controller and a processor is really, really important. A lot of SaaS companies are just going to say, "Oh, we're just a processor. We don't do anything except process data according to your instructions. Here's our software, use it." Go ahead. That's fine if you can actually do that. That's great.
00:49:54 The guidance around this, I mentioned before GDPR is replacing something called the Data Protection Directive. There's a bunch of official guidance around the Data Protection Directive, and a lot of that, like, "What's a controller? What's a processor?" That guidance is still applicable under GDPR because GDPR is using the same terms and the same concepts. It's just kind of cranking up the liability and also regulating processors directly, which it didn't do before.
00:50:23 But if you are a controller, you have a lot more obligations. You're responsible for keeping track of all of your uses of data and making sure that each one has a legal basis, and making sure that you can show all of your records. You have to show records anyway if you're a processor. It looks like the records are different and more detailed around, "What are you doing with this data? What are you going to do with it? How long are you going to keep it for?" if you're a controller.
00:50:46 For instance, if you're a processor, it's a little more limited set of obligations, so I'll just flag this. A lot of companies are like, "Yeah. We're a processor. We're going to be a processor." It's like, "Okay. Maybe. Probably, in a lot of cases." But if you're exercising any kind of discretion or control, or deciding what to do with this data, it may not be clear. Either way, you're going to want to make decisions that allow you, either you or your customers, to facilitate the exercise of rights by the data subjects, and you're going to have to make architectural decisions.
00:51:22 One example, for example, that comes up a ton: you have, okay, your personal data in your main database, in your users table, and you may have user IDs and email addresses in logs. You may be sending container logs or database logs or SSH logs or who knows, all kinds of metadata, across your infrastructure. You're going to need to get in front of that and understand what PII is going where in your infrastructure, and then make sure that you either have the right processing agreement in place with those logging providers, or that you're able to restrict and get rid of that PHI or PII across your infrastructure.
00:52:02 Maybe de-identify it, [inaudible 00:52:05] it, so that you don't have identifiable data sitting directly in the logging provider. Logs are just one example. It's basically any kind of leakage of PII across your infrastructure. I mentioned this before in the other one, but the law doesn't draw a distinction right now between cookies for doing sessions and login and functionality, and cookies for tracking ads and behavioral, online behavioral advertising and targeting.
00:52:35 You're still going to need some kind of consent, or like, in product. There are different ways you can deal with this. If you want to know more about this, jump in the Slack channel, but this is an issue you're going to need to deal with even on the product side. So even if your marketing property is separate from your product, you have a separate web dashboard or a mobile client or something, you're still going to need to address this [inaudible 00:52:58].
00:52:59 Any kind of location data that you're using, this is really popular today and there are a lot of sources for this data. Just be aware that location data is also treated separately, just like cookies and email and direct marketing. Location data is treated separately under GDPR, under the ePrivacy rules. You have to, again, you've got to get consent, and you can't just be like, "We're using your location data because we want to, for legitimate interests, because it makes the product better," or something like that. That's not going to cut it. You're going to need more explicit consent.
00:53:32 You're going to want to think about how long you're retaining data and where these various systems are retaining data. So if you're retaining logs and you have PII in your logs, how long are you going to keep those logs? Have you thought about why you need to keep them? Maybe you archive them indefinitely now. You're going to need to revisit that and really force yourself to think, "How long do we need this?"
00:53:55 GDPR doesn't tell you how long is acceptable, but this is where it comes back to that accountability piece. It does require that ahead of time you've decided, and you've written down somewhere, what the appropriate data retention is supposed to be, and then later they can check if you actually did that. But it's more important that you make the decision around data retention rather than what the specific decision is. A lot of times you have discretion to do that.
00:54:25 Finally, these two: encryption and pseudonymization. I never pronounce that right. Pseudonym- who knows? If only there was somebody who knew the right way to pronounce this word. But encryption and pseudonymization allow you to transform data in a way where it's not immediately usable or accessible. It's still PII for purposes of reporting a breach to the data protection authority, but, again, it may make breach reporting or liability under GDPR much lower.
00:54:57 It also allows you some flexibility. Although I believe for pseudonymized data, even if the data is keyed and you have a vendor who you want to send that keyed data to, you still have to get a data protection agreement. Same with encrypted data. If you're just sending encrypted data to a vendor, you still have to get a data protection agreement in place with that vendor and go through the whole vendor management process.
00:55:21 These are some things. There's more on this. We actually have a separate course on basically product design and engineering for data protection in GDPR. If you want more on that, let me know in the Slack channel or over email. These are some issues to think about as a product team. From a support and customer success team, you're thinking of like, "Okay. Expansion revenue, upselling, cross-selling, getting our customers, finding out what makes them happy? What makes them not happy?"
00:55:49 One thing that comes up often is the ability to communicate with customers who are existing customers. So you already know, and we already covered the fact that if you want to track somebody or send somebody an email and they're not your customer, it's totally unsolicited. You need to get permission from them, you need to get consent, and then there's this whole thing around how you manage consent and all these rights that come when you have consent.
00:56:12 Setting that aside, what about the situation where you have an existing customer, or somebody who you were talking to and negotiating a sale with? There's actually an exception to that under the ePrivacy rule that allows you to use basically an opt-out. We call it a soft opt-in or an opt-out, where basically if somebody's in a signup flow, and it's different in different countries. In the UK, it's easier to do this. If somebody just requests a quote from you, you're allowed to basically show them a checkbox that says, "Hey, uncheck, check here if you don't want to receive emails."
00:56:47 By default, you're allowed to subscribe them to some, there are rules on this. It has to be from you; it can't be from a third party. It has to be related to the product and service that they were buying or talking to you about. It can't be like you come to me for a mattress and I send you an offer to refinance your home or something. It can't be that. There are some other rules around this, but basically it's easier to communicate with existing customers as long as you follow a process to notify them when they sign up, or when you interact with them before, that you're going to communicate with them later, and you have to keep that record, but it's a lower bar. You're allowed to default [inaudible 00:57:27].
00:57:29 The other stuff, again, is just your support systems, Desk, Intercom, any messaging system that you're using, Drift, whatever. If that's going to have PII of customers in it, even if it's a B2B customer, and you're selling to, I don't know, some manufacturing company in Germany, and that's your customer, and it's a user who's a member of a business in Germany, that's still personal data, and their data in your support system, you're going to need to deal with that, whether your support system is Gmail and Front, or whether it's [inaudible 00:58:08] or whatever.
00:58:08 You're going to need to get DPAs in place with all of those vendors to be able to track those and basically treat them as in scope for GDPR. The other thing that comes up a bunch is companies are like, "Well, I know I can't send an email to somebody without consent just because, but what if I do a research survey or something, or what if I'm not trying to market to them, but I'm trying to get feedback?" Or a lot of times this comes up with business intelligence tools: I want to use the data to improve our services.
00:58:45 That is something where actually legitimate interest is a really good lawful basis to use, because consent would be great, but then what do you do if they opt out? Are you going to deal with that? Under legitimate interest you can just basically give them the right to object rather than have to worry about withdrawing consent and managing consent. But, on the other hand, if you're doing some kind of user survey or satisfaction survey and you cross over into marketing, you're definitely going to need consent. If you're doing any marketing, you're going to need consent.
00:59:18 You're not going to be able to like … In the UK they call it [inaudible 00:59:22] or something, [inaudible 00:59:23]. I forget what it is, but it's basically doing marketing under the guise of doing research or customer satisfaction surveys or something. You just want to make sure that if you're doing one or the other, you're really clear about what you're doing. Again, I don't have enough time to go into details about this, but I can talk about this more in the Slack channel.
00:59:44 The last thing too is if you're … We talked about marketing and growing leads. We talked about products. The last thing is if you have any kind of employees or contractors, or anybody in the EU at all that's part of your workforce, you're going to need to … That data counts too. So anytime you process data as an employer, for example, or recruiting contractors or anything like that, that is data that's in scope.
01:00:11 There are a lot of companies that are definitely thinking about the product, but maybe not so much about growth or support or HR, but they're all functions of a company that are potentially in scope if you have data from data subjects in the EU. They don't necessarily need to be citizens of the EU; you just have to be performing some kind of activity that's subject to EU law, like doing business in the EU or going to market there or things like that.
01:00:46 I can talk more about other … People have questions like, "Well, do I have to identify EU users when they come to my website?" I'll talk about that in the Q&A, but definitely for recruiting. For example, if you're using an ATS, an applicant tracking system, you're going to want to make sure that you get a data protection agreement in place with that vendor, or make sure that you know how to use subjects going there.
01:01:09 Real quick question: can you avoid GDPR for recruitment and HR if you don't hire in the EU? Yeah. Exactly. Yes. If your HR processes and recruiting processes have explicitly nothing to do with the EU, even if somebody applies for a job and ends up in the EU and you know that they're from the EU, that doesn't necessarily … That's like having a website visitor. A lot of it … This is a popular subject on Hacker News. Everybody's like, "Is Hacker News GDPR compliant?" "I don't know. I'm not sure. Nobody knows."
01:01:42 It's like there's nothing, Hacker News is not doing anything specific to go to market or target people in the EU. Likewise, if you're a company, you're not going to fall into the territorial scope of the EU for HR, at least, if you don't have anything to do with it, and if you've got incidental employees or applicants who are applying, it's not totally clear if GDPR purports to regulate that, at least in terms of material scope, but it's like, "What are you going to do?" You can inform them …
01:02:43 A lot of times, getting an employment contract in place with the employee, that will be your legal basis to do all your other processing, and it doesn't give you a basis to do anything outside of that processing. For example, when we're talking about employee monitoring, like if you're putting antivirus or device management on people's laptops and you have the ability to turn on web monitoring or tracking, huge heads-up: talk to a lawyer before you do that. Do not just, like, be aware that could be a third rail for you. That's the kind of thing where, if you're saying, "Oh, what's the legal basis for that?"
01:03:19 "Because I want to" is probably not going to fly. "Because I need to, in our employment contract." I don't know, that may not fly either. You're definitely going to want to talk to a lawyer, or at least get more information around potential consequences. I already said, "GDPR is not new." There have been companies that have gotten into serious trouble for basically spying on employees without their consent, without letting them know.
01:03:44 There are ways, if you, again, like everything, deal with it upfront and you put in your employment contract that all of your data on all your work devices is subject to monitoring, and here's the acceptable use policy, here's training on it, just be aware that this stuff is happening if you go on. You have an easier time. If you just get a bright idea and flip a switch, or worse, realize that you've been tracking a bunch of employee behavior but you didn't mean to, you're going to be up to … I'd say your waist, but you'll probably be up to your neck. It's going to ruin your month. Dealing with it is going to be really inconvenient for you.
01:04:22 Same stuff, all this stuff applies to contractors as well, if you're dealing with contractors. If you have employees and you're using Slack or Gmail, all of a sudden their personal data is going to be in your productivity software and your tooling and your internal tooling. You need to make sure that you have data protection agreements in place, even if it's, like, you have an ops employee on PagerDuty and their email is just in PagerDuty and PagerDuty pages them when you have an issue. That counts, because you're sending their PII to PagerDuty, so they're a vendor, and you need to be able to get the agreements in place. Employees have data subject rights too, including the right to know how long you're going to keep their data and why you're retaining data if you're retaining it. You basically have to be able, in a lot of cases, to explain what you're going to do with their personnel data, like their employee files and records, and then get rid of it if you no longer need it. So the same rules that apply upfront to collecting and processing data for your product, or for growing your customer base, [inaudible 01:05:28] to your employees [inaudible 01:05:29]. You need to make sure, internally, you have a list of, "Here are all the reasons why we need to process data, because we're a controller of that data. The reasons why we need to process data, here are the systems, and here in Europe, here are your rights," basically.
01:05:45 Okay. I do not have enough time and now we’re over seven minutes over to go over this. Basically, how would you get started doing all of this? We’ll have a SaaS guide and we can do another webinar if people want. Basically, you’re going to pick one person to be responsible for this and you’re going to train them and empower them. You’re going to make a list of all the things you need to do, which is probably going to be based on materials that we give you or the materials that you can assemble but stuff like identifying that you have to get data processing agreements in place.
01:06:13 For example, with vendors stuff like that. Make a list of all that stuff. You’re going to have to track all of the data and the uses that you’re putting that data to, to be able to organize that cleanly. You can do that in an Excel sheet if you want. If you jump on the [inaudible 01:06:27] Slack, I can give you a template for it. There’s all kinds of other software and systems to track those stuff but then you like basically, you need to get organized. Get all of the things that you care about that are in scope for you for GDPR.
01:06:41 If it’s like, again, Slack and Gmail for productivity, okay. Great. If it’s Mixpanel and autopilot for marketing, great. If it’s AWS and [inaudible 01:06:51] and whatever for product, okay, great. You just need to be able to like organize that stuff and write it down. Then, from there once you have your requirements and all of the systems that you’re using in processing, you can start making a plan for like, “Okay, how do I map these sort of people and data and uses and technology to these requirements?” It gets easier from there.
01:07:12 You’re also going to have to do a bunch of stuff that’s not specifically called out in GDPR. Article 32 is the biggest example of this where there’s a lot of stuff. I called it the Pandora’s Box earlier, where it’s like, “Oh, you have to apply reasonable safeguards to protect data.” It’s like, “Oh, what are those?” Well, that’s where like risk analysis and being able to look at, especially look at like what has happened to other companies and companies like you, and be like, “Yeah. Okay, using the laptop maybe that would be bad.”
01:07:40 But like you should probably have some controls in place to plan ahead and be like, “Okay, how bad would it be if we, if that happened? How likely would it be to happen?” Writing it down and being able to say, “Okay, these are why we’re doing these controls and these are why we’re not doing these other controls.” Doing that in a formal way is good. Then, telling, you’re going to have to come up with, once you have all of this plan and these rules and these requirements and everything, you’re going to have to tell people about it and tell everybody in your organization what they need to know to do their job. For example, your sales team needs to know, don’t just sign up for Salesforce without letting the privacy officer or the DPO go in and the person who’s governing the program be able to go in and say, “Hey, can we do this or not?” Stuff like that, just you need to like spread awareness.
01:08:29 Then, finally, you’re going to want to make sure that you’re actually doing the things you’re supposed to be doing and you’re going to set up processes to measure and monitor those. [inaudible 01:08:39] and we’ll give you, if anybody wants like a written guide to how to do all this stuff in the context of GDPR, just follow along in the Slack channel or email me or something. Just get in touch with me.
01:08:54 So real quick before we do Q&A. We talked a bit about how there’s not a lot new under GDPR. There are a few things that are new, but most of this stuff is actually going, goes back a while, and there’s actually a bunch of guidance around GDPR that comes from prior guidance that’s really helpful. Again, if you want links to any of this stuff, I am more than happy. I have so many links for all of you. If you’re curious to see what is the guidance on controller versus processor. Well, there’s a whitepaper on that I can show you.
01:09:24 We talk about the structure of GDPR, most importantly, probably most of your questions are like, “Okay, what does it actually mean for different things we need to do?” Really, I’ve probably raised more questions than I have answers but hopefully, I’ve given you a range of red flags or yellow flags or whatever markers. Things to be aware of in your business to be thinking about, “Okay, how are we going to answer these questions around things like marketing, sales, products?”
01:09:51 Then, we talked a bit about how to do management through all this stuff but that’s a much bigger topic. So Q&A here. I get some questions. I’m just going to answer these questions, so I know we’re going over. If you have to drop, go ahead and drop. I’m recording this and we’ll send you a recording later. All right. First question. Nick submitted this before we got started a few days ago. He said, “Can you really adjust things based on whether users’ IP addresses are in the EU or do you have to worry about EU residents traveling to other countries or using a VPN?”
01:10:25 Really good question. The scope of your GDPR compliance is going to be determined by those two things before; material scope and territorial scope. If you have, if you’re trying to segment your user base and only apply GDPR to users who are based in the EU, you can do that for sure. That sounds like I would probably suggest if it’s possible just deciding, this is what the EU really wants, is making everybody just kind of like apply GDPR to their entire business if it’s possible. You could certainly use IP block. That would be totally reasonable. I do not think you need to worry about EU residents traveling to other countries or using a VPN or something because the material scope covers personally identifiable information. The territorial scope covers, if you’re going to market in EU and if an EU user just happens to be like in San Francisco or something, using your product like that’s not, you can’t be held sort of responsible for knowing that but that’s, there is an open question of like, “How much work do you have to do to know your customer?”
01:11:35 Realistically, I tell people, “I’m a lawyer. I’m not your lawyer. If you have questions about this, you should really talk to somebody who can give you legal advice.” But realistically, the first companies up for enforcement around GDPR are going to be companies that are like going to market in EU. We’ll probably get more guidance around this later, but I wouldn’t worry about, I wouldn’t worry about that.
01:11:59 Related to liability. Can any people or companies troll you for non-compliance or do you actually have to piss off some EU government mad enough to go after you? Yeah. This is related to what we talked about before around basically liability … Where did that go? Liability to enforcement. TBD, I don’t know. Certainly, people can file complaints against you. How are those complaints going to be followed up on? Who knows? I’m not really sure. Ultimately, if they really want to go after you they have to sue you. They have to use, they have the courts to do that, so we’ll see I guess. I think the fear of trolling is probably greater than the actual risk, but we’ll see. I’m not super, super worried about it but I’m also spending a lot of time getting ready for GDPR. If US companies haven’t cared about cookie warnings so far, should we really care about them now? Good question. I don’t know. If you are going to market and representing yourself in Europe and you fall within the territorial scope, you should certainly be thinking about this. If you’re just totally determined not to have any, if you’re not doing any advertising, you’re not doing any like special like go to market motion for Europe and you’re just like, “Hey, we’re a SaaS company. We have a tool. You can use it.” You have nothing to do with anything specific about Europe, I would probably talk to a lawyer if it makes you feel better but I wouldn’t be worrying about this a ton right now because you’re not really in scope for GDPR unless you’re doing something that indicates that you’re going to market in Europe generally.
01:13:50 That said though if you have like [inaudible 01:13:52] some web page on your site that says like, “Hey, here’s how to use our site in Paris,” or something, you should definitely be thinking about this. What kind of emails to registered users you need consent for and which can you use legitimate interest for? In general, any kind of unsolicited communication you can’t use legitimate interest for it. You have to use consent.
01:14:22 That said if you have emails that are necessary for functionality of somebody’s account, for example, and you have like it’s necessary for me to send you like a password reset email, it’s necessary for me to send you a security alert that you need to change your password, stuff like that, you can send those, you don’t need consent for those. If you have a contract with the data subject you can just use the contract [inaudible 01:14:46].
01:14:48 So like purely transactional, purely functional emails that are necessary to provide your service those would be fine, and then, we talked about this before the soft opt-in or the opt-out rule, where if you want to send newsletters or non-necessary emails, if they’re already your customer or they’re registered user, you may be able to do that on an opt-out basis but, again, you have to do some legwork upfront to get that and if you have a bunch of users historically who are not, you don’t have consent on record for, this is like why you’re seeing probably a lot of, there’s a whole, all of the emails that companies are sending there’s a whole discussion in the GDPR Slack about this and how it’s probably like off-base.
01:15:35 But basically, if you don’t have a lawful basis and you want to communicate with somebody or even store their data after May 25th, you’re going to need to go back and get a basis and if your only basis is consent, you’re going to need to go get consent from users. Okay. I’m going to go through a couple more of these, this Q&A tool.
01:15:59 Yeah. I mentioned PHI, I assume you meant PII? Correct. I meant PII. That was just a slip from years of doing HIPAA compliance as well [inaudible 01:16:11]. If somebody filled out a lead form on our website at some point, does that count as consent to [inaudible 01:16:17] until they opt out? No. That’s what I was just saying before, so unless it, under GDPR consent has some specific requirements and if you’re wondering what those are, look in Article 7 here, conditions for consent.
01:16:29 So if you don’t meet these conditions, you don’t have consent. If somebody just signed up for a lead form on your website in the past and with no other information, you probably don’t have consent because there’s specific things you need to do. You need to tell them what you’re going to do with their data. You need to give them the ability to withdraw that consent, so if they can’t do that, you don’t have consent. That doesn’t count as consent to answer that question.
01:16:56 On the other hand, if you collected data in the past and you have an opt-out for, the opt-out for an existing customer and you should, you gave them the ability to opt out before and you have that, you might be able to use that exception, so you wouldn’t need consent so there are lead forms or ways that you may have collected that data that don’t require consent in the past but, again, if it’s just a purely, you’re not a marketing website, you’re probably not just going to be able to like send them an email again.
01:17:29 You should probably think about either contacting them. It depends. If you want … I’m not going to say your name here but if you want more context on this, hop on the Slack channel and … It’s get.aptible.com/gdpr-Slack and I can tell you, I’ll be able to tell you more about this, but basically, no. It doesn’t [inaudible 01:17:53].
01:17:53 I’ve talked about the avoiding GDPR for HR recruitments. Okay, so somebody asks here, is our Facebook custom audience dead, or has Facebook obtained consent from a subset of its users or all of its users by [inaudible 01:18:07] Facebook, in which case custom audiences can still be created? That is a great question for Facebook. Facebook has spent a lot of time and effort complying with this and I would definitely talk to Facebook first.
01:18:21 That said, I could talk about the general case and not the Facebook-specific case but the general case here, which is what do I do if I’m using an analytics tool or a platform or an ad platform and I want to, I’m not sure if we have consent from the users? You need to go talk to that platform and be like, “Did you, what’s your story around GDPR, guys? What’s the deal? Can I use your platform?”
01:18:46 AdRoll, for example, is rolling out a bunch of like GDPR tools and how-to guides in marketing and stuff like that. This honestly is one of the areas which we’re going to see small companies, especially ad tech companies are going to get shaken out by this. This really consolidates the market and you see news articles about people talking about like Facebook and Google. GDPR is actually going to benefit them. This is an example of why, it’s because it requires a lot of investment and legwork in order to be able to run an ad tech company, for example, and stay compliant with GDPR.
01:19:20 If you’re not able to do that investment, you’re going to have a tough time. You’re going to be exposed to a lot of risk, and so, this is definitely, regulation definitely creates winners and losers and certainly, although Facebook and Google have been in the spotlight for substantive-ish human rights issues and privacy issues, they’re also going to be in the best position to actually comply with this stuff, so I’d definitely talk to them. The answer depends on whether … Basically, whether they have obtained sufficient consent or whether they can prove it or not.
01:19:57 Okay, so another question here. Our product is translated into 50-plus languages and we let customers in EU countries buy it if they ask. We don’t advertise or spend that much time in it. It’s like 5% of revenue. Sounds like we’re going to market enough to fall under territory of scope, correct? Yeah. Tricky one, right? So it’s not enough if you look, as I mentioned before these recitals for Article 3, specifically Recital 23, which deals with targeting. I’ll drop this link in the chat just because it’s good enough to read. If you just have like a website that’s in the language of a company or a country like if you have a website that’s in French, you’re not necessarily regulated. It’s not the same as like being in France or doing business in France. You might be in Haiti. Having a website in Spanish, you might be in Mexico. That’s not enough to trigger GDPR.
01:20:52 On the other hand, if you are, if you know that you’re selling into EU countries already, yeah. That definitely looks like you might be in scope. Tricky questions here on both fronts. Again, I would advise you go talk to a lawyer around this, but like, yeah. How much risk you actually have? I can’t give you [inaudible 01:21:16] that would be specific advice applied to a specific situation that tells you about your liability and risk in that situation, would be legal advice and I can’t give you legal advice because I’m not your lawyer, but that’s the kind of thing where it’s going to be a tough call for you because this is close. That’s on the line.
01:21:35 I think the thing that tips it for me is probably that you have, you know you have EU customers already. You know that you’ve already gone to market there and I would for now, at least, be better safe than sorry. Okay. We’re receiving two more, three more, four more. Holy cow. We’re receiving data protection agreements from existing customers that have identified us as the processor of personal information, is there any reason we should not sign these assuming we are GDPR compliant?
01:22:03 Again, you got to talk to a lawyer about whether you’re going to sign a specific contract, but assuming that you are fully GDPR compliant, yeah, you should probably sign those. Again, you’d have to look at the specific DPA and the specific contract to make a better, give you better advice here, and ultimately, that would probably be legal advice but like in general, yeah, if you’re saying you’re GDPR compliant and that you’re a processor, your customers have to get processing agreements with you in order to be able to use you, and whether you draft it or they draft it or you call it a DPA or it’s just in your terms of service or whatever that is, you’re going to have to figure that out.
01:22:46 The specific question here, is there any reason we should not sign these assuming we’re GDPR compliant? Well, you should definitely be signing something because Article 28 of GDPR requires that you do, specifically, should you sign exactly what they give you? I don’t know. That would depend on a specific situation, but certainly something.
01:23:06 Okay. Next one, when listing all subprocessors publicly most companies just seem to be listing the name of the company, maybe the location, and I’ve seen guidance at this [inaudible 01:23:17] table should include exactly what is shared with those subprocessors or [inaudible 01:23:21] private in our internal data mapping. Really good question. I think I know who asked this question. I’m glad that you did. It’s a great question. Under GDPR there are two things, two areas which you might be using. Remember, I said you’re going to want to put together that list of data uses and like what you’re using data for, what the lawful basis is if you’re a controller, what vendors you’re using for each use? There are two areas where that comes into play. First is if you are a controller, right? You have to make sure that you can comply with Article 13 or Article 14 depending on whether the data is collected directly from a subject or indirectly like you’ve done a list or something.
01:24:41 Then, this has the recipients or category [inaudible 01:24:44] for personal data, and here, this goes to your question, which is like if most companies are listing just a name of the company that it should include what data? It doesn’t exactly say that you need to share what data is shared exactly with which companies. But it’s definitely a good idea. I’ll show you, to make this a bit more concrete, let’s look at Slack, and then, we’ll look at PayPal as two examples.
01:25:15 Slack’s approach to this has been basically that we are going to, where’s our sub-processor? It’s not here. Where is it? There’s a page on Slack where basically they go through, if anybody has the link feel free to drop it to me. They basically go through and they say here are subprocessors. GitHub has one. Where is it? I feel like [inaudible 01:25:43] a lot of companies have this stuff, but they don’t necessarily, they just say like, “Oh, yeah. We’re using.” We’re using Amazon or something.
01:25:56 Yeah. Where is it? It’s around here somewhere. Yeah, thank you. Subprocessors, thank you for that. Here they just say, “Oh, these are our subprocessors.” They don’t actually say like okay specifically what data is going on which one of these. On the other hand, PayPal takes a very different … PayPal takes a very different approach. Honestly, I would lean towards this, we’re about to release our own Aptible privacy statement. We’re going to take a much more detailed approach, but you can see here like they go through in detail saying, “Okay, what’s the purpose? What data is going with the …”
01:26:31 You probably, if you’re a web company and you’re processing data on a regular basis, you probably need to keep these records under a different part of GDPR Article 30, which is the other thing, so internally, you probably need to be keeping these records and there’s a section for controllers and a section for processors and that is going to look a lot like the PayPal list here where you have very specific processors and names and geographic locations, a very specific purpose, inventory of what data was disclosed.
01:27:04 Do you need to make this list public? No. Not necessarily. Will we see more companies do that? Probably. That’s my guess but we’ll see. To go back and answer the question, can that info stay private or internal data mapping? To say specifically this information in Article 30 can stay private unless somebody, unless you’re required to produce it.
01:27:32 For example, by a DPA or your customers might ask you for evidence or if you try to hire like an Article 27 representative, they’ll probably be like, “All right, give me your Article 30 data usage mapping and the inventory.” The stuff that needs to be public or needs to be provided to the data subject somehow are in Article 13 and Article 14 and it doesn’t cover the same level of detail. No. I hope that answers that question. Great. Three more.
01:28:05 We run webinars promoted on social media inviting folks to sign up via free web form, we would like to follow up with these guys after the webinar. Congratulations. All of you this is the greatest example because it’s the example of what we’re doing right now. Can we process their details using legitimate interests if we state on the form, we have a legitimate interest to use it for this reason? So the law for this, the relevant law here is going to be basically assuming that it’s an email. It doesn’t explicitly specify this but, yeah, if you’re collecting email addresses and you want to contact these users again, in the UK, which has softer rules around this, you’d be able to, instead of providing an opt-in or, you can provide an opt-out and say, “Hey, when you sign up for this webinar we will sign you up for further emails. Let us know if you don’t want to receive these, check out here.”
01:29:09 Then, every time you email them again, you have to let them opt-out. That said, the basis, the proper legal basis for this is not legitimate interests because you’re going to be using this basically for communications with them, which may or may not have been solicited, and even if they … So this is going by the ePrivacy Directive and the, all of the national legislation and it’s implemented differently in each country. I would avoid using legitimate interests for that. You’re going to have to use consent most likely, and then, you have to deal with the rules around consent.
01:29:47 That’s why when you guys signed up for this webinar there’s a thing that basically said, we’re going to send you emails, do you consent to this or not, and if you didn’t consent to that, you will not receive a follow-up from us. There’s a bit more. I can go into more detail, whoever asked this question if you want to talk about this a bit more, again, my advice would be the GDPR Slack is a great place to go into more detail, but I can explain this a little bit more and give you some references.
01:30:16 Okay. In terms of product design and engineering, are there any specific requirements to how data is handled? Articles 25, which is data protection by design, 30, which is record-keeping, and 32, which is data protection security of processing. Briefly mention some things but they’re also vaguely defined. This is a great question because it is a question that gets to the landscape of GDPR, so GDPR itself is divided into articles, which are binding, and recitals. The articles themselves are not super helpful. They’re basically written to be technology neutral because they don’t want to go have to pass GDPR again every time that technology changes.
01:30:55 The recitals have more color commentary and guidance and there’s also official guidance from the Data Protection Directive’s Article 29 Working Party, which is becoming and basically being turned into something called the European Data Protection Board and they’re going to continue to issue guidance. There’s going to be court decisions about this stuff, although they probably won’t be as specific, and there’s also guidance, let’s see. There’s also guidance from existing principles so like this is, there’s some guidance here. This is not super helpful.
01:31:33 There’s some Canadian guidance. There’s some ICO guidance. The ICO is in a bit of a different situation because it’s not clear whether the UK is actually going to be part of Europe in like six months, but there is some guidance around here, more specific stuff. Again, is it binding guidance? No, not really but there is more information around this stuff.
01:31:57 We have a product design and engineering training course with our company. If you want more information on this, you can go into more information or if that’s something that people would want like as another webinar, just let us know and we’ll be happy to throw like a product design specific webinar and go into more detail here but, yeah, there are some, there are places for more detail. Unfortunately, none of it is super, super specific and they’re mostly dealt with in terms of principles.
01:32:28 Okay. Last question. Are pictures with GPS, metadata, human identifiable if they do not have people in the photo? It depends what the metadata is. If it’s identifying who took it, GPS coordinates for somebody’s house, the answer is it really depends. GDPR is not written in a way where it says specifically, “Oh, here’s the criteria for GPS metadata or any other type of technology.” GDPR basically says, “If there’s any way …” and it’s subjective. “If you know that you can identify this data on its own or in conjunction with other data then it’s personally identifiable.”
01:33:05 It really depends if they do not have people in this photo. There’s actually, I will say that there’s actually some, it’s not always clear that just pictures of people’s faces are identifiable for the purposes of GDPR unless you can actually like extract that data and take action on it, so just like putting up photos or something might not actually be personal data but that’s a wrinkle. That’s not the question you ask, that’s just like a separate side note but really it gets to the question of what is in the metadata. What can you get? Do you know that you can identify people in the metadata?
01:33:43 Last question here, is location data still sensitive if you limit it to high-level country only or country [inaudible 01:33:50] as opposed to like very specific like location data or address? Again, it depends on would you be comfortable going in front of a regulator and saying, “This is no longer identifiable.” It really depends on the context of the data. If you’re looking at just like, how many users do we have from France? If that’s the only thing that you’re retaining and collecting that on its own that’s not identifiable.
01:34:18 On the other hand, where did you, how did you get that data? Where did it come from? Did you discard or destroy it? Did you collect other data to get that data, and then, discard it or destroy it? What are the, sort of what rights or in what obligations do you have with regard to collecting that data in the first place? That’s a threshold question but if you get it down to a point where like you really cannot identify an individual, there’s no way that you could, it’s probably de-identified and out of scope for GDPR.
01:35:24 If you want, you can contact [inaudible 01:35:26] Aptible.com and you can also just feel free to reach out to me. My email address is just firstname.lastname@example.org and I’m happy to answer any other questions or get into some of the questions that are asked they need more details to answer or to get you in the right direction, so feel free to email me too.
01:35:45 Okay. That’s it. That’s the last slide. It clicks no further. Thank you, everybody. Again, this is recorded and we’ll post the slides. Unless you opted out, we post the slides and send you an email of the recording and the transcripts and everything. Thanks for joining. Appreciate it. Goodbye.