This article was published on June 30, 2018

GDPR is here, but it doesn’t mean your business is done prepping

Story by Jacek Materna

Jacek Materna is a technology evangelist and cyber security expert with more than 15 years of experience. As CTO of Assembla, Jacek leads the strategic vision for the company’s technology practice. In this role Jacek consults frequently with customers to better understand needs and concerns regarding the future of Source Code Management and how Assembla can best help meet those needs. Jacek is also passionate about blockchain technology and its future applications to source code and asset management. Prior to Assembla, Jacek was the SVP of Engineering at Securelogix, where he led product development for the VoIP and SIP Security software business. He helped launch a new service platform into a Fortune 10 financial institution. Earlier in his career, Jacek founded a number of technology businesses in and around VoIP security and Fintech. Jacek holds patents in the space and speaks frequently on topics such as Enterprise Cloud Version Control, Compliance, Data Security, Game Development and cloud software development. Jacek regularly advises South Texas incubators, helping to grow the next generation of cloud-based companies. Jacek holds a B.Sc. in Computer Science from the University of Toronto.

It’s been just a few weeks since the General Data Protection Regulation came into effect, and aside from some high level lawsuits from activist lawyers looking to prove a point, it’s been pretty much business as usual.

The media portrayed GDPR as the next, and possibly more disruptive, Y2K, as if at midnight on May 25, 2018, the data breach police would be knocking down doors and shuttering businesses. In reality, enforcement of this long-drawn-out regulation could take a few months to uncover non-compliant companies.

GDPR is all about putting personal data back in the hands of the citizen, the individual, the consumer and so on. It’s an attempt by the EU to drive transparency for data use and governance over what ultimately belongs to the individual.

Today, monolithic organizations are taking data and turning a profit. Inherently, this isn’t a bad thing, but there’s little oversight or transparency into how the data is being used.

In addition, consumers are signing off on onerous terms and conditions written in dense legalese, not meant for the common person. Data is currency. Our data makes money for other companies via ads; it should belong to us, and we should have control over it.

You’re a company and you’ve updated your Privacy Policy, so now what?

In preparation for GDPR, many organizations have updated and redistributed their privacy policies. You may have been responsible for this action in your company. But now what? What follow-up steps need to be taken to stay compliant?

Well, I’ll tell you.

Manage your data — Continuously audit and assess your data control. Compliance is all about controls that are continuously reviewed.

Make the right hire — If your business is predominantly EU-based or EU-focused, it makes sense to have this as a full-time role rather than part of someone’s job. If something goes wrong, your business could be in deep trouble. Invest in people; tools alone won’t get you there.

Don’t be a data hoarder — Review the data retention controls that let you manage how long user and event data is held on your servers. Under GDPR, user and event data must be retained according to stricter settings; when set properly, your systems will automatically delete user and event data that is older than the retention period you select.

Having retention controls is a key way to avoid data hoarding, and it provides an easy way to demonstrate compliance to auditors. So make sure to:

  • Understand what data you’re gathering and also classify it. Understand what personal data is and what it isn’t.
  • Make sure you understand where it’s held, how it is kept and how & when to delete it.
  • Back it up, anonymize it and encrypt it.
  • Do whatever you must, just don’t avoid managing it.
  • Be open about your processes and don’t treat it as a secret. Your influencers, customers and other stakeholders will trust you as long as you prove to be trustworthy.
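The retention control described above, as an added example that is not from the article: records are classified into user and event data, anything older than its class’s retention period is deleted automatically, and event data that is still within retention but past a shorter window has its personal fields anonymized. The data classes, retention periods, the 30-day anonymization window and the set of personal field names are all assumptions chosen for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed retention policy (assumption): how long each data class may be held.
RETENTION = {
    "user": timedelta(days=365),   # account/profile records
    "event": timedelta(days=90),   # usage and audit events
}
# Event records lose their personal identifiers after this window (assumption).
EVENT_ANONYMIZE_AFTER = timedelta(days=30)
# Field names classified as personal data (assumption for this example).
PERSONAL_FIELDS = {"email", "name", "ip", "user_id"}

def anonymize(record):
    """Redact personal fields so only the non-identifying part of the record survives."""
    return {k: ("<redacted>" if k in PERSONAL_FIELDS else v) for k, v in record.items()}

def apply_retention(records, now):
    """Enforce the policy; returns the surviving records and a count per action."""
    kept, report = [], {"deleted": 0, "anonymized": 0, "kept": 0}
    for rec in records:
        age = now - rec["created_at"]
        if age > RETENTION[rec["data_class"]]:
            report["deleted"] += 1        # past its retention period: drop entirely
            continue
        if (rec["data_class"] == "event" and age > EVENT_ANONYMIZE_AFTER
                and any(k in PERSONAL_FIELDS for k in rec)):
            rec = anonymize(rec)          # still useful for statistics, no longer personal
            report["anonymized"] += 1
        report["kept"] += 1               # counts every surviving record, anonymized ones included
        kept.append(rec)
    return kept, report

def run_sample():
    """Run the policy over constructed records, using the article's date as 'now'."""
    now = datetime(2018, 6, 30, tzinfo=timezone.utc)
    sample = [  # constructed sample data
        {"data_class": "user", "created_at": now - timedelta(days=400), "email": "old@example.com", "name": "A"},
        {"data_class": "user", "created_at": now - timedelta(days=10), "email": "new@example.com", "name": "B"},
        {"data_class": "event", "created_at": now - timedelta(days=120), "ip": "203.0.113.7", "action": "login"},
        {"data_class": "event", "created_at": now - timedelta(days=45), "ip": "203.0.113.8", "action": "login"},
        {"data_class": "event", "created_at": now - timedelta(days=5), "ip": "203.0.113.9", "action": "login"},
    ]
    return apply_retention(sample, now)

if __name__ == "__main__":
    survivors, summary = run_sample()
    print(summary)   # {'deleted': 2, 'anonymized': 1, 'kept': 3}
```

The report returned by `apply_retention` is the kind of record an auditor can be shown to demonstrate that the retention settings are actually enforced.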

Deadline has passed, can we breathe easy?

GDPR is a huge shift in how businesses approach customer data. While the deadline has come and gone, the real work is actually in the months and years ahead.

The past few months may have felt like a mad dash towards compliance, but in reality, work towards shifting the culture around data is just beginning. GDPR isn’t just the responsibility of the Chief Information Security Officer (CISO). Yes, while compliance may live in that organization, data collection and usage doesn’t (not solely anyway).

Since data is the basis for making business decisions, companies need to holistically consider GDPR. Just like the new corporate mantra “security is everyone’s responsibility,” the same expectation should be set for GDPR.

So let’s dive into what different roles need to do in the wake of GDPR.

What it means for CEOs

Data privacy and proper usage is no joke. Just look at the Facebook/Cambridge Analytica debacle. Brands face real consequences for not adhering to GDPR. While we haven’t seen it yet (as of this posting), CEOs will carry the public brunt of the responsibility for non-compliance.

What GDPR means for marketing and communications

PR and marketing activities depend on the ability to build and maintain meaningful and valuable relationships, and being perceived as trustworthy. The personal contact or biographic data of a journalist or social media influencer doesn’t belong to you as the PR professional, it belongs to the journalist and he/she has rights.

Remember to be proactive about it as the responsibility (and possible fines) rests with you. It doesn’t matter if you work with an external media database provider or an internal media research team.

What does it mean for sales?

Assuming all the data processed for direct marketing and sales purposes is done so lawfully, sales teams still need to address how privacy regulations impact their ability to send emails and place phone calls to prospects in Europe.

There is a sizable gray area when it comes to prospecting in Europe. With that in mind, here are a few best practices we know are tenets of European privacy law.

Pay attention to “Do Not Call” lists — Each member state may maintain its own “Do Not Call” list so it will be prudent to verify that your prospects are not on these lists prior to reaching out. Here are some helpful links to the lists for several member states: France, Netherlands, and Belgium.

Include opt-out and privacy notice links in emails to EU residents — For emails to both inbound and outbound sales, it will be critical to include notice of your company’s privacy practices as well as the opportunity for the recipient to object to receiving future communications. This will increase your transparency and reduce the intrusiveness of the message.

Use discretion with the amount/frequency of communications — Although this is somewhat ambiguous, it is advisable to use discretion with the frequency and number of touchpoints to ensure that you do not intrude on the “rights and freedoms” of the individual as mentioned above.

Use social media — Social media is a solid alternative channel to cold email that will allow reps to diversify their method of prospecting, while also remaining compliant with relevant privacy regulations.

This list is by no means exhaustive, but it should provide a helpful starting point for your sales reps. As always, review new processes with your legal and/or security teams to ensure alignment with the overall approach for GDPR.

What does GDPR mean for customer service?

As most teams use chat tools or ticketing systems such as Zendesk, those dealing with customer data need to be especially careful about the information they see or interact with in these tools, particularly when sharing information to solve problems — i.e. the portability of sensitive materials specific to a user’s account.

Examples could include logs or error traces that may contain sensitive personal information. While passing this information is not necessarily a problem, it could be if the party you are “chatting” with is not the actual user. Hence it is recommended that support teams use two factors of authentication before engaging with users who cannot be verified over channels such as email or phone. The benefit of chat is that it is usually strongly tied to an authenticated user session.

GDPR aftermath

Now that the dust is beginning to settle, at least until the first major breach, it’s a good time to reflect on what changes GDPR will really bring. Perhaps this transparency will drive deeper and better relationships between organizations and their customers and user base. If so, we could see more win/win situations.

While those side effects may be muddied by whatever GDPR fine hits first, the ultimate goal for corporations should be to build trust and be the kind of company whose customers or users offer up insights and data freely.
