Leverage

GDPR requirements

to

your advantage

gdpr4saas.eu

@pl4n3th

@LTVConf

84%

are less likely to click on an online ad

74%

are less likely to enable location tracking

6 out 10 people

say they do not trust online business

90%+

say they want the same data protection rights across all EU countries

Eurobarometer survey & Harris Interactive and TRUSTe study

Trust is gone

gdpr4saas.eu

@pl4n3th

@LTVConf

Core concepts

Lawfulness, transparency & fairness

Give people information about what you do with their data

Responsability & Accountability

gdpr4saas.eu

@pl4n3th

@LTVConf

Data Controller vs Data Processor

Controller:

Determines the purpose and the means of the processing

Processor: 

Process the data on behalf of the Controller.

Shared responsibilities

Choose processors that guarantee compliance with the GDPR

Only on documented instructions from the controller

Assists & alert the controller

gdpr4saas.eu

@pl4n3th

@LTVConf

Personal data of people inside EU

EU company: applies everywhere

Non EU company: applies when processing personal data of people inside EU

                                   designate a representative in EU

gdpr4saas.eu

@pl4n3th

@LTVConf

People rights

Access 

Information 

Rectification

Suppression

Portability (in some cases)

Object/ restriction (in some cases)

gdpr4saas.eu

@pl4n3th

@LTVConf

Data breach notification

Security

Within 72 hours

To people if likely to affect their freedom & rights

Data protection compliance ‘baked in’ data processing activities.

gdpr4saas.eu

@pl4n3th

@LTVConf

It’s data gouvernance &

trust building

gdpr4saas.eu

@pl4n3th

@LTVConf

OPPORTUNITY

Now is the best time

gdpr4saas.eu

@pl4n3th

@LTVConf

Own the data privacy space

Show your customer that you care

8 out of 10 people

feel they do not have complete control of their personal data

89% of consumers

won’t do business with a company that doesn’t do a good enough job protecting them online

76%

likely to check websites and apps for a privacy certification seal

Eurobarometer survey & Harris Interactive and TRUSTe study

gdpr4saas.eu

@pl4n3th

@LTVConf

Competitive advantage

Compagnies are seeking GDPR compliant providers

Easier for pure service/data companies

Healthy relationship with providers

gdpr4saas.eu

@pl4n3th

@LTVConf

Follow Data Protection Authorities guidelines

Your business foundation is data

Protect your data

Make your data safe 

& your customers happy

Put responsability in the business

gdpr4saas.eu

@pl4n3th

@LTVConf

EU unified law

Same for 27 countries

One stop shop

Worldwide standard

gdpr4saas.eu

@pl4n3th

@LTVConf

The sooner you start, the better

Other countries are carrying out studies to pass privacy laws

gdpr4saas.eu

@pl4n3th

@LTVConf

MYTHS

gdpr4saas.eu

@pl4n3th

@LTVConf

25th May: hammer falls

2. Importance of showing that you started

1. Compliance is about process and documentation

3. Begining of a 2 years transition period

gdpr4saas.eu

@pl4n3th

@LTVConf

Fines if not compliant

3rd step : Stop collecting and/or processing

1st step : Inquiry 

2nd step : Warning

gdpr4saas.eu

@pl4n3th

@LTVConf

DPO

Only in certains cases

Size of the company

Categories of data being processed

Scale of processing

gdpr4saas.eu

@pl4n3th

@LTVConf

Only for 

Big corporations

EU compagnies

B2C

gdpr4saas.eu

@pl4n3th

@LTVConf

No direct marketing anymore

Yes, you can

Legal ground: legitimate interest

gdpr4saas.eu

@pl4n3th

@LTVConf

No need for Record of Processing Activities

Keep track of consent

Know what data to export/disclose/erase

Keep track of data Processing Agreement

Document next feature privacy

Tool

gdpr4saas.eu

@pl4n3th

@LTVConf

7 Actionnable Steps to get started

Limited in scope

gdpr4saas.eu

@pl4n3th

@LTVConf

1. Update your sign up form 

Explicit acceptation of ToS

Checkbox for newsletter / marketing purposes

Add links to information

gdpr4saas.eu

@pl4n3th

@LTVConf

2. Anonymize data from Analytics 

Remove last 4 digits of IP address

or

use privacy friendly software

gdpr4saas.eu

@pl4n3th

@LTVConf

3. Add a cookie & tracker consent 

Tools

  • civicuk.com/cookie-control
  • cookiebot.com
  • cookie-script.com
  • cookieconsent.insites.com
  • OneTrust Cookie Compliance
  • youronlinechoices.com
  • consently.co
  • userdatatrust.com

gdpr4saas.eu

@pl4n3th

@LTVConf

4. Add information when offering lead magnet 

Layered information

Link to privacy notice

Legitimate Interest Balancing test

Consent if running ads/retargeting

gdpr4saas.eu

@pl4n3th

@LTVConf

5. Assign a “point of contact”

and add its contact information in your Privacy Notice

gdpr4saas.eu

@pl4n3th

@LTVConf

6. Publish a “GDPR commitment” blog post

This is what we are going to do

This is the estimated date 

gdpr4saas.eu

@pl4n3th

@LTVConf

7. Research your providers

Are they GDPR compliant?

GDPR friendly providers directory

gdpr4saas.eu/providers-list

gdpr4saas.eu

@pl4n3th

@LTVConf

PLAN OF ACTION

Broad steps for the next 6 months

gdpr4saas.eu

@pl4n3th

@LTVConf

Needs attention of top management

Bring in CIO, CTO & CMO

Put someone in charge

gdpr4saas.eu

@pl4n3th

@LTVConf

Audit and map your data

Customer

Analytics

Support

Sales

Marketing

Operations

HR

Where the data flows
what are the purposes

gdpr4saas.eu

@pl4n3th

@LTVConf

You want to know

Who is responsible

What purpose / categories of data

Is there a transfer outside EU

How long you keep it

What legal ground

How you mitigate the risks

gdpr4saas.eu

@pl4n3th

@LTVConf

Train your teams

People’s rights

Security

Privacy by design & by default

Support

Sales & marketing

Development

Product Design

HR

gdpr4saas.eu

@pl4n3th

@LTVConf

Review how consent is given

Conduct tests (in some cases)

  • Legitimate interest balancing  test
  • Privacy Impact test

Clearly distinguishable

Intelligible & easily accessible form

Clear & plain language

As easy to withdraw

gdpr4saas.eu

@pl4n3th

@LTVConf

Assess security & technical stack

Storage (electronic / paper / archive)

Access control & logs

Consent management (proof / withdrawal)

Erasure management of personal data 

gdpr4saas.eu

@pl4n3th

@LTVConf

Review your providers

Assess ability to fulfill obligations

Check data breach procedure

Check features for user rights

Sign Data Processing Agreement

gdpr4saas.eu

@pl4n3th

@LTVConf

Review & update privacy notice

Point of contact

Categories of data being collected

Legal basis for processing & consequences

Outside EU transfer

How long the data will be stored

How to exercise users’ rights

gdpr4saas.eu

@pl4n3th

@LTVConf

Write procedures

Report data breach

Data Subject Access Request :

- show

- rectify

- suppress

- export data

gdpr4saas.eu

@pl4n3th

@LTVConf

STRATEGY

What is your likeliest situation?

gdpr4saas.eu

@pl4n3th

@LTVConf

Are your customers asking for compliance ?

Draft a Data Processing Agreement 

Review your privacy policy

gdpr4saas.eu

@pl4n3th

@LTVConf

Customers are likely to fill a resquest

Access RectificationErasure

Portability

Write procedure,

Provide privacy center

gdpr4saas.eu

@pl4n3th

@LTVConf

You're harvesting a lot of personnal data

Review how you ask for consent

Check with legal team if relying on legitimate interest

Provide advanced privacy center

Use tool to manage consent

Update privacy notice

gdpr4saas.eu

@pl4n3th

@LTVConf

You've got holes in your security

Review process for data breach notification

Enforce security  :

- use encryption for storage & transfer

- enforce user access control

- review code for data leaks

- train your technical team

gdpr4saas.eu

@pl4n3th

@LTVConf

Thanks :)

gdpr4saas.eu

@pl4n3th

@LTVConf

Leverage GDPR

By Aleth @ smarttleads

Leverage GDPR

A talk at LTVConf 2018

  • 943