84%

are less likely to click on an online ad

74%

are less likely to enable location tracking

6 out 10 people

say they do not trust online business

90%+

say they want the same data protection rights across all EU countries

Eurobarometer survey & Harris Interactive and TRUSTe study

Trust is gone

Core concepts

Lawfulness, transparency & fairness

Give people information about what you do with their data

Responsability & Accountability

Data Controller vs Data Processor

Controller:

Determines the purpose and the means of the processing

Processor: 

Process the data on behalf of the Controller.

Shared responsibilities

Choose processors that guarantee compliance with the GDPR

Only on documented instructions from the controller

Assists & alert the controller

Personal data of people inside EU

People rights

Access 

Information 

Rectification

Suppression

Portability (in some cases)

Object/ restriction (in some cases)

Data breach notification

Security

Within 72 hours

To people if likely to affect their freedom & rights

Data protection compliance ‘baked in’ data processing activities.

It’s data gouvernance &

trust building

OPPORTUNITY

Now is the best time

Own the data privacy space

Show your customer that you care

8 out of 10 people

feel they do not have complete control of their personal data

89% of consumers

won’t do business with a company that doesn’t do a good enough job protecting them online

76%

likely to check websites and apps for a privacy certification seal

Eurobarometer survey & Harris Interactive and TRUSTe study

Competitive advantage

Compagnies are seeking GDPR compliant providers

Easier for pure service/data companies

Healthy relationship with providers

Follow Data Protection Authorities guidelines

Your business foundation is data

Protect your data

Make your data safe 

& your customers happy

Put responsability in the business

EU unified law

Same for 27 countries

One stop shop

Worldwide standard

The sooner you start, the better

Other countries are carrying out studies to pass privacy laws

MYTHS

25th May: hammer falls

2. Importance of showing that you started

1. Compliance is about process and documentation

3. Begining of a 2 years transition period

Fines if not compliant

3rd step : Stop collecting and/or processing

1st step : Inquiry 

2nd step : Warning

DPO

Only in certains cases

Size of the company

Categories of data being processed

Scale of processing

Only for 

Big corporations

EU compagnies

B2C

No direct marketing anymore

Yes, you can

Legal ground: legitimate interest

No need for Record of Processing Activities

Keep track of consent

Know what data to export/disclose/erase

Keep track of data Processing Agreement

Document next feature privacy

Tool

7 Actionnable Steps to get started

Limited in scope

1. Update your sign up form 

Explicit acceptation of ToS

Checkbox for newsletter / marketing purposes

Add links to information

2. Anonymize data from Analytics 

Remove last 4 digits of IP address

or

use privacy friendly software

3. Add a cookie & tracker consent 

Tools

• civicuk.com/cookie-control
• cookiebot.com
• cookie-script.com
• cookieconsent.insites.com
• OneTrust Cookie Compliance
• youronlinechoices.com
• consently.co
• userdatatrust.com

4. Add information when offering lead magnet 

Layered information

Link to privacy notice

Legitimate Interest Balancing test

Consent if running ads/retargeting

5. Assign a “point of contact”

and add its contact information in your Privacy Notice

6. Publish a “GDPR commitment” blog post

This is what we are going to do

This is the estimated date 

7. Research your providers

Are they GDPR compliant?

GDPR friendly providers directory

gdpr4saas.eu/providers-list

PLAN OF ACTION

Broad steps for the next 6 months

Needs attention of top management

Bring in CIO, CTO & CMO

Put someone in charge

Audit and map your data

Customer

Analytics

Support

Sales

Marketing

Operations

HR

Where the data flows
what are the purposes

You want to know

Who is responsible

What purpose / categories of data

Is there a transfer outside EU

How long you keep it

What legal ground

How you mitigate the risks

Train your teams

People’s rights

Security

Privacy by design & by default

Support

Sales & marketing

Development

Product Design

HR

Review how consent is given

Conduct tests (in some cases)

• Legitimate interest balancing  test
• Privacy Impact test

Clearly distinguishable

Intelligible & easily accessible form

Clear & plain language

As easy to withdraw

Assess security & technical stack

Storage (electronic / paper / archive)

Access control & logs

Consent management (proof / withdrawal)

Erasure management of personal data 

Review your providers

Assess ability to fulfill obligations

Check data breach procedure

Check features for user rights

Sign Data Processing Agreement

Review & update privacy notice

Point of contact

Categories of data being collected

Legal basis for processing & consequences

Outside EU transfer

How long the data will be stored

How to exercise users’ rights

Write procedures

Report data breach

Data Subject Access Request :

- show

- rectify

- suppress

- export data

STRATEGY

What is your likeliest situation?

Are your customers asking for compliance ?

Draft a Data Processing Agreement 

Review your privacy policy

Customers are likely to fill a resquest

Access RectificationErasure

Portability

Write procedure,

Provide privacy center

You're harvesting a lot of personnal data

Review how you ask for consent

Check with legal team if relying on legitimate interest

Provide advanced privacy center

Use tool to manage consent

Update privacy notice

You've got holes in your security

Review process for data breach notification

Enforce security  :

- use encryption for storage & transfer

- enforce user access control

- review code for data leaks

- train your technical team

Thanks :)