Leverage GDPR requirements to your advantage
gdpr4saas.eu
@pl4n3th
@LTVConf
84% are less likely to click on an online ad
74% are less likely to enable location tracking
6 out of 10 people say they do not trust online businesses
90%+ say they want the same data protection rights across all EU countries
Eurobarometer survey & Harris Interactive and TRUSTe study
Lawfulness, transparency & fairness
Give people information about what you do with their data
Responsibility & accountability
Controller:
Determines the purposes and the means of the processing
Processor:
Processes the data on behalf of the Controller
Shared responsibilities:
Choose processors that guarantee compliance with the GDPR
Processors act only on documented instructions from the controller
Processors assist the controller and alert it (for instance of a data breach)
EU company: applies everywhere
Non-EU company: applies when processing personal data of people inside the EU
Such a company generally must designate a representative in the EU
Access
Information
Rectification
Erasure (right to be forgotten)
Portability (in some cases)
Objection / restriction (in some cases)
Notify the supervisory authority within 72 hours of becoming aware of a data breach
Notify the people concerned if the breach is likely to result in a high risk to their rights and freedoms
Data protection compliance ‘baked in’ data processing activities.
Now is the best time
Show your customer that you care
8 out of 10 people feel they do not have complete control of their personal data
89% of consumers won’t do business with a company that doesn’t do a good enough job protecting them online
76% are likely to check websites and apps for a privacy certification seal
Eurobarometer survey & Harris Interactive and TRUSTe study
Companies are seeking GDPR-compliant providers
Easier for pure service/data companies
Healthy relationship with providers
Your business foundation is data
Protect your data
Make your data safe
& your customers happy
Same for 27 countries
One stop shop
Worldwide standard
Other countries are carrying out studies to pass privacy laws
1. Compliance is about process and documentation
2. Importance of showing that you have started
3. Beginning of a 2-year transition period
1st step: Inquiry
2nd step: Warning
3rd step: Stop collecting and/or processing
Only in certain cases
Size of the company
Categories of data being processed
Scale of processing
Big corporations
EU companies
B2C
Yes, you can
Legal ground: legitimate interest
Keep track of consent
Know what data to export/disclose/erase
Keep track of Data Processing Agreements
Document the privacy impact of the next feature before you build it
Limited in scope
Explicit acceptance of the ToS
Separate, unticked-by-default checkbox for newsletter / marketing purposes (a pre-ticked box is not valid consent)
Add links to information
Truncate the IP address before it is stored (drop the last octet of an IPv4 address, e.g. 203.0.113.42 becomes 203.0.113.0; drop the last 80 bits of an IPv6 address)
or
use privacy-friendly analytics software
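The truncation described above, as an added example that is not code from the slides or from any analytics vendor. It keeps the first 24 bits of an IPv4 address and the first 48 bits of an IPv6 address (both prefix lengths are assumptions you can tighten), refuses to pass through anything that is not an address, and masks the client field of a constructed access-log line so the raw address never reaches the analytics store:

```python
"""Mask client IP addresses before analytics storage (added example)."""
import ipaddress
from typing import Optional

IPV4_KEEP_BITS = 24   # assumption: drop the last octet, 203.0.113.42 -> 203.0.113.0
IPV6_KEEP_BITS = 48   # assumption: drop the last 80 bits


def anonymize_ip(raw: str, v4_bits: int = IPV4_KEEP_BITS,
                 v6_bits: int = IPV6_KEEP_BITS) -> Optional[str]:
    """Return the truncated address, or None when the input is not an address.

    Returning None instead of echoing the input means a malformed or spoofed
    header value can never slip through unmasked.
    """
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    # An IPv4 address arriving as IPv4-mapped IPv6 (::ffff:203.0.113.42) is
    # unwrapped so it gets the IPv4 mask instead of being zeroed out entirely
    # by the /48 IPv6 mask (the embedded IPv4 bits sit below bit 48).
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    keep = v4_bits if addr.version == 4 else v6_bits
    network = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(network.network_address)


def scrub_access_log_line(line: str) -> str:
    """Mask the leading client address of a Common Log Format line.

    Run this in the ingestion path (or the log shipper) so the raw address is
    never written to the analytics store in the first place.
    """
    client, sep, rest = line.partition(" ")
    masked = anonymize_ip(client)
    return (masked if masked is not None else "-") + sep + rest


if __name__ == "__main__":
    # Constructed sample line in Common Log Format
    sample = ('203.0.113.42 - - [25/May/2018:10:00:00 +0000] '
              '"GET /pricing HTTP/1.1" 200 2326')
    print(scrub_access_log_line(sample))
```

Note that the masking is irreversible only if the original is actually discarded: if the raw request log is kept for 30 days elsewhere, the retention rule for that log, not this function, decides how long the full address lives.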
Tools
Layered information
Link to privacy notice
Legitimate Interest Balancing test
Consent if running ads/retargeting
and add its contact information in your Privacy Notice
This is what we are going to do
This is the estimated date
Are they GDPR compliant?
GDPR friendly providers directory
gdpr4saas.eu/providers-list
Broad steps for the next 6 months
Bring in CIO, CTO & CMO
Put someone in charge
Customer
Analytics
Support
Sales
Marketing
Operations
HR
Where the data flows
What the purposes are
Who is responsible
What purpose / categories of data
Is there a transfer outside EU
How long you keep it
What legal ground
How you mitigate the risks
People’s rights
Security
Privacy by design & by default
Support
Sales & marketing
Development
Product Design
HR
Conduct tests (in some cases)
Clearly distinguishable
Intelligible & easily accessible form
Clear & plain language
As easy to withdraw as to give
Storage (electronic / paper / archive)
Access control & logs
Consent management (proof / withdrawal)
Erasure management of personal data
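The consent requirements above (clearly distinguishable, as easy to withdraw as to give) and the "consent management (proof / withdrawal)" item both come down to one record: what was agreed, when, where and under which notice, and whether it still stands. The ledger below is an added example, not code from the slides or from any consent-management product; subject ids, purposes, notice versions and the sample events are all constructed. It refuses to record a grant without an affirmative action (a pre-ticked box is not consent), records withdrawals with no extra friction, and answers both "who may I email tonight" and "show me what I agreed to":

```python
"""Append-only consent ledger: proof of consent and of its withdrawal (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


def utc(*ymdhms: int) -> datetime:
    """Timezone-aware UTC timestamp; a consent record must not be ambiguous about the clock."""
    return datetime(*ymdhms, tzinfo=timezone.utc)


def utc_now() -> datetime:
    return datetime.now(timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str        # your own user id, not an email address
    purpose: str           # e.g. "newsletter", "retargeting_ads" (constructed)
    action: str            # "granted" or "withdrawn"
    at: datetime
    notice_version: str    # which privacy notice text was shown
    source: str            # where it happened: signup form, unsubscribe link ...
    wording: str = ""      # the exact checkbox text the person ticked


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []   # append-only, never edited or deleted

    def grant(self, subject_id: str, purpose: str, notice_version: str, source: str,
              wording: str, *, affirmative: bool, at: Optional[datetime] = None) -> ConsentEvent:
        # A pre-ticked box or silence is not consent (GDPR recital 32), so a
        # grant is refused unless the caller attests to an active opt-in.
        if not affirmative:
            raise ValueError("consent needs an affirmative action by the user")
        event = ConsentEvent(subject_id, purpose, "granted", at or utc_now(),
                             notice_version, source, wording)
        self._events.append(event)
        return event

    def withdraw(self, subject_id: str, purpose: str, source: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawing must be as easy as giving: nothing to re-read or confirm,
        # only the fact and where it came from (an unsubscribe link, say).
        event = ConsentEvent(subject_id, purpose, "withdrawn", at or utc_now(), "", source)
        self._events.append(event)
        return event

    def history(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        return [e for e in self._events if e.subject_id == subject_id and e.purpose == purpose]

    def has_consent(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """The latest event on or before `at` decides; no event at all means no consent."""
        when = at or utc_now()
        seen = sorted((e for e in self.history(subject_id, purpose) if e.at <= when),
                      key=lambda e: e.at)
        return bool(seen) and seen[-1].action == "granted"

    def audience(self, purpose: str, at: Optional[datetime] = None) -> List[str]:
        """Everyone who currently consents to `purpose`: the only valid mailing list."""
        subjects = {e.subject_id for e in self._events if e.purpose == purpose}
        return sorted(s for s in subjects if self.has_consent(s, purpose, at))

    def proof(self, subject_id: str, purpose: str) -> List[dict]:
        """Serialisable chain of events, the answer to 'show me what I agreed to'."""
        return [{"action": e.action, "at": e.at.isoformat(), "notice_version": e.notice_version,
                 "source": e.source, "wording": e.wording}
                for e in self.history(subject_id, purpose)]
```

Keeping the ledger append-only (no updates, no deletes) is what makes it usable as proof: a withdrawal is a new event, not the removal of the grant, so the history answers both "did they consent on that date" and "do they consent now". When the person later exercises their right to erasure, the ledger is the one record you keep, pseudonymised, because you still need to prove you stopped.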
Assess their ability to fulfil their obligations
Check data breach procedure
Check features for user rights
Sign Data Processing Agreement
Point of contact
Categories of data being collected
Legal basis for processing & consequences
Outside EU transfer
How long the data will be stored
How to exercise users’ rights
Report data breaches
Data Subject Access Request:
- show
- rectify
- erase
- export data
What is your likeliest situation?
Draft a Data Processing Agreement
Review your privacy policy
Access / Rectification / Erasure
Portability
Write a procedure
Provide a privacy center
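The procedure and privacy center asked for here, and the "show / rectify / erase / export" request handling a few slides earlier, both depend on the record of processing activities (who is responsible, purpose and categories, legal ground, retention, transfer outside the EU). The example below is added here and is not code from the slides or from any product; the store names, the user id "u42" and every record are constructed, and in-memory dicts stand in for the real systems. The register drives the answers, including the two "in some cases" the deck mentions: portability is limited to data held on the basis of consent or a contract, and erasure is refused, with the reason recorded, where data is kept under a legal obligation:

```python
"""Privacy center driven by the record of processing activities (added example)."""
import json
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Processing:
    store: str            # where the data lives
    owner: str            # who is responsible for it
    purpose: str
    categories: List[str]
    legal_ground: str     # consent | contract | legal_obligation | legitimate_interest
    retention_days: int
    outside_eu: bool      # is there a transfer outside the EU


class PrivacyCenter:
    def __init__(self, register: List[Processing], stores: Dict[str, Dict[str, dict]]) -> None:
        missing = [p.store for p in register if p.store not in stores]
        if missing:
            raise ValueError(f"register names stores that do not exist: {missing}")
        self.register = register
        self.stores = stores

    def access(self, subject_id: str) -> Dict[str, dict]:
        """Right of access: every record we hold, with the register's context."""
        result = {}
        for p in self.register:
            record = self.stores[p.store].get(subject_id)
            if record is not None:
                result[p.store] = {"data": dict(record), "purpose": p.purpose, "owner": p.owner,
                                   "legal_ground": p.legal_ground,
                                   "retention_days": p.retention_days,
                                   "transferred_outside_eu": p.outside_eu}
        return result

    def export_portable(self, subject_id: str) -> Dict[str, dict]:
        """Portability (Art. 20 GDPR) covers data the person provided that is
        processed on the basis of consent or a contract; stores held under
        other grounds are left out of the machine-readable export."""
        return {p.store: dict(self.stores[p.store][subject_id]) for p in self.register
                if p.legal_ground in ("consent", "contract") and subject_id in self.stores[p.store]}

    def export_portable_json(self, subject_id: str) -> str:
        return json.dumps(self.export_portable(subject_id), sort_keys=True, indent=2)

    def rectify(self, subject_id: str, store: str, field: str, value) -> bool:
        """Correct one field; refuse silently-wrong writes to unknown stores or fields."""
        record = self.stores.get(store, {}).get(subject_id)
        if record is None or field not in record:
            return False
        record[field] = value
        return True

    def erase(self, subject_id: str) -> Dict[str, str]:
        """Erase per store. Data kept under a legal obligation (invoices, say)
        is not deleted; the refusal and its reason are returned so the
        answer sent to the person is documented."""
        outcome = {}
        for p in self.register:
            if subject_id not in self.stores[p.store]:
                continue
            if p.legal_ground == "legal_obligation":
                outcome[p.store] = f"retained: {p.purpose}, legal obligation, {p.retention_days} days"
            else:
                del self.stores[p.store][subject_id]
                outcome[p.store] = "erased"
        return outcome


def sample_center() -> PrivacyCenter:
    """Fresh instance with constructed data so every request starts from the same state."""
    register = [
        Processing("crm", "sales", "provide the service", ["identity", "contact"], "contract", 3 * 365, False),
        Processing("billing", "finance", "invoicing", ["identity", "payment"], "legal_obligation", 10 * 365, False),
        Processing("support", "support", "customer support", ["contact", "tickets"], "contract", 2 * 365, True),
        Processing("analytics", "marketing", "product analytics", ["usage"], "legitimate_interest", 365, True),
    ]
    stores = {
        "crm": {"u42": {"name": "A. Example", "email": "a@example.org", "plan": "pro"}},
        "billing": {"u42": {"invoices": ["INV-2018-001"], "vat_id": "FR00000000000"}},
        "support": {"u42": {"tickets": ["password reset", "billing question"]}},
        "analytics": {"u42": {"last_seen": "2018-05-20", "pages": 14}},
    }
    return PrivacyCenter(register, stores)
```

Because the handlers iterate over the register rather than over a hard-coded list of systems, a store that is not in the register is invisible to access and erasure, which is exactly the failure mode the data-mapping step is meant to catch: if a new feature writes personal data somewhere, it has to be registered before the privacy center can honour a request about it.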
Review how you ask for consent
Check with legal team if relying on legitimate interest
Provide advanced privacy center
Use tool to manage consent
Update privacy notice
Review the process for data breach notification
Enforce security:
- use encryption for data at rest and in transit
- enforce user access control
- review code for data leaks
- train your technical team