December 13, 2017

Getting Ready for GDPR in a Software Usage Analytics World

Like many in the software world these days, as you fix your eyes on your monitor and begin to go about your day, the many ways in which General Data Protection Regulation (GDPR) compliance will touch your company likely swirl around in your head. Every product, every service, and every part of your business that in some way will be affected by the regulations has of course been on your mind for quite some time, but as that May 25, 2018 deadline inches closer, it has taken on increased urgency.

Download Free White Paper Privacy, Piracy, and Product Usage: GDPR Readiness for Software Usage Analytics

At Revulytics, we’ve received questions from our customers on how to ensure GDPR compliance with our platform, and recently worked with Privacy Ref to put together some resources on best practices to that end. I’ll preview the highlights here. This does not serve as legal advice, but simply as guidance and best practices we have garnered from internal and external experts on the matter.

The bottom line for Revulytics customers: our software usage and intelligence analytics platform can be leveraged in a manner that is GDPR compliant.

Who Is Responsible For Ensuring Compliance?

It helps first to define the roles in the new regulations. GDPR refers to the “data subject.” This is the end user – the individual you’re collecting information about. The “data controller” is your company, and the “data processor” is Revulytics. That means, as a customer of Revulytics Compliance Intelligence or Revulytics Usage Intelligence, you are a data controller. Even though Revulytics stores, works with, and augments information on your behalf, Revulytics is the data processor and you are the data controller. Revulytics may only process a data subject’s personal information based on your direction. That designation extends to information accessed through the Force.com platform. You remain the data controller, and Salesforce is a data sub-processor (a data processor who is working on behalf of another data processor) through your relationship with Revulytics.

In short, as data controller, you are accountable under GDPR to assure that the principles are met. This includes verifying that the principles and requirements of GDPR have been met by Revulytics. Revulytics can provide a summary of its GDPR readiness for its internal processes and technology upon request.

Do We Need Consent From the Data Subject?

As the data controller, one of the big questions of GDPR compliance revolves around getting consent from the data subject. Under previous regulations, users of Compliance Intelligence would satisfy this requirement by gaining consent through licensing terms, click-throughs, and other means.

However, the new regulations eliminate the need to obtain consent when it comes to processing data to protect the legitimate interests of the data controller or third party.

Specifically, under GDPR Article 6, there is a legal basis for processing based on preventing fraud, and protecting the legitimate interests of the data controller or a third party. Recital 47 states “The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.”

For Usage Intelligence customers, legitimate interests as a legal basis (the use of data to improve products) means that consent is not required. However, sensitivity to your customer base and environment may guide you towards gaining consent. The consent mechanism should not be buried in a EULA but presented in a separate screen. Additionally, users should be able to change their preference (opt-in or opt-out) at a later time.

You also need to address the fairness and transparency principle, in which you must include the legal basis in your privacy notice, state if it’s being shared with a third party, and that the processing may occur in the United States.

Another question around consent comes around the use of in-app messaging software and how it relates to GDPR. Since an existing business relationship exists with the end user (i.e. a customer, trial user, freemium user) consent is not needed to send in-app messages through ReachOut if the messages relate to the product being used. However, it is vital that you provide an opt-out mechanism for the end user to stop receiving these messages. Similar guidance applies to the sending of surveys via ReachOut. Keep in mind that if the survey collects personal information additional protections for the data may be required.

Minimizing Your Risk

In the Court of Justice of the European Union opinion for Breyer v Bundesrepublik Deutschland, Case C-582/14, 12 May 2016, IP address combined with ISP records would constitute personal data in the hands of the website provider. But more broadly there could be applicability: even if you’re not an ISP if you “could keep [the IP address] indefinitely and could request at any time from the Internet access service provider additional data to combine with the IP address in order identify the user.”

Overall, when collecting personal information and providing it to Revulytics, only collect the minimum necessary to meet your objectives. For example, Revulytics Compliance Intelligence customers have the ability to collect organization IP address and other application and machine environment data.  Collecting this data in the clear may aid in the identification of an infringing organization.

With Revulytics Usage Intelligence, IP address is only used to obtain country location and is then immediately deleted. Since it is being collected, you need to inform your users of this collection in the privacy notice, but it is recommended that you stress that it is solely used to identify a country and then no longer retained.

GDPR compliance isn’t as complex as it may seem – and it can easily be accomplished without disrupting your business practices and the value you’ve realized from leveraging data for insight-driven revenue recovery and product development. For more information and advice on complying with GDPR, take a look at our white paper, “Privacy, Piracy and Product Usage: GDP Readiness for Software Usage Analytics,” and watch our recent webinar “GDPR Readiness for Software Usage Analytics.”

Get Started with Usage Analytics

Register a free account and start touring analytics immediately. Then, simply integrate the SDK into your app to start your free trial. Start making data-driven decisions.

Victor DeMarines

Post written by Victor DeMarines

Vice President, Products & Strategy at Revulytics

Victor DeMarines brings extensive security product management and marketing experience to Revulytics, where he is responsible for product strategy and direction. He is a frequent speaker and author on topics including piracy, reverse engineering and the protection of intellectual property.

Subscribe to Our Blog