At Revulytics, we’ve received questions from our customers on how to ensure General Data Protection Regulation (GDPR) compliance with our platform.
It helps first to define the roles in the regulations. GDPR refers to the “data subject.” This is the end user – the individual you’re collecting information about. The “data controller” is your company, and the “data processor” is Revulytics. That means, as a customer of Revulytics Compliance Intelligence or Revulytics Usage Intelligence, you are a data controller. Even though Revulytics stores, works with, and augments information on your behalf, Revulytics is the data processor and you are the data controller. Revulytics may only process a data subject’s personal information based on your direction. That designation extends to information accessed through the Force.com platform. You remain the data controller, and Salesforce is a data sub-processor (a data processor who is working on behalf of another data processor) through your relationship with Revulytics.
In short, as data controller, you are accountable under GDPR to assure that the principles are met. This includes verifying that the principles and requirements of GDPR have been met by Revulytics. Revulytics can provide a summary of its GDPR readiness for its internal processes and technology upon request.
As the data controller, one of the big questions of GDPR compliance revolves around getting consent from the data subject. Under previous regulations, users of Compliance Intelligence would satisfy this requirement by gaining consent through licensing terms, click-throughs, and other means.
However, the regulations eliminate the need to obtain consent when the processing is necessary to protect the legitimate interests of the data controller or a third party.
Specifically, under GDPR Article 6, there is a legal basis for processing based on preventing fraud.
For Usage Intelligence customers, legitimate interests as a legal basis (the use of data to improve products) means that consent is not required. However, sensitivity to your customer base and environment may guide you towards gaining consent. The consent mechanism should not be buried in a EULA but presented in a separate screen. Additionally, users should be able to change their preference (opt-in or opt-out) at a later time.
You also need to address the fairness and transparency principle: your privacy notice must include the legal basis for processing, state whether the data is shared with a third party, and note that the processing may occur in the United States.
Another question around consent concerns the use of in-app messaging software and how it relates to GDPR. Because a business relationship already exists with the end user (i.e. a customer, trial user, or freemium user), consent is not needed to send in-app messages through ReachOut if the messages relate to the product being used. However, it is vital that you provide an opt-out mechanism so the end user can stop receiving these messages. Similar guidance applies to sending surveys via ReachOut. Keep in mind that if a survey collects personal information, additional protections for that data may be required.
In the Court of Justice of the European Union opinion for Breyer v Bundesrepublik Deutschland, Case C-582/14, 12 May 2016, an IP address combined with ISP records would constitute personal data in the hands of the website provider. The reasoning applies more broadly: even if you are not an ISP, an IP address may be personal data in your hands if you “could keep [the IP address] indefinitely and could request at any time from the Internet access service provider additional data to combine with the IP address in order to identify the user.”
Overall, when collecting personal information and providing it to Revulytics, only collect the minimum necessary to meet your objectives. For example, Revulytics Compliance Intelligence customers have the ability to collect organization IP address and other application and machine environment data. Collecting this data in the clear may aid in the identification of an infringing organization.
With Revulytics Usage Intelligence, the IP address is used only to determine the country location and is then immediately deleted. Because it is still collected, you need to inform your users of this collection in the privacy notice, but it is recommended that you stress that it is used solely to identify a country and is not retained afterwards.
GDPR compliance isn’t as complex as it may seem – and it can easily be accomplished without disrupting your business practices and the value you’ve realized from leveraging data for insight-driven revenue recovery and product development. For more information on complying with GDPR, take a look at our white paper, “Privacy, Piracy and Product Usage: GDPR Readiness for Software Usage Analytics,” and watch our recent webinar “GDPR Readiness for Software Usage Analytics.”
Vice President, Products & Strategy at Revulytics
Victor DeMarines brings extensive security product management and marketing experience to Revulytics, where he is responsible for product strategy and direction. He is a frequent speaker and author on topics including piracy, reverse engineering and the protection of intellectual property.