Note: This article is not to be treated as legal advice. We did our best to provide the most accurate information about how GDPR may affect your business; however, before taking any measures, we strongly recommend that you consult a professional legal advisor.
What is GDPR all about?
GDPR (General Data Protection Regulation) is the EU regulation on data protection and privacy. It applies from 25 May 2018 to every organization established in the EU that collects, stores or otherwise processes personal data. It also applies to organizations based outside the EU that process the personal data of people in the EU, for instance by offering them goods or services or by monitoring their behaviour.
The main objective of GDPR is to ensure the security of personal data and to give data subjects control over their own information. In practice, it means protecting customers, mobile app users and consumers from data breaches and from misuse of their data.
For business owners – especially the data-driven product owners – it means a lot of extra work, to ensure they comply with the GDPR guidelines. It might mean re-writing terms and conditions of their services, or redesigning their apps. Or re-thinking operational processes and ways of dealing with third parties. All of that might initially seem like a burden.
But many experts claim that this strict policy towards personal data will bring long-term benefits for businesses as well. First of all, complying with GDPR forces business owners to become aware of what kind of data they collect, how they acquire it and what they use it for. In some cases this leads to a complete rethinking of business operations, and to their optimization.
Secondly, the rules dictated by GDPR are an opportunity to build more user-oriented digital products, as well as create transparent and meaningful relationships with customers. Especially the latter is always a good prospect for the future of any business.
Main policy changes introduced by GDPR
Before we talk about what complying with GDPR might mean for you as a data-driven product owner, let’s outline the biggest changes introduced by the new regulation.
• Data protection by design and by default is the concept that sets the tone for creating GDPR-friendly data-driven products. Sometimes also referred to as ‘privacy by design’, this idea stresses that you have to consider the protection of personal data at every stage of developing a business, mobile app or digital service, and that the default settings of a product should process only the data needed for each specific purpose.
• Businesses should only collect data that is necessary for a specific, stated purpose, e.g. delivering a contracted service, and should keep it only as long as that purpose requires. Long story short: collect and store as little data as you can, for as short a time as possible.
• When acquiring data from third parties, you have to be sure that those third parties collected the data lawfully (in compliance with GDPR) and that they have a lawful basis, such as the users’ consent, to pass it on to you.
• At any time, you should be able to demonstrate that your business stores and processes personal data in accordance with GDPR.
• You need to inform your customers about how you will use their data. In plain and clear language, you should communicate why you need their data, how you will process it, for how long it will be kept, what rights they have over it, and so on. You also need a lawful basis before you start processing users’ data. Where that basis is consent, the consent must be freely given, specific, informed and unambiguous, and it must be explicit for special categories of data such as health data.
• You are obliged to report a personal data breach to the relevant supervisory authority in your country without undue delay and, where feasible, no later than 72 hours after you become aware of it, unless the breach is unlikely to result in a risk to the people concerned. If the breach is likely to result in a high risk to them, you must also inform the affected individuals without undue delay.
What does GDPR mean for your business in practice?
The technology required to implement the GDPR guidelines is one thing. You might need new digital tools and/or restructured data processing to ensure that your business uses data in accordance with the new law. But, as some experts stress, this ‘GDPR shift’ is even more about updating business mindset and behaviours than about technology.
GDPR calls on CEOs, product owners, marketers and developers to approach their jobs with users’ needs in mind, even more so than until now. This new approach may require businesses to incorporate (or strengthen) practices that were not a priority before. Here are some of the ‘post-GDPR’ business focus points:
• Software development companies will think about data protection from the first ideation meeting about the next product they create. This will improve users’ protection even at the level of the data processing logic and in the way metadata is collected. Data-driven products will be safe by design, not merely patched to satisfy regulations after the product is complete.
• Businesses will need to rethink their documentation systems and make them smart, to ensure two things: that they are able to account for their GDPR compliance AND that they don’t drown in their own operational data. The direction in which documentation practices will develop is unknown, but it is certainly a good occasion for companies to optimize their documenting processes.
• The need for simpler digital communications will increase. For one thing, this applies to language: GDPR states that data controllers and processors must communicate about their data policies in clear and plain language. The other side of this simplicity is intuitive and reliable UX design. This is the best way to ensure that consumers understand your product and can find the information about their personal data and the control options that GDPR grants them.
• Data-driven product owners and managers will learn to assess the sensitivity of the data they collect, as well as the level of breach risk. Processing that is likely to pose a high risk to individuals requires a documented data protection impact assessment, and appointing a data protection officer is mandatory in some cases, for example for public authorities or where the core activity involves large-scale monitoring of individuals or large-scale processing of special categories of data. Outside those cases, businesses may appoint a data protection officer voluntarily or manage data policies within the company themselves. In any case, awareness of which personal data needs particular protection will increase.
• What will also increase is the need for reliable business partners, especially among companies whose digital products use data supplied by third parties (e.g. data delivered by marketing agencies or collected through tools like Google Analytics). Under GDPR, before processing any data sourced from third parties (rather than directly from users), businesses are obliged to make sure that this data was acquired in compliance with the new regulation, and any processor that handles data on their behalf must be bound by a written contract. This will increase the significance of trust when working with a partner company or outsourcing services.
• Businesses will only be able to collect and store user data that is necessary for their operations. Any data acquired before GDPR came into force for which there is no longer a purpose or a lawful basis will need to be erased from their systems.
GDPR might mean a lot of work for product owners at the beginning. However, in the long run, we believe that this consumer-safety-oriented regulation will benefit businesses, too.
So if you are a data-driven product owner (or are planning to become one), embrace this opportunity. Make your product great and safe for your users. Put business processes in place that ensure you are collecting, storing and processing data securely. Your customers will reward you for that.