Finance & Operations

Using Data to Improve Products in a GDPR World

Keith Fenech

August 13, 2019

Despite the flurry of activity and anxiety leading up to the May 2018 enforcement of GDPR, just over a year since its enactment, there are organizations collecting personal data that are actually taking comfort and confidence in the guidance it provides.

That notion is probably surprising considering that more than half of the US and European companies surveyed in the IAPP-EY Annual Governance Report 2018 who were subject to the regulations said they were far from compliance or would never comply. They named some of the hardest aspects of compliance as the right to be forgotten, fulfilling data subjects access requests and getting explicit consent from users – with US companies reporting higher difficulty scores, according to coverage in Corporate Counsel.

Additionally, according to Slate, nearly 60,000 breaches were reported during the first eight months of the GDPR – data Slate covered from a survey released early in 2019 by law firm DLA Piper. And during the first nine months, total penalties imposed under the statute added up to €55,955,871 (about US $62,900,554).

Despite all of this, consider the case of software companies that are leveraging data from software usage analytics to identify and address organizations that are pirating their applications, overusing licenses or otherwise infringing on their intellectual property. While many software companies have been using this approach successfully for more than a decade, there had been some conservativism in what types of data they should collect due to concerns for privacy and diverse regulatory prescriptions and precedent.

Complying under GDPR

Now, under GDPR Article 6, there is a legal basis for processing personal information based on the legitimate interests of the data controller or a third party. Recital 47 states, “The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.”

To provide more clarity, it helps first to define the roles in the regulations. GDPR refers to the “data subject.” This is the end user – the individual you’re collecting information about. The “data controller” is you, the software company, and the “data processor” is your software usage analytics vendor.

That means, as a user of compliance and usage intelligence, you are a data controller. Even though your solution stores, works with and augments information on your behalf, the usage intelligence vendor is the data processor and you are the data controller. That vendor may only process a data subject’s personal information based on your direction.

In short, as data controller, you are accountable under GDPR to assure that the principles are met. This includes verifying that the principles and requirements of GDPR have been met by your compliance and usage intelligence solution provider. In most cases, that provider can provide a summary of its GDPR readiness for its internal processes and technology upon request.

As the data controller, one of the bigger general questions of GDPR compliance revolves around getting consent from the data subject. Previously, users of compliance analytics would satisfy this requirement by gaining consent through licensing terms, click-throughs and other means.

However, the regulations eliminate the need to obtain consent when it comes to processing data to protect the legitimate interests of the data controller or third party.

Beyond fraud prevention, legitimate interests as a legal basis (the use of data to improve products) also means that consent is not required. However, sensitivity to your customer base and environment may guide you towards gaining consent. The consent mechanism should not be buried in a EULA, but presented in a separate screen.

Additionally, users should be able to change their preference (opt-in or opt-out) at a later time.

The fairness and transparency principle

You also need to address the fairness and transparency principle, in which you must include the legal basis in your privacy notice, state if it’s being shared with a third party, and that the processing may occur in the United States.

While these software companies still need to comply with the fairness and transparency principle (including providing appropriate notices in their external privacy policy), it is reasonable for data subjects to expect that their information will be collected and processed.

Using this legitimate interest of the data controller as the legal basis for processing data eliminates the need to obtain consent. As a result, software companies are benefiting from the definition provided by GDPR by providing more peace of mind and more direction in terms of how to use personal data to prevent fraud and improve products — an outcome some might have not predicted leading up to its enforcement.

VP Software Analytics

Keith is Revulytics’ VP, Software Analytics and was the co-founder and CEO of Trackerbird Software Analytics before the company was acquired by Revulytics in 2016. Following the acquisition, Keith joined the Revulytics team and is now responsible for the strategic direction and growth of the Usage Analytics business within the company. Prior to founding Trackerbird, Keith held senior product roles at GFI Software where he was responsible for the product roadmap and revenue growth for various security products in the company's portfolio. Keith also brings with him 10 years of IT consultancy experience in the SMB space. Keith has a Masters in Computer Science from the University of Malta, specializing in high performance computing.