GDPR 101 for Product Managers — What you need to know

Chetan Kapoor
3 min read · May 30, 2018


GDPR is one of the most comprehensive privacy regulations enacted to date. There is a lot of discussion about it, and a lot of information and misinformation being floated around. What is it? Why does it matter? Does it apply to your product? Product Managers have all these questions and more around GDPR. I could not find any easy getting-started guide to the world of GDPR, so based on my research, this document outlines some of the points that I think are relevant to Product Managers of Digital Products in India. The goal of the document is not to act as legal counsel on matters of GDPR — please reach out to a certified legal professional for that. Having said that, the goal of the document is to help Product Managers of Digital Products understand the main components of GDPR and prepare to make the necessary changes to the products that they are managing.

So what is GDPR after all and what’s the big deal about it?

  • GDPR stands for General Data Protection Regulation
  • The regulation went into effect for all EU member states on 25 May 2018
  • It is the most comprehensive privacy regulation enacted to date by the European Union.
  • It consists of 99 Articles in total — of these, 64 outline general provisions for governance and management, and 35 are actionable and apply to data management.

In a nutshell, it requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within the EU. Yes, if your product has users in the EU, then you need to be compliant.

It is a big deal because over the past decade the world has seen a worrying trend: an increase in the number of breaches and in the number of records compromised as a result. To give a sense of the scale of the problem, consider the following stats:

  • In 2016 there were ~1,100 breaches and ~36 million records were compromised
  • In 2017 there were ~1,200 breaches and ~172 million records were compromised

Given these staggering figures, a comprehensive privacy regulation was badly needed, and GDPR will also act as a basis for other countries around the world as they formulate their own privacy regulations.

What happens if you are not ready?

Non-compliance is not an option. Unlike many scenarios where the fine is the equivalent of a $1 parking ticket for a $1,000,000 violation, the fines here are severe.

Fines: Lower Limit

  • 2% of a company’s annual revenue
  • or EUR 10 million, whichever is higher

Fines: Upper Limit

  • 4% of a company’s annual revenue
  • or EUR 20 million, whichever is higher

PS: Fines of this size would be seriously damaging to companies that are non-compliant.

What do PMs and Businesses need to do?

There is an urgent need to align the product’s data requirements with the needs of the business, and it is crucial to answer questions like:

  • What is the personal data that is being managed by your product for the business?
  • What is the exact source of the personal data coming into the product, and how exactly is it being used?
  • Can you search through personal data?
  • Can oversight requirements of supervisory authorities be met?
