GDPR… And You Thought You Were Covered!

Taking notes with pen and paper or your personal notes app? You might be in more trouble than you think.

Dooly
Apr 24, 2018 · 6 min read

Thank you Facebook! Much obliged Uber! Appreciate it Under Armour!

Why the gratitude? 203 million exposed personal records in the last six months alone, from just these three companies, have created more than hype and hysteria. They have created a problem, and a big, expensive one at that.

The first legislated time bomb ticking away is in Europe, where some of the world’s most progressive countries have taken a hard line on the reckless handling and weak protection of personal information.

Enter the General Data Protection Regulation (GDPR), geography-agnostic legislation that applies to anyone and everyone with customers, users, site visitors, etc. in the EU, wherever the company itself happens to be based.

Right down to the cookies they store, companies have until May 25th, 2018 to ensure that their customers’ information is not only protected from outside threats, but that any user can exercise their right to be forgotten (the right to erasure). The penalty for being caught out of compliance in any part of your business that touches customer information runs up to 4% of global annual turnover or 20 million Euros, whichever is greater. It’s kind of a big deal.

This post isn’t to tell you about the GDPR in great detail… if you’ve read this far, chances are it’s relevant and you’ve had your fill of companies telling you how they’re protecting your data. My inbox is being hammered with emails from SaaS companies telling me about revised privacy policies, GDPR plans, data they hold of mine, blah, blah, blah. You can’t scroll through your LinkedIn feed without seeing a steady stream of companies telling you their plans, too.

Phew! Every SaaS company on the planet is on top of this, so you’re in great shape, right? Far from it!

Side Story

We did a fairly big implementation about a year ago with a company with European offices in Barcelona, Stockholm and Dublin. This is not a small company — they’re a pretty big name in the who’s who of tech. During an implementation, we like to understand the lay of the land, so we talked to some of their users. Pretty simple set of questions, one of which is, “how do you take notes today?”

The answers were the first eye-opener.

First user: “Evernote.”
Next user: “Notepad.”
Next user: “OneNote.”
Next user: “I email myself my notes.”
…“Word,” “Excel,” “Sticky Notes.”

You get the picture. Half of the notes were being taken on personal tools that the reps were using to stay organized in their deals.

My initial reaction was, “Man, think of what happens when that person quits. They literally get to take their ball home with them and continue the game at their next gig and the company is left with bread crumbs at best.” (This on its own is a blog post for another day!).

How many deals die or get drawn out because the company has to try to revive a deal with little to no knowledge of the who, what, when, where and why? All of that was neatly logged in a personal notes app which, by the way, the rep takes along to their next job with your competitor.

I fed this information back to the fella who was managing the implementation (who had a very thick Irish accent… I’m guessing from Dingle or Galway) and his response said it all —

“F#$@” (pr. fock with a touch of the Irish).

I asked him about his reaction to find out more about his concerns (with the selfish hope of hearing more Irish swearing) and his answer was equally fascinating. It turns out there was a bigger worry than just lost deals!

“We’ve never even thought about this.”

GDPR was less than 12 months away and our customer hadn’t even thought about it. Needless to say, I became very interested in business continuity, compliance and privacy protection at this point. Nearly every part of the corporate IT infrastructure is hardened — managed by the business and made available to the user. You can’t walk into a company that uses Salesforce and say, “Meh, I’m gonna use Dynamics.”

However, when we transitioned from pen and paper to digital, we didn’t pay much attention to the personal productivity tools people were using to take their meeting notes, manage their to-do’s, etc.

For years, front line people have had carte blanche access to whatever they feel like using, while the business is accruing a liability it may not even be aware of. I’m not sure how well ignorance holds up as a defence when the 20 million Euro fine shows up in the mail, but I’ll take a stab and say, “not very well.”

Here’s the thing… the GDPR covers more than just your company’s equivalent of a Facebook profile or the customer records held in a database at Under Armour. It covers every customer touchpoint where personal data is processed or filed, right down to the Post-It note that Bob in accounting jotted your customer’s credit card number on.

If your customer-facing teams are taking notes today, I’m going to hazard a guess that your exposure to GDPR non-compliance is growing by the day.

At Dooly, to be GDPR compliant, we thought about our responsibilities as both a Controller of data and a Processor of data—both carry their own requirements.

Our customers are Controllers of the information they capture during their conversations with customers and prospects. As such, we need to give them the ability to remove those conversations from Dooly and any system leveraged by Dooly to make the magic of our platform happen. Pretty easy (as we had planned for this from inception). As a Processor, we need to ensure that those conversations are kept safe from data breach.

Turns out, that wasn’t very hard either, given the way we’d architected the platform. The Data Processing Agreement (DPA) we had to craft was probably the biggest headache in the whole readiness plan. But we’re a startup with fresh code and less complexity than a Facebook or an Atlassian.

We started Dooly because we wanted to give customer-facing teams the freedom to sell.

Essentially, we wanted to reverse the flow of data in an organization, making it easier for those teams to stay, well… customer-facing. We wanted to get rid of the need to update corporate systems by hand (CRM being the primary early focus of our platform) and enable companies to get what they need from their users without asking them to take their eye off the prize and, frankly, without headache. It turns out that this was a pretty good bet, because it led to the ability to manage customer data in a way that is nowhere near as compromised as it is when users are left, quite literally, to their own devices.

Obviously we have an angle in this post (buy Dooly for your sales and customer success teams — they’ll love you for it and you can breathe a sigh of relief! 🙌🏼), but we also want our customers and others in the corporate community to think about the myriad personal apps that touch customer data within their business on a regular basis. This goes far beyond notes, and GDPR is just the tip of the iceberg. The rest of the world isn’t far behind!

Kris Hartvigsen is the CEO & Co-Founder of Dooly and a leader in the tech industry with over twenty years of experience. Before founding Dooly, he held senior consulting and management positions in sales for companies like Mobify and led Vision Critical as their EVP Sales from its early startup days to revenues in excess of $100 million.
