GDPR Opens Up Huge Opportunities for ISVs — Here’s How

What’s GDPR?

As of May 25, 2018, any company doing business with subjects of the European Union must comply with the General Data Protection Regulation (GDPR) — or face fines up to 4% of revenue (do I have your attention now?).

GDPR is the new data privacy regulation jointly proposed by the European Parliament, the Council of the European Union and European Commission which aims to “strengthen and unify” data protection laws for individuals within the European Union. The regulation consists of 99 Articles and 173 Recitals, and will replace the old Data Protection Directive [95/46/EC], which has been effective since 1995. Underpinning the regulations is the principle of “privacy by design,” which means compliance cannot be an add-on, but must be baked into the operational DNA of the organization.

GDPR and recent data breaches have put data privacy in the spotlight, and businesses that move fast to demonstrate “privacy by design” will earn trust, confidence and deeper engagement with their end customers.

Furthermore, ISVs can close deals faster by positioning themselves as part of the GDPR solution when customers reevaluate their data management and apps — and this article will explore how.

Who’s affected by GDPR?

GDPR applies to any and all organizations that:

  • Hold or process personal data of subjects residing in the EU
  • Offer goods or services to EU residents
  • Monitor behaviors of EU data subjects

The law applies to any company whose data processing concerns private data of EU data subjects, irrespective of the company’s (processor or controller) location.

That means most ISVs and their customers.

The biggest change (particularly for US companies) is that, under GDPR, customers must now give consent for their data to be used; essentially, they must “opt-in.” This is in stark contrast to the previous approach of “use data until the customer opts-out.”

Here’s how to think about it…

Many companies will roll their eyes at the arrival of GDPR, seeing it as the latest piece of red tape coming out of Brussels, adding more cost to operations and destroying agility: throwing grit into the gears.

It is clear that every company needs to protect the rights of citizens and their data, especially now that the world is so interconnected and data gathering and analysis are so advanced. Personally Identifiable Information (PII) is increasingly being viewed as a valuable asset.

GDPR is a huge opportunity for businesses

GDPR is an opportunity to demonstrate that PII is being taken seriously, and can be used as a competitive differentiator. It sends the message to your customers, “You can trust us with your data.”

Revisiting customer-facing business processes to make sure they comply with GDPR will help simplify them — and that could end up driving out a significant amount of waste, which makes marketing, sales and support teams more effective.

GDPR is an even bigger opportunity for AppExchange ISVs

Furthermore, GDPR can be used as a catalyst to get customers to move their data and apps onto a trusted platform, making it easier to manage ongoing compliance with GDPR. After all, with the deadline for compliance less than 100 days away, urgency is building. Every app is being put under scrutiny.

And the fact that many app vendors have been slow to see and capitalize on this opportunity means there’s still a “first mover advantage.” So, the time to act is now.

How to capitalize on GDPR: 6 steps

First of all, it is useful to understand what a customer needs to do to implement GDPR, so an ISV can position their sales messaging and support efforts correctly. Below are the critical steps of a GDPR implementation process for a customer:

  1. Build a data inventory of all apps down to field level. This may seem arduous, but there are ISV apps that can do this automatically and are far quicker, easier and more sustainable than spreadsheets. The data inventory includes the ISV’s objects and fields that are installed within their managed package.
  2. Identify all data fields in the data inventory that hold personal data. This is a large one-off activity, but it needs to be kept up-to-date as fields are added or changed. Again, it includes the ISV’s customizations, so the ISV can provide the fields pre-categorized.
  3. Ensure that all end customer data has a justification for holding it. There are several reasons why data can be held (consent, contract, legal basis, etc.). This may mean going back to get explicit consent, and if consent is not obtained, then the data must be deleted. It is a great opportunity to re-engage end customers and purge obsolete data.
  4. Provide an electronic means to post a request. This essentially means you need a web page or email address where a customer can raise one of the 6 GDPR requests: Subject Access, Right to Rectification, Erasure (the “right to be forgotten”), Right to Restriction of Processing, Right to Receive Personal Data and, finally, Right to Object. You then need the back-end processes to be able to deal with each request, which is the next point.
  5. Document the new GDPR processes and revise existing processes. There are specific processes that need to be in place to make sure that end users do not inadvertently break the rules. This may be a huge change for many marketing, sales and support teams. Pre-built process documentation is available as a starting point.
  6. Train teams on the implications of GDPR. The core principles of GDPR need to be understood by all staff. They must know how to access the operational processes that relate to their role.

The good news is, what needs to be done by ISVs is not hard:

  • Help customers understand how their app will support the customer data requirements of GDPR, leveraging the Salesforce platform messaging
  • Provide customers with guidance on how to change their operational processes to exploit the power of their app, as well as be GDPR compliant
  • Ensure that the competitive messaging is in all marketing materials, websites, blogs, webinars, events, tweets and pre-sales decks

GDPR is a lifestyle change — not a crash diet.

For many ISVs, GDPR is now a recurring question raised by customers in pre-sales discussions or in their research. How many potential customers, who have been driven to the ISV’s website through expensive marketing activities, search for the ISV’s response to GDPR, find nothing — not even a blog post — and move on?

Take a moment to go to a couple of ISV websites, blogs and user conferences and search “GDPR”. Nothing. Nada. Zilch. Staggering.

Clearly, every ISV needs to show they are GDPR compliant when handling their own customer data. This requires Privacy by Design principles to be applied internally. It’s a perfect example of “drinking your own champagne” — customers want to hear that this is in hand, and that’s just table stakes.

The real opportunity is for an ISV to be proactive and provide tools and content to enable customers to implement their app, confident that it will support GDPR, with the minimum effort possible. Do that right, and the next 100 days (and beyond) are going to feel like Y2K all over again.

And leveraging the power of Salesforce as well as other ISVs and consulting firms is key. No one has a complete GDPR solution. GDPR is the tide that raises all boats: Working together, everybody gains.