Trickle Down GDPR — Why Every ISV is Impacted

A Little Background

We’ve been talking a lot about GDPR compliance lately, but in case you’ve missed the headlines, here are a few things you need to know about GDPR. From May 25, 2018, any company doing business with data subjects of the European Union must comply with the GDPR’s stringent rules or face fines of up to 4% of revenue. Underpinning the regulation is the principle of “Privacy by Design”, which means compliance cannot be an add-on but must be baked into the operational DNA of the organization.

The General Data Protection Regulation (GDPR) is the new data privacy regulation jointly proposed by the European Parliament, the Council of the European Union and the European Commission, aiming to “strengthen and unify” data protection laws for individuals within the European Union. GDPR consists of 99 Articles, plus 173 Recitals, which provide explanatory text to aid interpretation of the Articles. The new regulation will replace the old Data Protection Directive [95/46/EC], which has been in effect since 1995.

GDPR applies to organizations…

  • Holding or processing personal data of subjects residing in the EU
  • Offering goods or services to EU residents
  • Monitoring the behavior of EU data subjects

The law applies to any company whose data processing concerns the private data of EU data subjects, regardless of whether the company is a processor or a controller and regardless of where it is located.

That means most ISVs and their customers.

The biggest change, particularly for US companies, is that customers must give consent for their data to be used — “opt-in”. This is in stark contrast to the US approach of “use data until the customer opts-out”.

“Why should I worry? We’re a small company.”

Many ISVs, even though they hold EU data and clearly need to comply with GDPR, are adopting a “keep your head down” strategy.

I got a junk email from a multi-national lead generation company that claims that Google, Box, and Square have used them for over three years to build contact and account data for their reps. But when I emailed back asking how they were intending to comply with GDPR, the email I got back was somewhat surprising:

“Great question, we’re following our clients’ lead in most cases, and taking a wait-and-see approach to the new policy. We have many Fortune 1000 clients that are not taking an active approach to the policy and are continuing their outbound efforts.”

I can see that companies are considering GDPR as yet more unnecessary red tape foisted on them by the EU. But what many don’t appreciate is that this is the new normal. The data privacy laws are catching up with how customer data is distributed and used. And whilst it is being driven from the EU, similar standards will be created in the next few years in every developed country. In summary, GDPR is “about being honest with customer data.”

There can be benefits from the effort required to comply with GDPR, so it should have a positive ROI. The benefits are focused around three areas: reputation, data clean-up, and process improvement. And if you accept that you are going to need to comply, then why not get ahead of the herd and turn it to your advantage? This is explored in this article on the benefits of the change.

“We’ll never need to comply.”

GDPR doesn’t seem like a priority item. Revenue is more important. Closing that next big customer logo.

Which is why GDPR is going to be an issue. Those big-name customers you want to win are definitely worrying about how they will comply with GDPR. They are looking at where their customer data is stored and how it is processed. They know that they are under the spotlight of the regulators, who want a couple of high-profile scalps — and fines of 4% of global revenue — to drive home the message that GDPR is serious.

As an ISV, you are probably holding their data. You are definitely processing it. So you are the “data processor” in the relationship. The customers will want to know how you are going to support them in complying with GDPR. As you think about that, you will turn around to your app providers and ask them the same question — and so on down the levels.

Everyone in the food chain, from the largest multi-national to the most innovative startup in the tech space, is going to get caught up in this. Which is good for all of us as consumers who are fed up with being constantly spammed.

OK, I get it. So how should I comply?

The good news is it’s not hard. The major activities are:

  • Build a Data Inventory of all apps down to field level: This may seem arduous, but there are ISV apps (elements.cloud) that can do this automatically, and they are far quicker, easier and more sustainable than spreadsheets.
  • Identify all data fields in the Data Inventory that hold Personal Data: This is a large one-off activity, but it needs to be kept up to date as fields are added or changed. Some of these fields can be pre-categorized.
  • Ensure that all end customer data has a justification for holding it: There are several reasons why data can be held (consent, contract, legal basis…). This may mean going back to get explicit consent, and if consent is not obtained, then the data must be deleted. It is a great opportunity to re-engage end customers and purge obsolete data.
  • Provide an electronic means to post a Request: This essentially means you need a web page or email address where a customer can raise one of the 6 GDPR requests: Subject Matter Access, Right to Rectification, Erasure (“right to be forgotten”), Right of Restriction of Processing, Right to Receive Personal Data and finally, Right to Object. Then you need the back-end processes to be able to deal with each request, which is the next point.
  • Document the new GDPR processes and revise existing processes: Specific processes need to be in place to make sure that your staff do not inadvertently break the rules. This may be a huge change for many marketing, sales and support teams.
  • Train teams on the implications of GDPR: The core principles of GDPR need to be understood by all staff. They must know how to access the operational processes that relate to their role.
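The first three activities above (a field-level inventory, tagging which fields hold personal data, and a justification for each) can be checked mechanically. The following is an added example, not code from the article or from elements.cloud; the app, object and field names are constructed sample data, and the set of recognised bases is an assumption based on the justifications the article mentions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed set of justifications for holding data (the article lists consent, contract, legal basis...).
LAWFUL_BASES = {"consent", "contract", "legal_obligation", "legitimate_interest"}

@dataclass(frozen=True)
class Field:
    """One inventory row: app -> object -> field, plus its personal-data tag."""
    app: str
    obj: str
    name: str
    personal: bool               # activity 2: does this field hold personal data?
    basis: Optional[str] = None  # activity 3: documented justification, if any

# Constructed sample inventory spanning a CRM and a marketing tool (not real data).
INVENTORY: List[Field] = [
    Field("crm", "Contact", "Email", True, "consent"),
    Field("crm", "Contact", "Phone", True, "contract"),
    Field("crm", "Contact", "Birthdate", True),             # no basis recorded
    Field("crm", "Account", "Industry", False),
    Field("mktg", "Lead", "Email", True, "purchased_list"),  # not a recognised basis
    Field("mktg", "Lead", "Score", False),
]

def personal_fields(inv: List[Field]) -> List[Field]:
    """The subset of the inventory tagged as holding personal data."""
    return [f for f in inv if f.personal]

def unjustified_fields(inv: List[Field]) -> List[str]:
    """Personal-data fields whose basis is missing or not a recognised one.

    These need consent re-collected or the data purged; returned as
    'app.object.field' references for a clean-up report.
    """
    return [f"{f.app}.{f.obj}.{f.name}" for f in personal_fields(inv)
            if f.basis not in LAWFUL_BASES]

def coverage(inv: List[Field]) -> float:
    """Share of personal-data fields with a valid basis (1.0 means done)."""
    pf = personal_fields(inv)
    return (len(pf) - len(unjustified_fields(inv))) / len(pf) if pf else 1.0

if __name__ == "__main__":
    for ref in unjustified_fields(INVENTORY):
        print("needs justification or deletion:", ref)
    print(f"coverage: {coverage(INVENTORY):.0%}")
```

Re-running the check as fields are added or changed is what keeps the inventory current, which is the on-going part of activity 2.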

Below is a more detailed GDPR implementation plan.

The final word…

GDPR and recent data breaches have put data privacy in the spotlight. Customers that move fast to demonstrate “Privacy by Design” will earn trust, confidence and deeper engagement with their end customers. ISVs can close deals faster by positioning themselves as part of the GDPR solution when customers reevaluate their data management and apps.
