Despite the flurry of activity and anxiety leading up to the May 2018 enforcement of GDPR, just over a year since its enactment, there are organizations collecting personal data that are actually taking comfort and confidence in the guidance it provides.
That notion is probably surprising considering that more than half of the US and European companies surveyed in the IAPP-EY Annual Governance Report 2018 who were subject to the regulations said they were far from compliance or would never comply. They named some of the hardest aspects of compliance as the right to be forgotten, fulfilling data subjects access requests and getting explicit consent from users – with US companies reporting higher difficulty scores, according to coverage in Corporate Counsel.
law firm DLA Piper. And during the first nine months, total penalties imposed under the statute added up to €55,955,871 (about US $62,900,554).
Despite all of this, consider the case of software companies that are leveraging data from software usage analytics to identify and address organizations that are pirating their applications, overusing licenses or otherwise infringing on their intellectual property. While many software companies have been using this approach successfully for more than a decade, there had been some conservativism in what types of data they should collect due to concerns for privacy and diverse regulatory prescriptions and precedent.
Complying under GDPR
Now, under GDPR Article 6, there is a legal basis for processing personal information based on the legitimate interests of the data controller or a third party. Recital 47 states, “The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.”
To provide more clarity, it helps first to define the roles in the regulations. GDPR refers to the “data subject.” This is the end user – the individual you’re collecting information about. The “data controller” is you, the software company, and the “data processor” is your software usage analytics vendor.
That means, as a user of compliance and usage intelligence, you are a data controller. Even though your solution stores, works with and augments information on your behalf, the usage intelligence vendor is the data processor and you are the data controller. That vendor may only process a data subject’s personal information based on your direction.
In short, as data controller, you are accountable under GDPR to assure that the principles are met. This includes verifying that the principles and requirements of GDPR have been met by your compliance and usage intelligence solution provider. In most cases, that provider can provide a summary of its GDPR readiness for its internal processes and technology upon request.
As the data controller, one of the bigger general questions of GDPR compliance revolves around getting consent from the data subject. Previously, users of compliance analytics would satisfy this requirement by gaining consent through licensing terms, click-throughs and other means.
However, the regulations eliminate the need to obtain consent when it comes to processing data to protect the legitimate interests of the data controller or third party.
Beyond fraud prevention, legitimate interests as a legal basis (the use of data to improve products) also means that consent is not required. However, sensitivity to your customer base and environment may guide you towards gaining consent. The consent mechanism should not be buried in a EULA, but presented in a separate screen.
Additionally, users should be able to change their preference (opt-in or opt-out) at a later time.
The fairness and transparency principle
You also need to address the fairness and transparency principle, in which you must include the legal basis in your privacy notice, state if it’s being shared with a third party, and that the processing may occur in the United States.
Using this legitimate interest of the data controller as the legal basis for processing data eliminates the need to obtain consent. As a result, software companies are benefiting from the definition provided by GDPR by providing more peace of mind and more direction in terms of how to use personal data to prevent fraud and improve products — an outcome some might have not predicted leading up to its enforcement.