At Flexera, we’ve received questions from our customers on how to ensure General Data Protection Regulation (GDPR) compliance with our platform, and worked with Privacy Ref to put together some resources on best practices to that end. I’ll preview the highlights here. This does not serve as legal advice, but simply as guidance and best practices we have garnered from internal and external experts on the matter. The bottom line for Flexera customers: our software usage and intelligence analytics platform can be leveraged in a manner that is GDPR compliant.
Who Is Responsible For Ensuring Compliance?
It helps first to define the roles in the regulations. GDPR refers to the “data subject.” This is the end user – the individual you’re collecting information about. The “data controller” is your company, and the “data processor” is Flexera. That means, as a customer of Flexera Compliance Intelligence or Flexera Usage Intelligence, you are a data controller. Even though Flexera stores, works with, and augments information on your behalf, Flexera is the data processor and you are the data controller. Flexera may only process a data subject’s personal information based on your direction. That designation extends to information accessed through the Force.com platform. You remain the data controller, and Salesforce is a data sub-processor (a data processor who is working on behalf of another data processor) through your relationship with Flexera.
In short, as data controller, you are accountable under GDPR to assure that the principles are met. This includes verifying that the principles and requirements of GDPR have been met by Flexera. Flexera can provide a summary of its GDPR readiness for its internal processes and technology upon request.
Do We Need Consent From the Data Subject?
As the data controller, one of the big questions of GDPR compliance revolves around getting consent from the data subject. Under previous regulations, users of Compliance Intelligence would satisfy this requirement by gaining consent through licensing terms, click-throughs, and other means.
However, the regulations eliminate the need to obtain consent when it comes to processing data to protect the legitimate interests of the data controller or third party.
Specifically, under GDPR Article 6, there is a legal basis for processing based on preventing fraud, and protecting the legitimate interests of the data controller or a third party. Recital 47 states “The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.”
For Usage Intelligence customers, legitimate interests as a legal basis (the use of data to improve products) means that consent is not required. However, sensitivity to your customer base and environment may guide you towards gaining consent. The consent mechanism should not be buried in a EULA but presented in a separate screen. Additionally, users should be able to change their preference (opt-in or opt-out) at a later time.
You also need to address the fairness and transparency principle, under which your privacy notice must state the legal basis for processing, whether the data is shared with a third party, and that the processing may occur in the United States.
Another consent question concerns the use of in-app messaging software and how it relates to GDPR. Since a business relationship already exists with the end user (a customer, trial user, or freemium user), consent is not needed to send in-app messages through ReachOut if the messages relate to the product being used. However, it is vital that you provide an opt-out mechanism so the end user can stop receiving these messages. Similar guidance applies to sending surveys via ReachOut. Keep in mind that if a survey collects personal information, additional protections for that data may be required.
Minimizing Your Risk
In the Court of Justice of the European Union opinion for Breyer v Bundesrepublik Deutschland, Case C-582/14, 12 May 2016, an IP address combined with ISP records constitutes personal data in the hands of the website provider. The reasoning applies more broadly: even if you are not an ISP, it applies if you “could keep [the IP address] indefinitely and could request at any time from the Internet access service provider additional data to combine with the IP address in order [to] identify the user.”
Overall, when collecting personal information and providing it to Flexera, only collect the minimum necessary to meet your objectives. For example, Flexera Compliance Intelligence customers have the ability to collect organization IP address and other application and machine environment data. Collecting this data in the clear may aid in the identification of an infringing organization.
With Flexera Usage Intelligence, the IP address is used only to determine the country location and is then immediately deleted. Since it is still collected, you need to disclose this collection in your privacy notice, and it is recommended that you stress that the address is used solely to identify a country and is not retained afterwards.
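The two minimization practices described above (keep only the fields you need, and reduce the IP address to a country code before anything is stored) can be expressed as a small sanitization step on the telemetry event. The following is an added example written for this post; it is not Flexera code, and the prefix-to-country table and the allow-list of fields are constructed placeholders standing in for a real GeoIP database and your own data inventory.

```python
import ipaddress

# Constructed prefix table standing in for a real GeoIP lookup (example data only,
# drawn from documentation ranges; it is not a real geolocation database).
COUNTRY_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "AU",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("2001:db8::/32"): "FR",
}

# Allow-list of fields the analytics pipeline is permitted to retain. Anything not
# listed here (raw IP, usernames, hostnames, ...) is dropped before storage.
# This set is an assumption for the example; derive yours from your privacy notice.
ALLOWED_FIELDS = {"product", "version", "os", "event", "session_id"}


def country_for_ip(ip_text):
    """Map an IP address string to a country code, or None if unknown or invalid."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net, country in COUNTRY_PREFIXES.items():
        if addr.version == net.version and addr in net:
            return country
    return None


def minimize_event(raw_event):
    """Return the only version of the event that may be stored.

    The raw IP is consumed here to derive a country code and is never copied into
    the result, so downstream storage and analytics never see it. Fields outside
    ALLOWED_FIELDS are discarded rather than forwarded.
    """
    minimized = {k: v for k, v in raw_event.items() if k in ALLOWED_FIELDS}
    country = country_for_ip(raw_event.get("ip", ""))
    minimized["country"] = country if country is not None else "unknown"
    return minimized


def dropped_fields(raw_event):
    """List the fields that minimization removed, useful for auditing what the
    client sends versus what the privacy notice says is retained."""
    return sorted(k for k in raw_event if k not in ALLOWED_FIELDS)


if __name__ == "__main__":
    # Constructed sample event as a client might send it, including fields that
    # must not reach storage.
    sample = {
        "product": "ExampleApp",
        "version": "3.2.1",
        "os": "Windows 10",
        "event": "feature_used",
        "session_id": "a1b2c3",
        "ip": "203.0.113.45",
        "username": "jdoe",
        "hostname": "JDOE-LAPTOP",
    }
    print("stored:", minimize_event(sample))
    print("dropped:", dropped_fields(sample))
```

Running the block shows the stored record carrying a country code but no IP, username, or hostname. Because the allow-list is explicit, a new field added on the client side is dropped by default until someone consciously adds it to the list and to the privacy notice, which keeps the collected data and the disclosed data from drifting apart.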
GDPR compliance isn’t as complex as it may seem, and it can be accomplished without disrupting your business practices or the value you’ve realized from leveraging data for insight-driven revenue recovery and product development. For more information on complying with GDPR, take a look at our white paper, “Privacy, Piracy and Product Usage: GDPR Readiness for Software Usage Analytics,” and watch our recent webinar “GDPR Readiness for Software Usage Analytics.”