post

B2B product management

Artificial Intelligence (AI) & Machine Learning (ML)

Building Product Teams

Business Strategy

Data Driven Product Management

Digital Transformation

Diversity and Inclusion

Minimum Viable Product

OKRs

Prioritisation

Product Design

Product Research

Product Development Process

Product Ethics

Product Discovery

Product Leadership

Product Management Career

Product Strategy

Stakeholder Management

🌎 <a href="https://www.mindtheproduct.com/world-product-day/" style="color:#FFFFFF;text-decoration:underline;">Happy World Product Day!</a> Be sure to celebrate product, yourself, and your peers today! 🎉

Successful product management in companies where it’s least understood

Measuring critical user journeys – Javier Andrés Bargas-Avila (UX Director, Google)

A new way to look at applied experiments

Product survey findings: Only 15% of users are embracing AI features 

Building high-performing product teams: The PDLC approach

Footer About

Footer Contribute

Footer Get Involved

Footer Links

Mind the Product

Guest Post

Overcoming the 20% feature usage challenge

Product Management

Three product leaders to learn from at #mtpcon inside Pendomonium

Owen has 15 years experience in tech running experiential, digital production and startup teams. He's done installations for CERN, Audi and Cadbury, worldwide advertising campaigns for Durex, Red Bull and Range Rover, and now in the startup world works as Head of Product at Crowdfunder.co.uk.

Owen Wallis

<p>On May 25th 2018 something big is happening which needs your attention. In what is the <a href="http://www.bbc.co.uk/news/technology-36037324">biggest shake-up to data protection legislation</a> in 20 years, the EU’s General Data Protection Regulation (GDPR) will come into force.</p>
<p>The aim of the GDPR is to strengthen data protection for EU citizens and residents, to give them greater control of their personal data, and to simplify the regulatory environment. The GDPR will also apply to countries outside the EU who have customers within the EU. And even though the UK is leaving the union, the <a href="http://www.computerweekly.com/news/450412141/UK-legislation-will-mirror-EUs-GDPR-says-Matt-Hancock">UK government has confirmed that the GDPR is here to</a><a href="http://www.computerweekly.com/news/450412141/UK-legislation-will-mirror-EUs-GDPR-says-Matt-Hancock"> stay</a>.</p>
<h3>The Cost of Getting it Wrong Will go up</h3>
<p>The GDPR will mean heavier fines for companies where a data breach occurs. The maximum fine currently for a breach is £500,000 ($625,000), but this will rise to the larger of up to £17 million ($21 million) or 4% of global annual turnover for the preceding financial year. <a href="https://www.lawyer-monthly.com/2016/10/fine-represents-highest-ever-for-data-protection-breaches-in-the-uk/">TalkTalk was fined £400,000 in 2016 </a>for failing to have appropriate technical and organisational measures in place to secure its customers’ personal data, and for keeping their personal data for longer than necessary. Under the GDPR this fine could have risen to £73.5 million.</p>
<p>The GDPR will require a solid understanding of current data protection rules. If you see yourself as a data processor (meaning you process personal data on behalf of a data controller) rather than a controller (meaning you determine the purposes for which and the manner in which any personal data is processed) then GDPR is still relevant because data controllers will be coming to you to make sure you are ready. In the UK some data processors are already being asked for<a href="http://privacylawblog.fieldfisher.com/2017/managing-unlimited-demands-for-unlimited-liability-in-gdpr-contracts/"> unlimited liability in their contracts</a>.</p>
<h3>Why Product Needs to Care</h3>
<p>Why am I writing about this for the Mind the Product blog? The GDPR introduces the statutory position of Data Protection Officer (DPO), with the task of ensuring that a business complies with GDPR. As the newly crowned DPO at my company I believe a product person is the best placed to help a business implement a strong data protection policy in readiness for GDPR next year: after all, a product person should have an overview of the business and know where data is used.</p>
<p>Set out below are the lessons I’ve learned as our DPO, and some of the steps we’ve taken to get ready for the new regulations.</p>
<h3>Do you Need a Data Protection Officer?</h3>
<p>If your organisation is a public authority, or you deal with special categories of data like criminal convictions, or you carry out large-scale monitoring of data, then you will need a DPO. There are other recommendations which are relevant for startups and tech companies; if you process a large amount of personal data, for example more than 5,000 personal data records in a 12-month period, then I think you should have a DPO. I imagine many of you get more than 5,000 people signing up and using your service each year.</p>
<h3>How Will GDPR Affect Your Customers?</h3>
<p>The GDPR strengthens the rights of your customers in a number of ways, including:</p>
<ul>
<li>The right to object. A customer can object if their details are being used for direct marketing, or if they have legitimate grounds to object on how their data is being processed.</li>
<li>The right of access. A customer can request access to their data. You need to know where the data you took came from, to whom it might be disclosed, and be able to tell the customer about any logic involved in any automated decision. You must reply to a request for data within one month, and a customer can also authorise a third party to get the data. A useful <a href="https://ico.org.uk/media/for-organisations/access-aware/2435/access-aware-toolkit-health.pdf">toolkit for subject access is here</a>.</li>
<li>The right to be forgotten. If the processing of the customer is not in compliance with the GDPR the customer can ask for their data to be erased.</li>
<li>The right not to be subjected to purely automated processes. For example if a customer is refused insurance by an automated system they can call and ask for a manual review.</li>
</ul>
<p>Clearly if your current IT processes don’t allow for the above you’ll need to do some work to prepare for this. Likewise your privacy policies and data protection policies may need to be reviewed.</p>
<h3>What Does a Data Protection Officer do?</h3>
<p>According to <a href="http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pdf">Article 39 of the GDPR</a>, a DPO should:</p>
<ul>
<li>Inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws</li>
<li>Monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits</li>
<li>Be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc)</li>
</ul>
<p>A DPO must be allowed to operate independently and report to the board. For example, if the DPO finds that the VP of marketing needs to remove data from their machine they should be able ask them to do this &#8211; and if they don’t, be able to report them to the board without fear of reprisal.</p>
<p>They should also be given adequate time and resources to do their job &#8211; this may mean extra training, time with the tech team to enforce secure passwords on key systems, and so on. An existing employee can serve as the DPO, or you are also allowed to get an external consultant in to cover this role. There are some restrictions if an internal employee is your DPO &#8211; they can’t, for example, be a head of HR, head of IT or a member of the senior leadership team. The DPO should have a good professional experience of, and knowledge of, data protection law.</p>
<p>If you don’t appoint a DPO where one is required, the fine can be as high as €10,000,000 or 2% of your company’s worldwide turnover, depending on which is higher.</p>
<p>A product person should already have a good knowledge of data protection. They will have worked with everyone in the organisation &#8211; the finance teams, customer support, marketing, tech, and growth. They will know where the data in their company lives and how it moves around. They are also likely best placed to write the data protection policies and risk assessments needed to show that the company is paying attention to GDPR requirements.</p>
<h3>Do you need a Data Protection Impact Assessment?</h3>
<p>A data protection impact assessment (DPIA) &#8211; also known as a privacy impact assessment or PIA &#8211; is a risk assessment when you propose to process personal data. Its aim is to help an organisation identify the most effective way of complying with data protection obligations and meet individuals’ expectations of privacy.</p>
<p>A DPIA can be used in a variety of situations. Those which I think are particularly relevant to product management include:</p>
<ul>
<li>A new database system for storing and accessing personal data</li>
<li>A project where two or more organisations look to pool or link sets of personal data</li>
<li>A proposal to identify people in a particular group or demographic and initiate a course of action</li>
<li>Using existing data for a new and unexpected or more intrusive process</li>
<li>A new surveillance system or the application of new technology to an existing system (like adding automatic number plate recognition to an existing CCTV system)</li>
<li>A new database which consolidates information held by separate parts of an organisation</li>
</ul>
<p>As I understand it, the requirement for a DPIA under the new legislation is still under discussion, though I imagine what will transpire is that any organisation dealing with “sensitive” data will need to <a href="https://www.taylorwessing.com/globaldatahub/article-exploring-data-protection-impact-assessments.html">show evidence of a DPIA</a>. By sensitive data I mean a data set containing health information, disability, ethnicity, sexual orientation, political or religious affiliations or criminal records.</p>
<p>That said, even if you aren’t processing this kind of data, I think it’s still worth carrying out a DPIA. It can only help your company to handle data more securely and give your customers faith in your ability to look after their data.</p>
<p>Based on my experience, if you’re a data controller then I think you should start working with your data processors now to make sure they comply with the GDPR and include their responses in your DPIA.</p>
<p>I’ve already started this process and it’s a little scary how some of the data processors we use did not understand their responsibilities, and we will stop using them if they can’t show they comply with the GDPR in time. You may need to start entering into data processing agreements (DPA) with your data processors, especially if you process data in the EU which then leaves the EU, Amazon for example offers a <a href="https://aws.amazon.com/blogs/security/aws-and-the-general-data-protection-regulation/">DPA to AWS customers</a>.</p>
<p>You should include in the DPIA:</p>
<ul>
<li>The respective responsibilities of the data controller and the data processors you use</li>
<li>The purpose and means of the processing (i.e. I’m capturing address details to fulfill product delivery)</li>
<li>Flows on how user information is used (i.e. how personal information will be obtained, used, and retained)</li>
<li>The measures and safeguards you have put in place to protect the data</li>
<li>Details of your Privacy Impact Assessment (the ICO has great <a href="https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf">guidance on PIAs here</a>)</li>
<li>The contact details of the DPO</li>
</ul>
<h3>Responding to a Breach</h3>
<p>There is an excellent article on the <a href="https://www.taylorwessing.com/globaldatahub/article-data-security-and-breach-reporting-under-the-gdpr-and-nisd.html">Taylor Wessing blog</a> which gives a full rundown of your responsibilities under the GDPR when responding to a breach.</p>
<p>As per data protection best practices you should be prepared for a breach with a recovery plan, a strategy for how to reassess risks associated with the breach. If the worst happens and you have a breach, you should perform a review of your response and update your security policies accordingly. The GDPR doesn’t require a full report about a breach from the outset, but I would recommend that you prepare the potential scope and the cause of the breach, mitigation actions you plan to take, and how you plan to address the problem.</p>
<h3>Opt-ins and Consent</h3>
<p>Some opt-in boxes are banned with GDPR, so you couldn’t have a form which says “by clicking the purchase button you agree to be sent marketing information”, you would always need to provide a tick box. Consent must be freely given with a clear affirmative action used. Consent must always be specific, informed and unambiguous. You need to keep good records of when and where people gave consent. People must always be able to withdraw consent, and be given the ability to withdraw easily. The ICO has an <a href="https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf">in-depth article</a> on how to get consent, along with a useful checklist at the end. Since publication Rob Pomeroy has added some excellent advice on opt-in consent in the comments section below.</p>
<h3>Next Steps</h3>
<p>If you’re still not sure if you need a data protection officer or if you need to carry out a data protection impact assessment then the ICO has a good article with 12 initial steps you can take to <a href="https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf">get ready for GDPR</a>. However if you’re still reading this article I’d hazard a guess that you are already dealing with sensitive customer data across multiple territories. I would recommend you do the following:</p>
<ol>
<li>Choose a data protection officer. This can be an existing employee, or you can hire an external consultant. If you choose an employee you are legally obliged to give them support, training and resources, and you should give them time to do their job. It’s taken me a couple of weeks to do the data protection and get my head round all the policies and procedures, plus I’ve set a morning each week aside to make sure any issues raised in my risk assessments are addressed</li>
<li>Start thinking about how you ask for consent, stay away from pre-ticked boxes or opt-out form fields</li>
<li>Carry out a Data Protection Impact Assessment &#8211; mainly to make sure that any data processors you use are also GDPR ready</li>
<li>Following data protection best practice I would review all your company’s policies and risk assessments and make sure they are up to date &#8211; I would make sure they are all collated in once central place that all staff have access to. The GDPR requires evidence of this</li>
</ol>
<p>&nbsp;</p>
<p>Well done for getting this far, hopefully my experience has proved useful. If there is appetite I’ll add some sample policies and risk registers to the Mind the Product Slack channels.</p>
<div class="g g-21"><div class="g-single a-170"><a class="gofollow" data-track="MTcwLDIxLDEsNjA=" href="https://www.pendo.io/pendomonium/"><img decoding="async" src="https://www.mindtheproduct.com/wp-content/uploads/2024/06/MTP-Footer_ad.png" /></a></div></div>

core/freeform

Common transformation pitfalls by Marty Cagan

Using principles to make better decisions faster by Martin Eriksson

How to build for creators by Peter Yang

How to navigate tricky work relationships

Organizing around complex products at the intersection of physical and digital by Matthew Cornford

GDPR: Who Should be Your Data Protection Officer?

Owen Wallis

Comments

Read next