Assessing And Planning For GDPR's Impact On Software Companies

A conversation with Brian Hyman, product manager, Helpshift

With 10 years of experience as a product management, analytics, and technology entrepreneur, Brian Hyman, product manager for Helpshift, focuses on both strategy and delivery of digital analytics, marketing technology solutions, and data products for Software, Internet, and SaaS companies. He also delivers practical advice for tailoring and implementing agile analytics into daily business operations.

Hyman took time recently to share with ISV Insights his take on The General Data Protection Regulation (GDPR), how GDPR is going to disrupt the industry, strategies for GDPR planning, and more.

Q: How long has Helpshift been preparing for GDPR and what advice do you have for other software companies trying to determine how long the process takes?

Hyman: Helpshift embraced GDPR in Q2 2016 and began laying the foundation for compliance in Q3 2016. Knowing our product and services would evolve significantly between then when the deadline rolls around this May, our Customer Success and Customer Support teams meticulously documented use cases and workflow paradigms which brands often structure around the Helpshift product portfolio.

In Q3 2017, Helpshift's Product and Design teams synthesized the feedback and set out to craft self-serve and programmatic redaction functionality which will be presented in a well-designed User Interface.

The process and path to GDPR compliance will vary between software companies and largely depend on the complexity of a company’s infrastructure, the philosophy/form/evolution of the codebase architecture, as well as raw creative energy. For many companies, this may be the most pressing and important refactoring work their teams and products have ever undergone.

Advice for companies trying to determine how long the process takes: It takes a very long time and great deal of legal assistance to figure out all the touchpoints under this regulation. If you do not have an in-house legal team, you should partner with one ASAP. Do take into account that, if you are partnering with a firm, it will also take them time to understand the details of your software to suggest the right plan of action. The financial recourse for GDPR penalties is extremely severe, so do not shy away from giving more details than required to your legal advisor about how your software functions, captures data, and renders that data to users.

Q: What policies has Helpshift had to implement and what have you had to change in order to become compliant?

Hyman: We have developed various policies and procedures along the two-year path toward GDPR compliance, of which some are companywide and others are department/client/feature specific. Most notably, we formed a Compliance Committee to spearhead and embody the authoritative positions on GDPR and related compliance matters.

From Helpshift’s leadership perspective, the more notable policies pertain to our amended DPAs and the inclusion of DPIAs — or Data Protection Impact Assessment (as per article 35 of GDPR) — in addition to formally committing to a “Privacy by Design” and “Privacy by Default” approach for our software:

• Privacy by design is a broad principle which requires data controllers to embed privacy considerations and safeguards into the process of designing or developing new products or services. This usually means ensuring Helpshift consults with privacy lawyers when designing or building new products to ensure they are designed in such a way as to protect an end-user's privacy in accordance with privacy laws.
• Privacy by default is a principle stating only the personal data that is “necessary” for the purposes of a product or service should be collected and processed. Extraneous data is not to be collected. Also, the principle states personal data about an individual will not be made available to the general public automatically, without first allowing the individual some agency.

Q: Were there any particular resources you found particularly helpful in forming your game plan?

Hyman: Helpshift took a three pronged approach toward developing the company’s strategy:

1. Retain the preeminent global data privacy and GDPR legal firm — Fieldfisher.
2. Informally connected and soundboarded with other software companies, executives, product leaders, engineers, designers, and attorneys throughout the San Francisco Bay Area and Pune, India.
3. Regularly reference the GDPR Portal.

Q: What else did you consider while formulating your GDPR strategy that other software companies could learn from?

Hyman: As a company and thought leader, we had to shift our mindset with regards to data. Historically, Helpshift embodied the perspective that data is a commodity and the more we have the better, period. Our distributed systems log over 15,000 lines of output every second, coupled with real-time event stream processing for analytics dispersed across multiple datastores posed serious optimization challenges while formulating our GDPR strategies. In the process of becoming GDPR compliant, we now have to consider the increased liability this commodity entails and exercise elegance and prudence while solutioning independent and dependent features.

Q: What is the most frustrating aspect from your point of view as a leader of a software company as it relates to GDPR?

Hyman: Initially equipped with only a list of guidelines which were open to interpretation, we blazed into the unknown; it was frustrating to figure out the nitty gritties of GDPR. Defining the requirements and connecting the dots laid out by the legislation took an immense effort and we rallied input from over a third of the company’s workforce, only then did we loop in our legal partners to begin their evaluation.

On a more intimate note, the most frustrating aspects of GDPR for Helpshift are the costs associated with data redaction and data portability from both a financial and performance perspective. The GDPR requirements have impacted various cloud optimization processes we have orchestrated to work in concert across a very large and distributed technology stack. These optimization interruptions, at scale, come at a fiscal and computational cost which is not insignificant for the business.

To add context, Helpshift provides brands the ability to capture, customize, and ingest mobile data at very granular levels across approximately 2 billion end-user devices at any given time, wherein our systems are banking petabytes of data daily.

Q: What is your strategy for communicating to customers the steps your company is taking to comply with GPDR?

Hyman: Helpshift is taking a comprehensive approach toward GDPR communication with customers by providing personal conversations with customers, issuing press releases, drafting FAQs, hosting webinars, and sending out email communications with updates.

Q: Have you come across any misconceptions related to GDPR that you’d like to clear up?

Hyman: With poise and grace we have set out to clear up a handful of misconceptions from clients relating to GDPR. A couple of misconceptions that were shared with us pertained to “proactive” and “automated” strategies toward exercising data redactions. A few of the strategies shared would decrease a company’s risk for a specific article in the GDPR while concurrently violating end-user rights as per other articles. As such, the product, engineering, and design teams devised safeguards to insulate customers from potentially risky redaction processes.