Implementing GDPR — a Product Manager’s Perspective
Originally published on the Freshdesk (by Freshworks) blog.
The General Data Protection Regulation (GDPR) got enforced yesterday. And companies across the globe have spent a lot of time and effort over the last few months interpreting privacy policies and legal documents, assessing product, processes and marketing strategies, and reviewing vendor relationships to make their products and businesses complaint to the new regulation.
While it puts a lot of pressure on businesses, GDPR is not the monster it is touted to be. People have been increasingly spending a lot of time online — communicating with friends and family, shopping, reading, even handling their finances. This has allowed apps and websites to capture customer behavior and enabled businesses to provide personalized experiences to their customers. Enforcement of GDPR has given EU citizens more control over this information. GDPR states (and repeats multiple times!) that this information belongs to your customers. They own it and they have the right to decide who consumes it and how. On the other hand, it helps businesses be customer-centric and build trust.
‘Privacy by design’ is not a catch-phrase, it needs to be the MO.
With a product like Freshdesk that is shipped out to over 150,000 businesses, who in turn use it to support their customers, the pressure is only doubled. As a product manager, when I started looking at GDPR compliance for Freshdesk, I’ll admit I was a little lost. There was a lot left to interpretation and it was hard to determine where to begin. Unlike a regular feature that we build, there were no customers on the other side providing use-cases or validating what we were doing. Deadlines were non-negotiable. Almost every meeting I attended left me drenched in cold sweat. However, with time and (a lot of) persistence, clarity set in.
Here’s everything I’ve learned in the process of making Freshdesk (by Freshworks) GDPR compliant. I hope these notes will come in handy when you have to implement such legislations in your product in the future.
#1 Read and Research About GDPR Like There’s No Tomorrow
As a product manager, you know your product best. This also makes you the best person to translate the GDPR requirements into new enhancements that should be built or mapped to features within the product.
With something as big a regulation as GDPR, I’d recommend that you start by reading and researching about it. It helps to acquaint yourself with the law. I first read the summarised versions written by industry experts before I dove into the legislation itself. This provided context and a basic understanding of what GDPR meant — something that I could work with and then I went on to the read the more comprehensive version of it. You must do both — start with a simple version to get an overview and then move to the publicly accessible formal version. That would be your source of truth.
You are also going to be the front for all kinds of questions — product, architecture, the new regulation itself. This indepth research helps answer the relentless stream of questions coming your way from different sources both inside and outside the organization (your customers).
#2 Familiarize Yourself with the Product’s Architecture
If you have not already done this, use this opportunity to understand the company’s technology stack. Find out all about the product’s architectural layout, what frameworks are in place, and what components of the system have access to customer data.
If you are a product manager like me, here are some of the key questions this exercise would help you answer —
- Where is my customers’ data stored?
- What is the purpose of storing the data? Do we need the data we store?
- Is my product storing personally identifiable data like social security number?
- What kind of third-party apps are integrated with my product? How are they using my customers’ data?
- What are the implications if the data is deleted from my product?
- Do we have all the functionalities we needed in the product to help our customers respond to data requests?
- Are external sub-processors that we use GDPR compliant?
- Were we sending any personal or sensitive data to external sub-processors?
- How often were we taking data back-ups and when were we purging them?
- Were there sufficient security systems built for data in rest, and in transit?
#3 Think About How GDPR Affects Your Customers
With all this information at hand, you may be ready to write user stories and start implementing solutions. But before that, spare a thought for your customers.
With B2B SaaS, it was important to realize early on that not only does your product have to be compliant, but you have to enable your businesses who use your software to also be complaint. This subtle difference changes how you approach enhancements to the product and what you make available to your customers. For instance, if you are a B2C business, you can run a script in the background to remove data when a customer requests for it. But with a B2B business, it was crucial that businesses who used our products had the affordance to delete their users’ data on our systems.
Freshdesk being a B2B SaaS product, a big part of our effort has been to develop tools and guidelines for our customers to be compliant. If you are like us in the B2B SaaS industry, it is essential that you enable customers using your software to be GDPR compliant as well.
#4 Work Closely with Your Legal Team.
Your organization’s legal team is your best buddy as you embark on this cryptic journey. They are the ones who are most familiar with the legal implications of GDPR. It is necessary that you work with them closely to understand relevant legal terms so that you can explain them to your team. You also need to team up with them to log why you took certain calls related to data within the product.
At the same time, you’ll also have to outline product and technical details for them as you together make some tough decisions. It’d be great if you have someone on the legal team who fully understand the goals and outcomes of this compliance and who also has experience handling projects this big.
Back in Freshworks, to make ensure that we are fully familiar with this international regulation, our legal team visited Netherlands to be thoroughly trained on everything that is GDPR. Once back, they were able to handhold different internal teams and answer any questions that we had. This helped us to better understand GDPR and how we can go about making the necessary changes to make Freshdesk and the rest of Freshworks’ products GDPR complaint.
#5 Document Everything.
Leave behind a paper trail. It’s going to be a long and arduous journey with changes along the way. Make sure you chronicle steps, progress, and decisions. This is good practice in general for any project, but absolutely vital when reasons are regulatory.
At Freshdesk, we used JIRA and Google Sheets to manage the project. We created a master plan on Google Sheets that provided a high-level overview across different verticals. This helped us with keeping a track of action items lined up for the marketing, finance, support, IT and security teams. These were then back-linked to detailed stories on JIRA for the engineering teams.
Automatic versioning and easy accountability were big factors in determining what tools we chose.
#6 Keep an Eye on Competitors and Industry Experts.
It always helps to know what the industry is doing, so sign-up for newsletters and blog posts. Follow their support forums, read their support articles and help documentations, listen to their talks and PR announcements, and keep an eye out for their updated terms and privacy documents.
Plenty of industry leaders, like Microsoft, also start conducting GDPR webinars early on. Attending these not only helps understand how they are tackling the regulation, but listening to attendees’ questions gives a fair idea of what the market is expecting. Both are crucial, and is the best validation you can get.
#7 Start Implementing GDPR Early.
Give yourself enough time for last-minute changes and any edge-cases that arise during testing or reflection. If you have a team who has understood the significance of the regulation, it is easier to make decisions and quicker to get them implemented. Or to course-correct.
Before the D-day, do end-to-end test runs to ensure the process does not break at any point. During one such test run, we found that while we had the APIs to fetch all data belonging to a customer, we could not fetch their forum contributions, which can also be deemed as data they own. We had enough time though, to fix, test and deploy our changes. We have one week release cycles, which allows this agility. You need to be even more careful if you have longer release cycles.
It is also important to start early if you’re a B2B company, because your customers have to be compliant on the date the regulation gets enforced. This means questions will start to pour in much earlier, and you need to give customers sufficient time to trial what you’ve built for them.
#8 Remember, There is More.
We did not look at May 25 as a deadline. This is a continued initiative, and the focus on privacy needs to be deeply ingrained in your company as you build more features or expand your suite of products. It is easy to slip back into old habits. If you do not have sufficient processes in place to recognize data breaches, start setting them up now. Make sure you have a regulation champion (or be one), who builds a checklist for all teams — marketing, product, engineering, support, to refer to. Perform regular audits to ensure no data breaches have occurred.
Also, over time, our collective understanding of GDPR will evolve. Continue to be cognizant of what you may have missed, and keep adapting.
Looking Ahead
Like I said earlier, compliance to a new regulation is difficult. But it isn’t something that you can brush past. At the start of it, there were many challenges because the legislation was new. But it can be done right if you have the clarity and the right set of people to help you with the task. Though there may be many speculations on how to interpret this regulation, you will gradually get a hold of it.
I believe that GDPR is paving the way for a safer online environment; it is the flag-bearer for good things to come. They say it takes a village, and it did. But that’s a small price to pay.
