WATCH THE FULL WEBINAR HERE: https://www.revulytics.com/gdpr-readiness-for-software-usage-analytics Learn what you need to know to prepare for May 2018. There have always been conflicts between a person’s right to privacy and an organization’s right to collect personal information for the protection and improvement of their intellectual property. But an organization can achieve balance by considering the laws and regulations in place within the jurisdictions where the organization’s products may be used. With increased interest and concerns around the impact of the General Data Protection Regulation (GDPR), Revulytics invites you to join a presentation from Privacy Ref that will provide an overview of the latest changes to the European privacy environment to educate you on the applicability of GDPR to the use of software usage and compliance analytics. The webinar provides insight into the EU privacy environment and shows how the Revulytics platform can be implemented in a manner that is GDPR compliant. In this webinar you will learn: * Concepts, principles, and definitions underlying GDPR * How GDPR applies to software producers deploying software analytics solutions * How the roles of Data Controllers and Data Processors apply * What approaches may be used to lawfully process personal information under GDPR

1. GDPR Readiness for Software Usage Analytics
November 7, 2017
Vic DeMarines
VP, Products & Strategy
Revulytics
Bob Siegel
President
Privacy Ref

2. Topics
• What is Software Usage Analytics?
• What is GDPR?
• Privacy Concepts, Personal Information Defined
• Data Controllers and Processors
• GDPR and Protecting and Improving Your Software
• How Revulytics Customers are Addressing These Issues
2

3. About Revulytics
Compliance Analytics
• Identify and quantify
software use and misuse
• Create actionable
intelligence
• Turn intelligence into direct
revenue
Usage Analytics
• Anonymous feature tracking
and analysis of product
usage
• Increase customer
acquisition and retention
• Generate revenue with better
products
3
• Recognized as 2017 Gartner Cool Vendor
• More than 100 customers including Fortune 500 companies
• Technology deployed to over 50M machines in more than 200 countries
• Our data has supported more than $1.8 billion in new license revenue since 2010

4. Software Usage Intelligence Solution Architecture
4
Cloud Service
Usage Intelligence
Reporting Dashboard
Data
Analytics
Engine
Integrated
Applications
Configured to focus
on feature adoption
ReachOut
In Application messaging

5. Compliance Intelligence Solution Architecture
5
Cloud Service
Compliance Dashboard
on Force.com
Integrated
Applications
Configured to
identify
organizations and
true location Gateway
Servers
Revulytics Data
Optimizer and Analysts
Revulytics Recovery
Services

6. What is GDPR?
• General Data Privacy Regulation
– Replaces the EU Privacy Directive (Directive 95/46/EC)
– A pan-EU law
– Becomes effective on May 25, 2018
• Five Principles
– Lawfulness, fairness, and transparency
– Purpose limitation
– Data minimization and proportionality
– Storage limitation
– Accountability
• Privacy Shield
6

7. Privacy Concepts, Personal Information Defined
• Data subject
• Legal basis for processing
• Data transfer
7
Personal Information…
any information related to an identified or identifiable data subject
• Privacy Policy
• Privacy Notice
Other Key Concepts
• Name
• Age/Birthdate
• Gender
• Employer
• User-id
• Email address
• User name
• Machine name
• IP Address
Revulytics
Applicable

8. Is IP Address Personal Information
• Court of Justice of the European Union opinion
– Breyer v Bundesrepublik Deutschland, Case C-582/14, 12 May 2016
– IP address combined with ISP records would constitute personal data in
the hands of the website provider
• Broader applicability: even if you’re not an ISP, it may be applicable
– “could keep [the IP address] indefinitely and could request at any time
from the Internet access service provider additional data to combine with
the IP address in order identify the user”
• Revulytics customer impact
– Usage Intelligence: IP address only collected for location and is then
deleted from system
– Compliance Intelligence: A key piece of information to track compliance
8

9. Data Controllers and Processors
9
Data Protection Authority / Supervisory Authority
Data Subject
Data
Controller
Data
Processor
End-user
Your
Company
Revulytics

10. GDPR and Protecting and Improving Your Software
Lawfulness, fairness, and transparency
• Lawfully processing information
– Consent (Article 7)
– Legitimate interest of the controller or a third party
(Article 6)
• Fairness and transparency
– Include legal basis in your privacy notice
– State that it will be shared with a third party
(Revulytics)
– State that processing may occur in the United States
10

11. GDPR and Protecting and Improving Your Software
Other principles
• Purpose limitation
• Data minimization and proportionality
• Storage limitation
• Accountability
11

12. GDPR and Protecting and Improving Your Software
Best practices and Revulytics products
• Revulytics Compliance Intelligence
– Use legitimate interests as a legal basis
• Consent not required
– Be transparent in your privacy notice
– Define a reasonable retention period with Compliance Intelligence
12

13. GDPR and Protecting and Improving Your Software
Best practices and Revulytics products
• Revulytics Usage Intelligence
– Legitimate interests as a legal basis is an option
• Consent not required: use of data to improve products
– However, sensitivity of the environment may guide you towards consent
• Example: Microsoft and Windows 10
• Consent requirements
• Separate screen (not buried in a EULA)
• Mechanism to change preference (opt-in or opt-out) at a later time
– Collecting additional information
• Avoid or limit collecting personal information
• Usage Intelligence does not retain personal information by default
– Be transparent in your privacy notice
– Define a reasonable retention period with Usage Intelligence if collecting
personal information
13

14. GDPR and Protecting and Improving Your Software
Best practices and Revulytics products
• ReachOut functionality
– You may send messages and surveys to the end-users
• You have an existing business relationship
• Contents must be related to the software being used
– An opt-out mechanism must be supplied and respected
• Allow end users to opt-in at a later time as well
14

15. GDPR and Protecting and Improving Your Software
Best practices for your privacy notice
• Privacy notice requirements will vary based on
your software
• Be transparent about the information being
collected
• Link to the privacy notice where end users will
expect to find it
15

16. How Revulytics Customers Address These Issues
Data Needed for Compliance
16
Consumer piracy
Lower product ASP
Piracy Response
In-Application Messaging
Direct Compliance
Audit
Specialize software
Enterprise organizations
Higher product ASP
SMB
Compliance Approach
Data Collection Meter

17. How Revulytics Customers Address These Issues
• Wi-Fi SSID adds to the Domain Data and provides location intelligence
17

18. Best Practices
• Compliance Intelligence
– Transparency and Privacy Policy key
• Include extent of data collected, include description of data being collected
• Note sharing of data with third party for your compliance program
• 100% focused on compliance
– Have a FAQ or whitepaper available that positions the deployment
• Usage Intelligence
– Implement opt-out functionality within the application, available to the user post-
installation
– Product related in-application messaging
– Consider custom data being collected
• Best practices - not a legal opinion
– Include your usage and compliance data collection in your own GDPR
assessment
– Revulytics assessing its business and platform for GDPR compliance
18

19. Conclusion
• To view the full webinar recording and slides, check
out the link in the comments.
• Also , read the white paper, “Privacy, Piracy, and
Product Usage GDPR Readiness for Software
Usage Analytics”
19
Vic DeMarines
VP, Products & Strategy
Revulytics
vdemarines@revulytics.com
Bob Siegel
President
Privacy Ref
bob.siegel@privacyref.com