Here is a quick study on GDPR from a Product Manager's perspective and an example backlog for starters.
As most of you would be aware, GDPR replaces the Data Protection Directive of 1995 for the EU. In general, there are six data protection principles set out in the GDPR that each processing activity must comply with. It is bound to change the way we capture, use and store data across the world.
Note: This is written from a product perspective only and is not legal advice.
2. AGENDA
› IMPACT OF GDPR ON BUSINESSES
› GDPR SDLC
› PRODUCT MANAGER’S STRATEGY FOR GDPR
› KEY PRODUCT FEATURES FOR GDPR
› EXAMPLE GDPR PRODUCT BACKLOG
Ankita Kapoor
3. IMPACT OF GDPR ON BUSINESSES
GDPR Compliance – Benefits
› No additional spending on Customer Acquisition Cost (CAC) and Customer Retention Cost (CRC)
› Competitive edge over businesses that aren’t compliant or aren’t marketing their compliance enough
› Expansion of the customer base around the world because of additional trust
› Availability of consented and dependable customer data
› Intelligent digital marketing campaigns and hyper-personalization
GDPR Non-compliance – Loss
› Loss of EU customer base worldwide
› Loss of revenue and profits from the EU region
› Fines of up to 4% of annual global turnover, or 20 million EURO
4. GDPR SDLC
› Privacy by Design and Default
› Threat Modelling
› Secure Development Lifecycle
› Dynamic Testing
› Penetration Testing
› Configuration Guidelines
SDLC phases covered: Design, Development, Testing, Release
5. PRODUCT MANAGER’S STRATEGY FOR GDPR
› Interface with the Legal team and DPO
› Fresh look at Customer and Customer Data
› Understanding what data 3rd Party Service Providers/Vendors have
› GDPR Compliant Product Backlog
› GDPR focused Non-functional Documentation
› Configuration Guidelines for every Release / Production
› Testing is the key!
6. MAIN PRODUCT FEATURES FOR GDPR
› Right to data portability – Import/export
› Right to access and accuracy
› Erasure (right to be forgotten)
› Redefine customer data mapping
› Vendor onboarding and compliance
› Right to restrict processing
› Security and encryption
› Consent management platform
7. EXAMPLE GDPR PRODUCT BACKLOG
Epic 1: Redefine customer data mapping
› Create new database system for storing and accessing data
› Interface for internal users to interact with data and retrieve it
Epic 2: Right to access and accuracy
› Interface for customers to view data
› Interface for customers to request rectification
Epic 3: Right to data portability – Import customer data
› Create central repository to host data from different data storage locations
› Define mapping, file extensions, sources
› Interface for internal users to view and process data
Epic 4: Right to data portability – Export customer data
› Convert imported data into a human readable format
› Define file structure and extension
› Interface for internal users to process the request
› Interface for customers to request data
8. EXAMPLE GDPR PRODUCT BACKLOG (CONTD…)
Epic 5: Erasure (right to be forgotten)
› Impact on internal applications and customer facing applications
› Impact on backend/database
› Auto-delete once data is no longer required
› Exempted data – what cannot be deleted (UI and DB handling)
Epic 6: Right to restrict processing
› Add ‘data private’ option – impact of blocking and suppressing data
Epic 7: Consent management platform
› Robust cookie policy – detailed consent form for customers
› Add ‘opt-in’ option
› Update agreement policies in all applications
Epic 8: Vendor onboarding and compliance
› Checklist of compliance and necessary certificates
› Awareness program, DIY tutorial videos and support team
› Interface for processing customer requests (to view, edit, delete or port customer data)
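The export, erasure, auto-delete and ‘data private’ stories above all end up as a handful of operations on the same customer record. The following is an added example, not code from the original slides: a small in-memory store that handles a data-subject request for export (human-readable JSON), erasure that keeps only exempted record kinds, automatic deletion once a retention date has passed, the ‘data private’ flag that suppresses a customer from processing jobs, and an append-only change log of every action. The record kinds (`purchase`, `invoice`, `support_ticket`), the `retain_until` field, the exemption set and the sample customers are all constructed for the example.

```python
"""Backend side of the export, erasure and restrict-processing epics.

Added example, not code from the original slides. Every record kind, field
name and customer below is constructed; ERASURE_EXEMPT_KINDS is an assumption
standing in for whatever the legal team says must be retained.
"""
import json
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

# Assumption: record kinds the organisation must keep for legal reasons
# (e.g. invoices) and which are therefore exempt from an erasure request.
ERASURE_EXEMPT_KINDS = {"invoice"}


@dataclass
class Customer:
    customer_id: str
    profile: Dict[str, str]
    records: List[Dict[str, str]]          # each record has a "kind" key
    processing_restricted: bool = False    # the 'data private' option
    erased: bool = False                   # erased but exempt data retained


@dataclass
class CustomerStore:
    customers: Dict[str, Customer] = field(default_factory=dict)
    audit_log: List[Dict[str, str]] = field(default_factory=list)

    def _audit(self, customer_id: str, action: str, detail: str) -> None:
        # Append-only change log: ids, actions and counts only, never the
        # personal data itself, so the log can outlive an erased customer.
        self.audit_log.append({"customer_id": customer_id, "action": action, "detail": detail})

    def export(self, customer_id: str) -> str:
        """Right to data portability: a human-readable JSON document."""
        c = self.customers[customer_id]
        payload = {"customer_id": c.customer_id, "profile": c.profile,
                   "records": c.records, "processing_restricted": c.processing_restricted}
        self._audit(customer_id, "export", f"records={len(c.records)}")
        return json.dumps(payload, indent=2, sort_keys=True)

    def restrict_processing(self, customer_id: str) -> None:
        """Right to restrict processing: data is kept but suppressed from use."""
        self.customers[customer_id].processing_restricted = True
        self._audit(customer_id, "restrict", "processing_restricted=True")

    def for_processing(self) -> List[str]:
        """Customer ids a processing job (e.g. a campaign) is allowed to use."""
        return sorted(cid for cid, c in self.customers.items()
                      if not c.processing_restricted and not c.erased)

    def erase(self, customer_id: str) -> Dict[str, int]:
        """Right to be forgotten: drop everything except exempted record kinds."""
        c = self.customers[customer_id]
        kept = [r for r in c.records if r.get("kind") in ERASURE_EXEMPT_KINDS]
        deleted = len(c.records) - len(kept)
        if kept:
            # Retained records are reduced to the fields the exemption needs.
            c.profile = {}
            c.records = [{"kind": r["kind"], "ref": r.get("ref", "")} for r in kept]
            c.erased = True
        else:
            del self.customers[customer_id]   # nothing exempt: remove the row
        self._audit(customer_id, "erase", f"deleted={deleted} retained={len(kept)}")
        return {"deleted": deleted, "retained": len(kept)}

    def purge_expired(self, today_iso: str) -> int:
        """Auto-delete records whose optional 'retain_until' date has passed."""
        today = date.fromisoformat(today_iso)
        removed = 0
        for cid, c in self.customers.items():
            keep = [r for r in c.records
                    if "retain_until" not in r or date.fromisoformat(r["retain_until"]) >= today]
            expired = len(c.records) - len(keep)
            if expired:
                removed += expired
                self._audit(cid, "purge", f"expired={expired}")
                c.records = keep
        return removed


def build_sample_store() -> CustomerStore:
    """Constructed sample data for the example (not real customers)."""
    store = CustomerStore()
    store.customers["c-alice"] = Customer(
        "c-alice", {"name": "Alice Example", "email": "alice@example.com"},
        [{"kind": "purchase", "ref": "ORD-1", "retain_until": "2020-01-01"},
         {"kind": "invoice", "ref": "INV-1"},
         {"kind": "support_ticket", "ref": "TCK-7"}])
    store.customers["c-bob"] = Customer(
        "c-bob", {"name": "Bob Example", "email": "bob@example.com"},
        [{"kind": "purchase", "ref": "ORD-2"}])
    return store
```

Two design points matter for the backlog stories: `erase` removes the whole row only when nothing is exempt, otherwise it strips the profile and reduces the retained records to the minimum the exemption needs, and the change log records counts and ids rather than the data itself so the audit trail does not itself become a copy of what was supposed to be deleted.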
9. EXAMPLE GDPR PRODUCT BACKLOG (CONTD…)
Epic 9: Workspace setting center
› Interface for team collaboration and administrator
› Data consolidation from different departments
Epic 10: Register of data processing activities
› Audit trails and change logs to be maintained – DB and UI
Epic 11: Login and password policies
› Revisit login and password policies
› Evaluate different options like cryptographic hash functions etc.
Epic 12: Security and encryption
› Revisit data security and encryption layer throughout the application
Epic 13: Marketing GDPR
› Mention GDPR compliance in all possible places in the application
Epic 14: Technical Debt
› Assessment and scoping for the same
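For the login and password policies epic, the concrete outcome of “evaluate cryptographic hash functions” is a stored password format that is salted, slow to compute and upgradeable. The following is an added example, not code from the original slides: it uses PBKDF2-HMAC-SHA256 from the Python standard library, compares hashes in constant time, and flags stored hashes whose iteration count has fallen below the current policy so they can be rehashed at the user’s next successful login. The iteration count, salt and key sizes and the `pbkdf2_sha256$…` storage format are assumptions chosen for the example.

```python
"""Password storage for the 'login and password policies' epic.

Added example, not code from the original slides. The policy constants and
the self-describing storage string are assumptions for the example.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumption: current policy; raise as hardware improves
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return 'algorithm$iterations$salt$hash' (salt and hash base64-encoded).

    Storing the parameters beside the hash is what makes a later policy
    change possible without invalidating every existing account.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=KEY_BYTES)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def _parse(stored: str) -> Tuple[int, bytes, bytes]:
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    iterations, salt, expected = _parse(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    # hmac.compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when the stored hash is weaker than the current policy."""
    iterations, _, _ = _parse(stored)
    return iterations < ITERATIONS
```

The usual login flow is: call `verify_password`; on success, if `needs_rehash` returns true, call `hash_password` with the plaintext the user just supplied and overwrite the stored value. That is the only moment the plaintext is available, which is why the upgrade is tied to login rather than run as a batch job.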