During my 20 years as a CIO I have been confronted with numerous Software License Audits, some more aggressive than others, but when it comes to transparency they were all equally mysterious about the (personal) data used during or in preparation of the audit. GDPR will change all this, and I would like to share my personal vision on this matter with you. Any comment is welcome.
I will not be discussing the specific audit activity of organisations like the BSA, but rather the License Audits that are provided for in license contracts with vendors like Oracle, SAP, Microsoft and many other software companies.
For those who are not that familiar with this type of activity: a Software License Audit clause is included in most License Agreements, and certainly in those of the major suppliers such as Oracle, SAP or Microsoft. The licensor has the right to audit the licensee to verify compliance with the license agreement, and as most licenses are ‘named user’ licenses, the audit is performed at user level and thus personal data is processed. (Remark: there are also server-based audits, database audits and some other types, but these are not the subject of this article.)
Software license audits are of course entirely legitimate in themselves and are a means by which the licensor is able to check whether the license agreements are respected. But it is clear that concluding an agreement still requires that it be executed within the boundaries of the law. In my honest opinion GDPR has changed the audit process; an opinion I will try to explain in the following paragraphs.
The impact of GDPR
When we talk about personal data processing, GDPR has quite some impact on this kind of processing: among many other things, information requirements and legal grounds have to be defined, and responsibilities have to be made clear and communicated. Today end-users/data subjects are not always aware that an audit is being conducted, nor of what personal data has been collected over time and will be used during the audit. They are not informed about how long the licensor will keep the data and what processing will be done with all that personal data after the audit has finished. In fact, the data collection might also be based on monitoring or logging activities that are not mentioned in privacy policies. Since the 25th of May 2018 this type of information has to be communicated to the data subjects (employees) of the controller (employer).
WP29, in its latest HR guidance, also clearly stipulates that all monitoring activities that are done or can/could be done need to be communicated to the employees (as defined by WP29), meaning that the licensor needs to be very transparent about which monitoring processes take place in the background and what the data will be used for. These monitoring activities are mostly unknown to the licensee/employer/controller, as most of them are specifically designed for the purpose of auditing. They could record: user ID, name, personal identifiers, time of use (start and end), what has been done (read, write, modify, delete), and many other activities we may not even know about. If the licensor does not (want to) disclose this detailed information, he will be in breach of the GDPR and should not be allowed to conduct the audit. As we all know, transparency is a very important principle within GDPR.
Both the licensor and the licensee are controllers, as both determine the purposes and means of their specific processing. You may all know the drill: the licensee receives a script (beforehand or on the day of the audit) that needs to be run on the systems of the licensee. The report is read, sent or handed to the licensor (or its mandated firm) and/or the data is imported into a licensor tool. The licensee doesn’t always have a real idea of what the script has been doing, where it gets its information from, or what it could be used for other than the license audit activity.
I would therefore certainly propose that a controller-to-controller contract addendum is defined, as both companies have responsibilities towards the data subject: information obligations, legal grounds, possible impact (if any), data subject rights, …
The minimum information requirement for the licensee is that he informs the data subjects that, by using the application, specific records are generated that will or may be used in software license audits by a third party. This third party may be the licensor or a mandated partner. You will need to inform the data subjects about some processing details, the retention periods of the records and other information as required by GDPR.
The licensor, being a controller itself, will also be required to inform the licensee (also a controller, as you know) about the details of the processing activities, so that the licensee can inform the data subjects/employees in a transparent way (as the licensor most probably won’t do it). This is of course a very important aspect, as in case the licensor doesn’t inform the licensee as required, the licensor might need to inform the data subjects himself about the personal data processing. One more reason to define a controller-to-controller agreement.
As you can imagine, the licensor may not be happy to reveal all of the details of the personal data processing for the purposes of the audit, and concluding a controller-to-controller agreement might not come easy, but as long as there is no agreement you should not be required to undergo the license audit. The license audit is defined and agreed upon in the existing License Agreement, but that does not overrule the GDPR. Even this type of agreed and approved activity can only be executed when aligned with the law.
In the end it will need to be executed, but only when all legal obligations are met: defining the responsibilities of each of the controllers, the information activities, the personal data processing activities, the monitoring activities, the retention time, the legal grounds and all of the other information as mentioned in the GDPR. As long as all of this is not clear, I would presume that the licensee has a legal ground not to approve execution of the software license audit.
Furthermore, if during the definition of the agreement the licensor informs the licensee about certain processing activities, or about personal data to be used, that the licensee considers not required for the purpose described, the licensee or the data subject should be able to object to the processing. The right to audit is defined in the license agreement, but this does not allow the licensor to do whatever it wants with data that
Conclusion (personal opinion)
The GDPR has a significant impact on Software License Audits (specifically on user license audits). The licensor will be required to be far more transparent about its data processing, and more communication to the data subject is required from both the licensor and the licensee, who are both controllers. This type of audit does not overrule the GDPR requirements; a controller-to-controller agreement may be necessary to frame the audit, and as long as that agreement is not concluded the licensee should not give a ‘Go’ for the execution of the audit.