GDPR Compliance for App Developers
It’s no secret that we live in an era both defined and driven by big data.
With the rapid evolution of smart devices, the Internet of Things, and AI-infused technologies, businesses are increasingly relying on actionable intelligence to better meet the needs of consumers. And yet, with data breaches and scandals having become something of a digital-age norm (e.g., Facebook, Equifax, Adult Friend Finder), consumers and lawmakers alike are raising important questions regarding confidentiality, transparency, and consumer privacy. This heightened focus on the data rights of consumers and app users recently peaked with the passing of the May 25, 2018 implementation deadline for the EU’s General Data Protection Regulation (or GDPR).
Although primarily concerned with businesses operating within the European Union and post-Brexit UK, the GDPR has the potential to mark a significant shift in data privacy regulation for U.S.-based app developers with EU consumers. As many mobile app developers (and businesses generally) continue to remain both perplexed and non-compliant with the 11-chapter, 99-article GDPR, this post will provide a brief overview of what the GDPR is, and how U.S. businesses and app developers can get on the path to compliance.
Let’s take a look.
What is the GDPR?
As a replacement for the EU’s 1995 Data Protection Directive, the GDPR was first envisioned in January 2012 by the European Commission as a robust legal framework for data protection reform across the EU. Agreed to in December 2015, businesses were given two years to update their practices and policies to ensure compliance with the new regulation. The GDPR applies to all organizations and companies (regardless of geographic location) that are storing and processing the personal data of EU residents. Some of the GDPR’s key provisions include:
The Right to be Forgotten: Under the GDPR, EU citizens have the right to request the deletion of their data from data controllers should 1) it become irrelevant, or 2) consent to process the data be withdrawn. While this right is not absolute, it is a radical departure from the prevailing data storage norms in the United States, and could potentially impact how third parties process app user data.
Explicit Consent: The GDPR also states that businesses must request explicit consent from EU citizens before collecting, using, and transferring personal data. The request must explain (among other requirements) why the data is needed and for how long it will be kept. Consent must be conveyed through a clear and intelligible “opt-in,” absent the legalese typical of many “terms & conditions” provisions.
Compulsory Data Breach Notifications: In what is perhaps the most radical deviation from U.S. law (and one motivated in part by the inherent “risk for the rights and freedoms of individuals”), the GDPR requires businesses to report data breaches to regulators (and in some instances, users) within 72 hours.
While there are other essential GDPR provisions to note (including the notion of “privacy by design” and the introduction of data protection officers), the three listed above are important for the startling degree to which they differ from U.S. data protection policy. With non-compliance fines and sanctions for both controllers and processors reaching as high as €20 million or 4% of annual global turnover (whichever is higher), U.S. companies engaging in the collection of EU resident data should make a concerted effort to understand the differences between U.S. and EU regulations. This summary from PricewaterhouseCoopers is a great place to start.
Who Needs to Comply?
As noted above, the GDPR only applies with respect to residents of the EU. However, given the sheer scale of the EU market, the GDPR is likely to impact not only organizations operating within the EU, but those companies located within the United States that offer goods/services/apps to EU residents. What does this mean for your app or website? Let’s further illustrate:
- Does Apply: Article 3 of the GDPR dictates that it will apply to your mobile app or website if you collect the personal data of an EU resident physically located in the EU while providing a product or service. An example would be if an EU resident (again, physically located in the EU) downloads your app from the U.S. Google Play Store. The GDPR will also apply even in the absence of a final transaction. For example, if a U.S. company is collecting personally identifiable information (PII) in the EU as part of a marketing survey, that data would be subject to the protections of the GDPR.
- Does Not Apply: The “territorial scope” of the GDPR will not apply to your mobile app or website if you are collecting data from an EU citizen who happens to be outside of the EU at the time of collection.
Given the potential breadth and depth of the GDPR, it’s somewhat surprising that businesses both at home and abroad have been slow to act. As recently as 2017, studies indicated that an overwhelming majority of U.S. businesses did not have a GDPR plan in place. Fast forward a year later, and, in the face of the May 25, 2018 implementation deadline, more than half of all global businesses surveyed indicated that they would not meet the deadline. While some U.S.-based businesses chose to either abandon their EU operations (e.g., Drawbridge and Verve) or restrict EU resident access (e.g., LA Times) rather than face the potential risks of non-compliance, the vast majority, in fact, missed the implementation deadline altogether.
Compliance: Getting Started
If you are an app developer and you missed the May 25, 2018 implementation deadline, rest assured that you’re not alone. In fact, Gartner predicts that even as late as December 2018, more than 50% of businesses affected by the GDPR will still not be in compliance with its requirements (including 55% of mobile apps). If you find yourself in this position of non-compliance, the first step towards GDPR implementation is to further explore the potential impact of the regulation within the context of your business. As the aim of the GDPR is to ensure clear, streamlined, and secure data collection activities, begin by addressing the following compliance issues:
Data Necessity: Look to determine if, as an app-developer, your business must collect/use the personal data of app users. If your app collects personal data or user information, it should directly pertain to the user experience and value proposition of your mobile app. If you don’t collect personal data, then you are unlikely to have any GDPR compliance-related issues.
Data Transparency: Next, if you are collecting data, make sure your app-users know what data you are collecting and why. Under the GDPR, “terms & conditions” must clearly explain the “why” and “how” behind your data collection. Users must also give their full and explicit consent.
Data Protection: Finally, look to determine how well you are currently protecting user data. Are you using data encryption? If not, you should explore it and other advanced protection techniques to fully guarantee the security of user data.
While GDPR compliance may appear to be an arduous and time-consuming task, for the majority of U.S.-based app developers, compliance (if even necessary) should make for a smooth transition. Most analysts expect the Information Commissioner’s Office to only come down hard on organizations that cannot demonstrate a good-faith effort with compliance. Given the fact that most GDPR violators will be identified through data breaches, there is still time to make a concerted effort to understand, implement, and adjust to the new regulation.