GDPR: Data Privacy in the EU

Approved in 2016 by the EU Parliament, the General Data Protection Regulation (GDPR) takes effect on May 25, 2018, and is the most significant update to data privacy regulations with profound implications for any organization that engages with and collects personal data from European Union (EU) residents.

In 99 articles that regulate the collection and use of personal data (information that can be used to identify individuals), the GDPR unifies privacy laws across the EU’s 28 member states and empowers its 500+ million citizens with stronger rights to privacy. Serious violations can incur a penalty of 2-4% of a company’s gross revenue or €20 million, whichever is greater. This regulation applies to any company that handles data on EU citizens, regardless of the company’s location worldwide, and the liability is shared by the organization that owns the data as well as any organizations that help manage that data, even if third-party.

The GDPR principles are meant to ensure user information is limited to what is needed for specific business purposes, for only as long as it is needed, and only accessed by necessary parties. It is significant in a few areas:

• Data accessibility: individuals can demand details on information collected, its use/purpose, the period data will be stored and safeguards in place if transferred outside of the EU
• Data erasure: individuals can revoke permission for the use of their data or demand its deletion (aka “right to be forgotten”)
• Compliance: rather than enforcement commissions proving a violation, organizations must now demonstrate technical and organizational practices are in line with GDPR’s data collection principles
• Privacy by design and default: protection and privacy features must be integrated throughout products and services by design and privacy settings are automatically enacted by default
• Consent for minors: GDPR requires parental consent to process data if a user is below the age of 16 although EU states have an option to lower this to 13 years
• Breach notification: organizations must notify individuals of data breaches within 72 hours after becoming aware of the incident

For such a major regulation, there have been few publications written on its effect on the games industry, but we have found a few worth highlighting:

• Law firm Purewal & Partners wrote a comprehensive three-part overview on GDPR for Gamesindustry.biz covering “What does GDPR do?” “What does GDPR mean for digital entertainment businesses?” and “GDPR: Frequently Asked Questions”
• Though targeting marketers, analytics company Treasure Data released The Marketer’s Guide to GDPR which includes specific examples and tips for opt-out forms, running opt-in campaigns, managing inbound leads and outbound marketing tactics
• Oculus’ recent blog article is a great example of updates the company has made to be GDPR compliant

The GDPR replaces the UK’s Data Protection Act. The EU has taken the lead on data privacy, but other countries such as Australia are in the process of updating their privacy regulations, and more are expected to follow as privacy concerns increase worldwide.