Twenty years ago, if you’d been asked whether you had the right to control who had access to your personal data, you’d most likely have given a blank look and muttered something like, “Well yeah. No duh.” Fast forward to present day, when data breaches are everywhere, our personal data is traded like currency, and ownership of that data is a matter for debate. Should Facebook be held responsible for compromising the personal data of more than 87 million people. If yes, how? Should Equifax be held responsible for compromising the personal data of more than 143 million people. If yes, how? Given the general murkiness of existing US law governing the use of personal data, we still don’t have answers to these questions.
With the General Data Protection Regulation (GDPR) going live on May 25, 2018, the European Union (EU) has taken a strong stand in favor of individual rights. The GDPR is black-and-white about the fact that individuals own their data and thus have enforceable rights with respect to it. It sets rules about how businesses are permitted to use that data, as well as what the consequences will be if they fail to comply. The GDPR marks the biggest change in data privacy regulation in more than two decades.
The GDPR was first made public in May 2016, giving impacted businesses and organizations two years to comply. While most businesses and public organizations in the EU have already spent those years focusing on updating their systems, protocols, and processes to ensure compliance, many US-based companies are still confused about what the GDPR means for their businesses. To understand how the GDPR may impact your mobile app or website, read on.
Would an EU or UK citizen potentially use your mobile app or website while they are in the EU or the UK? If yes, the GDPR does apply. (When it goes into effect, the UK will still be a member of the EU; thus, the GDPR will be written into UK law, remaining in effect post-Brexit.) To keep things simple, from this point forward, please understand “EU citizen” to cover citizens of both the EU and the UK.
- The GDPR applies to your mobile app or website if, in the process of providing your services, you collect personal data from someone physically located in an EU country. For example, if someone downloads your app from the US App Store but they reside in the EU, it still applies.
- The GDPR does not apply, however, if you are collecting personal data from an EU citizen *who is outside of the EU when that data is collected*.
- The GDPR also applies if you’re conducting targeted marketing to people in the EU, even if no financial transaction is involved. (Check out this article by Yaki Faitelson for a great summary with illustrative examples that help explain how this complex matter will be decided.)
Bottom line, the GDPR dictates that:
- Businesses must obtain explicit consent for the processing of personal data from EU citizens. To gain that consent, you must explain why you need the data, for what specific purposes that data will be used, and how long you plan to keep that data, among other requirements. The EU citizen must give consent via a positive opt-in (i.e., there must be no “default” setting granting access, and you can’t point to a set of terms and conditions a user may or may not have read).
- EU citizens are granted the “right to be forgotten.” If an EU citizen has previously granted consent to process their personal data, they have the right to withdraw that consent. This right, however, is not absolute.
- Businesses must report data breaches within 72 hours. The GDPR promises fines of up to 20M euros (nearly $24M in US dollars) or up to 4% of a company’s past-year global revenues for not reporting a qualifying breach to regulators within 72 hours. In some cases, businesses are also required to directly notify impacted users within 72 hours, or to notify impacted clients immediately. In addition, businesses may be reprimanded and/or receive temporary or permanent bans on the processing of personal data. That said, the GDPR does indicate that they may elect to first issue “warnings” in certain cases.
- Citizens may sue for compensation. If a business hasn’t respected the data protection law and as a result an EU citizen has been caused material (e.g., financial) or non-material (e.g., reputational) damages, the citizen has the right to make a claim for compensation in court.
These policies, as well as the definitions used within them, are markedly different from existing US policies in several ways. Though we’ll cover a few of these items in more detail below, this helpful summary provides a succinct look at the major differences.
In the US, we talk about “personally identifiable information,” or PII. The EU refers to this type of data as “personal data” and defines it much more broadly. Specifically, the GDPR defines personal data as:
- Information that may enable direct or indirect identification of a living individual.
- The more typical items you’d think of, including names, home addresses, email addresses containing someone’s name, and ID card numbers.
- Items you may not necessarily think of, including an individual’s biometric data, location data, IP address, RFID tag, cookie ID, or phone advertising identifier.
- Information that has been anonymized, captured under a pseudonym, and/or encrypted *but which can be used to re-identify a person*. In other words, in order for data to be truly made anonymous, the process by which the anonymization occurs must be irreversible. This, too, marks a departure from current US law regulating the use of anonymized data.
The GDPR does not cover personal data relating to people who are deceased, or data about companies or legal entities.
In overview, the GDPR encourages covered businesses to implement protective measures “corresponding to the level of risk of their data processing activities.” In other words, what you should do depends in part on how much personal data you process, as well as the nature of that data. For example, if your mobile app or website gathers personal health-related data, the GDPR would encourage more stringent measures. If it gathers only a small amount of less sensitive data, however, less stringent measures may be sufficient.
The bottom line, however, is that, under the GDPR, all businesses and public organizations — regardless of size or scope — are held responsible for ensuring the security of EU citizens’ personal data. With that in mind, the GDPR gives the following requirements for all covered companies:
Lawful, Transparent Use of Data for Specific, Stated Purposes
The GDPR’s stipulations in this area are essentially focused on achieving two key objectives:
- You are processing personal data in a lawful, transparent, and fair manner for specific, well-defined purposes. Your purposes must be lawful and appropriate, and you must state those purposes clearly when you gain users’ consent. Personal data that isn’t required to achieve the defined purposes should not be collected.
- You are protecting any personal data you collect from being compromised. This means that you are installing appropriate safeguards in your mobile app or website to ensure its security (see below). In addition, the GDPR requires that personal data should be stored for the “shortest time possible” to achieve the purpose for which the data was collected.
Adoption of Appropriate Organizational Safeguards
Again, what’s appropriate for your business would depend on how much personal data you process, as well as the specific nature of that data. Example requirements are as follows:
- Companies are expected to adopt policies and practices that ensure “data protection by design” (ensuring data is processed with the highest possible privacy protections) and “data protection by default” (ensuring that personal data isn’t accessible to an indefinite number of people by default).
- If a company handles a great deal of personal data, the GDPR requires appointment of a Data Protection Officer (DPO) to monitor GDPR compliance over all digital touchpoints with consumers, act as a point of contact for employees and customers, and report on GDPR compliance to company leadership.
- Companies with more than 250 employees are required to create and maintain documentation regarding the collection, processing, and overall life cycle of customers’ personal data.
Timely Notification of Qualifying Data Breaches
The GDPR sets clear requirements for how businesses should handle notification surrounding data breaches. (When you stop to consider that Equifax discovered their massive data breach on July 29th and it wasn’t publicly announced until September 7th, you’ll fully appreciate the importance of these requirements.) In accordance with the GDPR, depending on the nature of your breach, you must:
- Notify the supervisory authority within 72 hours. If your mobile app or website experiences a covered data breach involving personal data of EU citizens, you are required to notify appropriate EU Data Protection Authorities (DPAs) within 72 hours of becoming aware that the breach has occurred. The notification must include information about the nature and breadth of the impact, its likely consequences, the mitigation plan, and points of contact at your company.
- If “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons,” however, the regulation does not apply (e.g., if the personal data that was compromised is publicly available in another forum).
- Notify the EU citizens whose data have been compromised within 72 hours. If the breach of personal data represents a “high risk to the rights and freedoms of natural persons,” you must also directly notify the EU citizens themselves.
- Notify clients immediately. If the data breach fits the stated requirements and involves personal data belonging to a business’ clients, they are required to notify those clients as soon as it becomes aware of the breach.
Even if you’re not sure you’ll have any users physically in the EU and you have no plans to market your mobile app or website directly to EU users, it’s likely that — given all of the high-profile personal data breaches of the past two years — change is a ‘comin on a global basis. In addition, the EU has been clear in their intention that, with the GDPR, they hope to set the global standard. So it’s likely that the smartest bet is to start embedding appropriate guidelines into how you handle personal data, regardless of who or where you think your users will be. With the GDPR’s arrival, it would be smart to consider taking the following actions:
- Do your homework. Appoint a representative within your company to read up on the GDPR, so that you can develop a strong baseline understanding and better understand how it applies to you. Consider seeing legal advice to fully understand how your business is impacted. In particular, make sure to review how the GDPR defines “controllers” and “processors” and assess how it impacts your liability and your relationships with any third-party service providers.
- Make your leadership and organization aware of the GDPR’s requirements. Clearly, the GDPR doesn’t accept “ignorance” as an excuse for failing to comply.
- Consider appointing a DPO for your company. This may be someone who’s already in your company, as long as they have the right expertise to ably monitor these activities.
- Review your mobile app or website’s sign-up process. During your mobile app or website’s signup process — a time when you’re inevitably collecting some amount of personal data — be clear with your users about how, why, and for how long their data will be used. Make sure to gain explicit consent to process personal data using a positive opt-in (e.g., they must “check” a set of boxes to indicate consent). Develop your user interface (UI) and user experience (UX) to support “data protection by design” and “data protection by default” principles.
- Review your use of users’ email addresses. Make sure to inform users how their email addresses will be used, as well as to gain positive opt-in permission for that use.
- Ensure you have a strong incident response plan. Establish and indoctrinate clear protocols to ensure timely detection, containment, and reporting of any data breaches in accordance with GDPR requirements.
- Review, map, and update your data processing practices and controls. Focus on pinpointing and addressing any areas in which you may be vulnerable.
- Review and update your data processing policies. Make sure you have clearly stated purposes for the gathering of personal data, procedures for keeping that data accurate and up-to-date, and policies regarding when and how the data will be reviewed and/or erased.
- Make certain your developers are instituting and maintaining proper safeguards. Safeguards may include properly configuring firewalls, undertaking security testing, encrypting personal data that moves between your app or website and its server, replacing names with pseudonyms, and ensuring strong hashing of user passwords. (Distillery’s developer team is working on a blog that gives more specific technical guidance on how you can ensure you’re ready for GDPR. Look for it soon!)
- Consider cyber insurance policies. Some aspects of the GDPR may be covered by a good cyber insurance policy. Seek legal advice before purchasing, however.
Still confused about how the GDPR may impact your US-based mobile app or website? Let us know.