Preparing for GDPR: How Will it Affect My U.S. Organization?

[Image: faded blue map of Europe in the background; twelve yellow stars circling a yellow padlock labeled "GDPR" in the foreground.]

The European Union’s (EU) General Data Protection Regulation (GDPR) goes into effect on May 25, 2018.

While most (if not all) entities operating in EU nations have taken steps to prepare their websites and mobile applications for these new regulations, many U.S.-based businesses and organizations have failed to understand how the law applies to them.

Who is subject to GDPR?

The GDPR intends to change the way we think about personal data, formalizing a set of citizen rights and vendor responsibilities. While compliance is required for legacy systems, the law will undoubtedly have an effect on how new systems are developed worldwide.

Data must be protected and handled in accordance with GDPR if a company markets its products to EU citizens who are physically in an EU nation when their information is collected.

The law states that a company must be targeting its marketing at residents of the EU (by using their native language, accepting EU currency, or indicating that EU users are the intended audience for its product or service) in order to be held to the regulations. Even so, the growing public insistence on data privacy and our continued dependence on third-party tracking tools indicate a need to prepare for a new phase of global transparency, regardless of your office zip code.

What are the new regulations?

By law, any processors of personal data (including US firms with a web or mobile presence) will be subject to the following requirements:

1. Only process personal data that is necessary to the app or website’s purpose

Also known as “privacy by design,” this stipulation further restricts access to personal data to company representatives who are explicitly responsible for data processing. How you define what is “necessary” will depend on how you position your product or service.

2. Know your lawful basis for processing

There are six legal bases for processing, and while not all of them require explicit consent, you must at the very least document the application’s lawful basis in its terms of service.

Those bases for processing are compliance with a legal obligation, contractual performance, vital interests, public interest or acting under official public authority, legitimate interests, and with the data subjects’ consent.

3. Obtain explicit consent

Where consent is required, it’s no longer sufficient to assume that consent is implicitly granted by virtue of using the service. Third-party tracking tools that provide businesses with personally identifiable information (yes, IP addresses count) cannot be used for first-time visitors who have done nothing to give you their consent.

It’s also no longer accepted practice to have your “terms and conditions” presented with confusing legal terminology in tiny print where users are entering their information. It is now expected that users can easily and quickly identify how their data will be used before submitting it online or in an app.

4. Tell users what you collect, why, and how long you will retain it

Apart from your server-side records, this includes documenting every cookie you use (including third-party cookies) by name and describing its purpose. This also includes authentication logs and other diagnostic records when they can be associated with a specific user’s account.

5. Provide users with a way to opt out of non-essential processing

Since services like AdSense and Google Analytics use cookies (and neither is likely to be “essential” to the functioning of your site or app), vendors will likely need to provide an opt-out option.

In practice, this means you must extend your account records to include these preferences, create a user interface (UI) for those account options (if you don’t already have an account settings UI), and make that UI discoverable.
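The consent gate described in items 3 through 5, as an added example (not code from the original post): a constructed cookie registry listing every cookie by name and purpose, a rule that treats a first-time visitor with no recorded choice exactly like an opt-out, a loader gate that only runs third-party scripts for consented categories, and an opt-out that updates the account’s consent record and reports which cookies must be cleared. The cookie names, categories and loader functions are illustrative assumptions.

```javascript
// Constructed cookie registry (item 4): every cookie the site sets, by name,
// with its purpose and a category. Names and purposes are illustrative.
const COOKIE_REGISTRY = [
  { name: "session_id", purpose: "keeps the user signed in", category: "essential" },
  { name: "_ga", purpose: "Google Analytics visitor identifier", category: "analytics" },
  { name: "__gads", purpose: "AdSense ad delivery and measurement", category: "advertising" },
];

// Consent record as stored on the account (item 5), e.g. { analytics: true,
// advertising: false }. A first-time visitor has no record at all (undefined),
// which is treated exactly like an opt-out: only essential cookies are allowed.
function permittedCategories(consent) {
  const allowed = new Set(["essential"]);
  for (const [category, granted] of Object.entries(consent || {})) {
    if (granted === true) allowed.add(category);
  }
  return allowed;
}

// Names of the cookies that may be set for this visitor. A cookie missing from
// the registry is never permitted, so an undocumented tracker cannot slip in.
function permittedCookies(consent) {
  const allowed = permittedCategories(consent);
  return COOKIE_REGISTRY.filter((c) => allowed.has(c.category)).map((c) => c.name);
}

// Gate third-party loaders on consent (item 3). `loaders` maps a category to the
// function that would inject that vendor's script; only consented ones are run.
function loadTrackers(consent, loaders) {
  const allowed = permittedCategories(consent);
  const loaded = [];
  for (const [category, load] of Object.entries(loaders)) {
    if (allowed.has(category)) {
      load();
      loaded.push(category);
    }
  }
  return loaded;
}

// Opt-out (item 5): returns the updated consent record and the names of the
// cookies in that category, which the caller must now clear from the browser.
function optOut(consent, category) {
  const updated = { ...(consent || {}), [category]: false };
  const clear = COOKIE_REGISTRY.filter((c) => c.category === category).map((c) => c.name);
  return { consent: updated, clear };
}
```

In a real site the `loaders` would be the functions that append the vendor `<script>` tags, and the consent record would be persisted with the user's account so the choice survives across devices.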

6. Secure any personal data that you transmit or retain

The market for data security services is already large. While GDPR doesn’t change the fundamental requirements or techniques, it will increase the demand for such services.

Although vendors compete in this area, the security controls themselves are the part of compliance that will vary least from one application to the next.

7. Upon request, give users a report of data that you’ve collected on them

This does not need to include data that has been anonymized, but it does include any information you’ve collected through first- and third-party tools, as well as progressive-profiling information accumulated as the user has interacted with your website or app.

While the exported version of this report can take several forms, a user should be able to easily view all of the data a business has collected on them within the UI of the app itself.

8. Upon request, delete all data associated with a user’s identity

The much-publicized “right to be forgotten” means businesses must have a way to receive these requests, a procedure for complying with said requests within a month of receiving them, and a general knowledge of the circumstances under which they must comply with this regulation.

What’s at stake?

While enforcement measures for companies operating outside of the EU remain to be fully clarified, recent updates to global platforms like Facebook and Google indicate that the general EU perspective on privacy is likely to become the new normal worldwide.

It’s possible that some domestic businesses using legacy systems to target only US users may not need to adopt tactical compliance measures in response to GDPR’s regulatory requirements.

What’s certain, however, is that every organization should keep the spirit of the law in mind when designing new websites or apps. The future of your business may depend on it.

Our team is fully prepared to help businesses navigate the new regulatory landscape and ensure data protection measures are implemented correctly in the future. Drop us a line to find out how we can help.