On May 25th, 2018 the new EU General Data Protection Regulation (GDPR) will come into effect. The regulation was approved by the EU Parliament on 14 April 2016, which gave companies and organisations a transition period of about two years to adjust their systems and processes to comply.
For smaller organisations in particular, new regulations are rarely a top priority, but this one should be: GDPR is far-reaching, and non-compliance can result in heavy fines (up to 4% of global annual turnover or €20 million, whichever is higher). Because its subject is the protection of personal data, it applies to almost every organisation. Whether you only run a simple website where users log in or your company is built on user-data-driven marketing, it will have an impact and you do need to comply.
Startups and app developers must be particularly aware of GDPR, because it is common practice to collect as much user data as possible in order to improve the offering to customers. Generic privacy terms or a soft opt-in will not suffice. Up till now you could get away with referring to some very general terms & conditions without needing (and thus asking for) specific user consent. Under the new regulation this is no longer allowed: even an IP address counts as personal data, so collecting it requires a lawful basis such as specific user consent. You should also be aware of the chain of responsibility when you use third-party tools and frameworks. Given all the (free) analytics tools available (Google Analytics, Facebook Analytics, Mixpanel and so on), most developers use them to get insight into their users, and in doing so give those companies access to the user data you collect. You remain responsible for that data. GDPR covers not only explicit user consent but also the user's right of access to the data you have collected about them and the right to be forgotten (erasure). Can you comply with this?
Are you at risk? Yes, you are. You might think that once the regulation is in effect the EU will go after the big fish first (it probably will), but that does not exclude you. All it takes is one of your users filing a complaint because you cannot honour an access or erasure request, or a basic data breach in your app or website.
Since 2016 many articles have been written about all aspects of GDPR, so instead of writing my own version I will give you some relevant links.
First, and most important, is the EU's own GDPR site:
Then there is dataIQ's summary of the regulation, which should give you a good insight into its effect on your organisation:
TechBeacon offers some basic steps to help you comply:
Don't have time to read (you should definitely make it)? Watch this 3-minute video:
Or this in-depth video overview: