May 25, 2018
The General Data Protection Regulation (GDPR) is going to be effective from 25th May 2018 and enterprises across the globe are already geared up to update their data privacy rules in compliance with the GDPR regulations.
In this article, we will outline what GDPR means for app owners and how they can ensure that their app is GDPR compliant.
GDPR is a set of regulations that every enterprise collecting user data should comply with. The primary objective of GDPR is to give control to citizens and residents over their personal data and to simplify the regulatory environment for businesses by unifying the regulation within the EU (European Union).
Although most European countries have their individual data privacy laws, GDPR aims to standardize these rules and make safeguarding users’ data stronger, easier, and more uniform across the EU, unifying existing data protection regulations across its 28 member states.
Besides the data collected by enterprises through their digital interactions with the customers on websites, apps, etc., GDPR also protects user-generated data such as social media posts, personal images uploaded to any website including those which might not have been uploaded by the individuals themselves. Additionally, any other uniquely personal information commonly uploaded or found online about the user will come under the purview of GDPR.
Essentially, GDPR is aimed to protect all personal user data across every online platform
Here are some of the key changes to come into effect with GDPR:
It means for enterprises across the globe interacting with customers in the EU region will have to ensure stringent compliance with GDPR. Even if a business doesn’t operate in the EU, they will still have to be GDPR compliant if the business holds data of EU citizens.
This means businesses will need to provide and be accountable for information like:
It will also imply that businesses will have to shift from an ‘opt-out’ approach for collecting user data, to an ‘opt-in’ approach. Which means enterprises will have to ensure that users have the option to opt-out of sharing the data they do not want to share, beforehand.
While right now this approach will only become a mandate when it comes to EU based customers, adopting such approach at a global scale will be helpful for enterprises in a long run, in the light of the recent data fiasco of Facebook.
GDPR is one of the most significant data protection legislation that has been introduced in the European Union. Apps will be one of the platforms which will be most affected. While GDPR will also apply to websites, for websites it will be a lot easier to comply with the changed regulations. However, in case of apps, it will be a bit complex since they will have to be updated with the new SDKs that are used by apps for analytics.
As mentioned earlier, GDPR fundamentally ensures that no data is collected about a user and the device to which the user is associated with, unless the user specifically opts in. While it might be possible that that app owners might by default continue to collect the data, it will be mandatory for them to give users an opt-out option.
To understand GDPR it’s important to first understand the three roles in the mobile app ecosystem.
With the introduction of GDPR, the definition of personal data has changed. It goes beyond traditional personally identifiable information – name, email address, etc., it will now include identifiers such as device sensors, IP address etc, which when combined with other data, can identify an individual. This is a huge change in the way we think about personal data.
The impact of the GDPR, although is limited to the EU region it will have a widespread impact on the entire app and analytics ecosystem. If a business has an app that uses an analytics SDK of any kind to track the user or a device then they are affected by this regulation. If the app is available in the EU region then they have to update it with the latest version of the analytics SDK that complies with the GDPR.
Just updating the SDK is not enough. Even if an app owner doesn’t operate in the EU region, if the app is available in this region then it is mandatory to comply with the GDPR.
Here is what enterprises and app owners would need to do:
GDPR will have a huge impact on reaching the customers via targeted communication. At this moment it is a bit ambiguous whether GDPR requires the data processors to delete the existing user profile data by default or will the users have to explicitly do it after this regulation comes into effect. So, at present, we can assume that app owners will be able to reach out to users whose data might still be there with data processors unless they are also deleted.
Nonetheless, moving forward, user segmentation, targeted push notifications and marketing communications based on user demographics may become things of the past as businesses will not be able to segment users. App owners and marketers will need to find other ways of segmenting their users. For e.g. Interest areas.
Further, while using any Google products such as Google Analytics, Tag Manager Adwords to personalize the ads served to customers and track their on-site actions adhering to GDPR guidelines and getting user consent is a must.
According to Google:
GDPR might also imply that in the coming days, marketers will no longer be able to share additional content assets with users, other than what they have opted for; for e.g. while doing a lead-generation campaign if the user downloads an ebook, marketers will not be able to send additional emails, newsletters etc. to them, unless these users opt-in for additional resources from these brands. Hence, marketers will have to devise newer ways to engage with their target audience.
GDPR by far is known to be one of the most ambitious consumer data protection regulations that have been devised globally. While GDPR right now is limited to the EU, it will pave the way for more secure and stringent data protection laws for consumers globally.
Though initially the implementation and compliance with this regulation might cause some difficulty for businesses, it’s important to remember that this legislation is being introduced to protect users’ rights. And while it isn’t required for businesses to follow such regulations elsewhere, it will help businesses in a long-run to alleviate the privacy-related concerns the users have from apps and other such digital platforms.
Note: This is an opinion piece and enterprises must seek legal advice to ensure full compliance with GDPR regulations.