On May 25, 2018, the European Commission’s primary privacy rules, the General Data Protection Regulation (GDPR), will go into effect. This regulation will have far-reaching implications for every small business, corporation, or individual that handles the data of EU persons.  This regulation will impact you.

That’s right. Unless you never, ever, ever deal with the information and personal data of an EU person, the GDPR will apply to you, even if you are not located in the EU.

ACT | The App Association has compiled a comprehensive and interactive GDPR guide to help you understand the regulation before it goes into effect and prepare for the ways it will impact your business operations.

At its core, the GDPR will require companies and their contractors to comply with strict rules to ensure the protection of consumer data. This blog outlines key information about how the GDPR will impact you, new rules it will impose, terms to understand, and how this new regulation compares to other privacy regulations.


How Will the GDPR Affect You?

Every day, people around the globe share personal data in a variety of different ways, including with app developers and tech companies that monitor users health, connect them to social networks, manage their finances, and more. The information used to directly, or indirectly, identify a person is known as their “personal data” and can represent anything from a person’s name, identification number, location, or factors specific to the physical, physiological, or other elements of a person’s identity. The GDPR creates specific rules and requirements for the entities that gather, store, or distribute this type of data, regardless of where the entity is located.

Our guide provides a thorough overview of the new requirements that will come along with the GDPR and address a few common questions, like:

  • Are you a controller or a processor? Under the GDPR, this is an important distinction based on how your company handles an EU subject’s personal data. Your classification as a controller or a processor will determine your requirements and responsibilities under the regulation.
  • Have you designated a EU representative? If your company consistently holds or processes data on an EU person, the GDPR will require you to have a physical presence, or hire a representative, in the EU. We explain this requirement and its caveats, articulated in Article 27, in our guide.
  • What are your consent mechanisms? Under the GDPR, consent is key. Depending on the type of data collected, the GDPR requires that a controller receive intelligible and easily accessible consent from EU subjects, or the guardians of children under the age of thirteen, before utilizing their data. Companies must also provide an easy mechanism to revoke consent. Once consent is given, the GDPR requires data to be safeguarded by “appropriate” technical means.
  • Do you need a data protection officer? Depending on the type and use of the data you handle, your company may need a data protection officer who possesses expert knowledge of EU data protection laws and can train company employees on GDPR requirements.
  • What do you do if you suffer a data breach? The GDPR intends to strengthen the protection of EU citizens’ data and outlines the rules and consequences if data is jeopardized. If your company experiences a data breach that leads to the accidental or unlawful destruction, loss, alteration, or disclosure of personal data, the GDPR has different requirements if you are classified as a controller or a processor.


What Do I Need to Know?

The “Key Things to Know” section of our GDPR guide outlines new data protections afforded to EU subjects under the GDPR. These protections include expanded rights for data subjects to not only access their data, but that they also be informed of when, where, and why their personal information is being processed. These include:

  • the right to be forgotten, which allows EU subjects to request a controller or processor erase or cease dissemination of their personal data.
  • the right for EU subjects to request access to their personal data in a commonly used format or request that the data be shared with other data controllers.
  • new rights for EU data subjects if their personal data is used by companies that implement machine learning or if governments request that data for criminal investigations.


What Do These Words Mean?

Not only is lingo different across the pond, but the GDPR introduces many new terms and concepts around the treatment of EU subjects’ data.

  • Did you know that every EU member state has a data protection authority that monitors and enforces data protection regulations within the EU?
  • Does your company have a main establishment in the EU where your company makes decisions about processing data?
  • Have you completed a privacy impact assessment to determine whether your company’s privacy risk mechanisms align with the GDPR’s protections?

You can read about these terms and more in our GDPR glossary.


How Does It Compare?

In our interconnected global economy, app developers and tech companies can serve customers all around the world, from countries with varying privacy laws. This can make understanding and complying with multiple data privacy rules confusing or difficult. Our guide compares key GDPR requirements with the privacy requirements of existing U.S. privacy laws, like the U.S.-EU Privacy Shield, U.S. data breach laws, Children’s Online Privacy Protection Act (COPPA), and the Health Insurance Portability and Accountability Act (HIPAA).


Why Is This Important?

For our members and the customers they serve, data privacy and security are key. Data protections are vital, not only to preserve consumer trust, but also because failure to comply with privacy regulations can carry hefty legal and financial consequences. The GDPR has a tiered structure for fines, depending on the severity of the defense, and violating the GDPR can result in a maximum penalty of 4 percent of a company’s annual global revenue, or up to 20 million euro.


What Should You Do Next?

The GDPR will come into effect on May 25, 2018, whether companies are prepared or not. We hope this guide will provide the necessary information to prepare for the forthcoming privacy regulation. As we near the implementation data, we will keep our members informed of what you may need to preserve EU subjects’ new data privacy rights and succeed in markets abroad.