What is it?
GDPR – or to give it its full title, the EU General Data Protection Regulation – is a new set of laws designed to standardise and improve how companies deal with the privacy of their customers’ and users’ data. It also empowers EU citizens to better control who has access to their personal data, and what they do with it.
European rules but global impact
Although GDPR is a set of laws created to protect EU citizens, it also applies to any company that controls, stores or processes the data of people in the EU, even if the company or its technology is based in another country. So that means that even if you are based on the opposite side of the world, as long as you have even one customer that’s based in the EU you’ll need to comply with GDPR’s rules and regulations.
It’s all about how you collect, store and use your customers’ (and their customers’) data
With so much discussion going on about GDPR, it’s a good bet that even if you don’t know all the details, you are aware that it’s a serious piece of legislation. There are pages and pages of rules covering what needs to happen with different kinds of personal data, but the key to remember is that the biggest impact of GDPR is on how companies collect, store and use personal data.
Different companies will need to look at exactly how GDPR will affect them, but broadly speaking, there are six steps that all companies will need to follow to be GDPR-compliant:
- Make it clear and easy to give (and withdraw) consent for personal data to be used
- Let anyone affected by a data breach know about it within 72 hours
- Allow consumers access to any personal information held about them
- Act on any request by a consumer to delete the data held, and to stop sharing it with any third parties
- Ensure that any IT systems that store or process personal information are secure
- Make sure there are clear processes in place to ensure all the above actions are undertaken
Are you a Subject, a Controller or a Processor?
One key aspect of GDPR is that there are different rules to follow depending on what your relationship is to the personal data. This divides the stakeholders into three camps – the Subject, the Controller, and the Processor.
You are the Subject if it’s your data that is being collected or processed.
You are the Controller if you are the person or company that wishes to collect and process someone’s data, or are the one that decides why and how the data will be collected and processed.
You are the Processor if you are the person or company that is doing the actual processing of the data.
Depending on which role you or your company has, specific rules apply that have to be followed. Failure to comply can result in a significant fine of up to 4% of annual revenues, or up to €20 million – whichever is higher.
Help! I’m an app publisher – what do I need to do?
If you have an app that monetizes anywhere in the European Economic Area (EEA), you need to make sure you are GDPR compliant. Under GDPR, publishers have the role of Controller, meaning they bear responsibility for how any and all data is handled – even if the handling is being done by a third party such as an ad network. This includes any SDKs that pass identifying data to and from the ad network or platform.
With the new law due to come into force on the 25th of May, companies should have done everything by now to be ready, but if you’re not sure, make sure that your advertising partners are fully GDPR compliant as soon as possible. You can read Mobvista’s own GDPR policy here.