The European Commission approved the new General Data Protection Regulation (GDPR) on 14th April 2016 and it picked up quite a flurry in the media, with good reason. This new regulation states that if a website/application collects or stores data related to an EU citizen, it must comply with the following:
- Tell the user who you are, why you collect the data, and how long you will store it
- Get clear consent before collecting any data
- Let users access/delete their data at any time
- Let users know if data breaches occur (as soon as they are discovered)
When did GDPR start?
Although the regulation was passed in 2016, GDPR came into effect across the European Union only on 25th May 2018
What happens if you’re non-compliant?
The maximum fines for non-compliance are hefty, which is why toeing this regulation is paramount for any business that deals with citizens in the European Union. As of 2018, the maximum fine for non-compliance is 20 million Euro or 4% of annual turnover — whichever is higher.
Businesses that are deemed to be non-compliant with GDPR could also find themselves at the receiving end of official actions including:
a) Official warnings
b) Official reprimands
c) Official orders to comply with Data Subject requests
d) Communicating personal data breaches directly to the Data Subject
All GDPR compliance cases are handled and judged by the European Data Protection Supervisor (EDPS).
How will GDPR affect your business?
GDPR comes with a unique set of technical challenges as well. From revamping welcome screens to providing users with options to control their own data, there is a lot that needs to be done on the technical front to make your business fully compliant with these new regulations.
Since the humongous fines for not complying with GDPR are no joke, even for large multinational corporations, non-compliance isn’t an option. Moreover, we expect many other countries to take cue from these regulations slowly and set out similar regulations in the near future.
However, are the resources expended on complying with GDPR going to waste? We don’t think so. A business that complies with these regulations sets itself up as a ‘user-centric’ brand — garnering trust amongst potential and current users. Think of this as yet another way to enhance the user experience, while improving data security measures at the same time.
Our experience with GDPR
Our clients recently had to revamp their products to comply with GDPR. This involved implementing additional features for disclosures for EU users.
The second feature would give users an option to accept or decline personalized, targeted advertisements that would be delivered through the application.
- If the user accepts, they are shown targeted and personalized advertisements.
- If they decline, they would be shown only non-personalized advertisements (this is a feature available through Google’s ads SDK).
The third screen would give users the option of accepting or declining sharing of their information with affiliates and partners of the client for better targeted/tailored ads/promos.
- If the user accepts this, we send information to the DMP tool which is shared by the client and their affiliates. This information may be used to better target ads/promos for individual users.
- If the user declines, we do not send any information to the Data Management Platform.
Another requirement as part of GDPR is to collect and store all the information related to user consent. We have worked with services such as Gigya, which basically stores user preferences and acts as consent management platform. This is good especially if you don’t have a user authentication and storage of your own.
We had to work with the clients’ product, legal and QA team and every country in the GDPR country list was tested on the platforms by proxying the location.
In summary, GDPR is a great policy for consumers in the respective countries however, it is a very resource intensive effort for enterprises to comply with the policies with their products. The features we implemented for our clients along with the integration with a account management platform, changed the way advertisements are served based on user preferences, and changed the way user data is reported to DMP tools. We also gave users the option to change their settings at any time.