Compliance Solutions for Websites, Apps and Organizations | iubenda (https://www.iubenda.com/en/)

What is the GDPR and how will it affect your business
https://www.iubenda.com/en/blog/what-is-the-gdpr-eu-data-protection/
Fri, 30 Mar 2018 13:27:32 +0000

GDPR: The term has been going around for some time now in the business space and more recently with an increased sense of urgency.

But, what is it really? And more importantly, why should you care?

What exactly is the GDPR

The acronym GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679) and at its most basic, it specifies how user data should be collected, used, protected or interacted with in general. The intent here is to bolster and centralize data protection within the EU, putting personal data control back into the hands of all people whose personal data fall within its scope.

The GDPR is the biggest change to data protection in the region in 20 years and replaces the Data Protection Directive of 1995. The regulation was adopted in April 2016, and following a two-year transitional period, it will be fully enforceable by May 25th, 2018 (meaning that you are expected to be GDPR compliant by that date!).

Does GDPR apply to you?

The short answer is most likely, yes. The GDPR applies to all government agencies, companies and organizations (including non-profits) and individuals that are based in the EU; or access the data of people in the EU in any way; or offer goods and/or services to people in the EU (even if the offer is free).

This scope effectively covers almost all companies and, therefore, means that the GDPR can apply to you whether you’re located in the EU or not.

As a matter of fact, a recent PwC survey showed that GDPR is a top data protection priority for up to 92 percent of U.S. companies surveyed.

What exactly does “Personal Data” comprise?

Personal data within the context of the GDPR refers to any data that relates to an identified or identifiable living person. This includes pieces of information that, when collected together, can lead to the identification of a person. This applies even to data that has been pseudonymized or encrypted, as long as the encryption/pseudonymization is reversible.
In terms of meeting data protection obligations under the regulation, this means that decryption keys will need to be kept separately from the pseudonymized data.
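Keeping the re-identification key apart from the pseudonymized data set, as an added Python example (not iubenda's code): the customer records, key handling and function names below are constructed for illustration. With the separately held lookup table the data is still personal data (the process is reversible); without it, a holder of the data set alone cannot link tokens back to people.

```python
"""Reversible pseudonymization with the re-identification key held separately."""
import hmac
import hashlib
import secrets

# Constructed sample records (made-up data, not from any real system).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "plan": "pro", "country": "DE"},
    {"email": "bob@example.com", "plan": "free", "country": "FR"},
    {"email": "alice@example.com", "plan": "pro", "country": "DE"},
]

# Fields treated as direct identifiers in this example.
DIRECT_IDENTIFIERS = ("email",)


def token_for(value: str, key: bytes) -> str:
    """Keyed pseudonym: same input and key give the same token; without
    the key the token cannot be linked back to the input."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:24]


def pseudonymize(records, key):
    """Replace direct identifiers with tokens.

    Returns (pseudonymized_records, lookup). `lookup` maps token -> original
    value and is what makes the process reversible, so it must be stored and
    access-controlled separately from the pseudonymized data set, as must `key`.
    """
    lookup = {}
    out = []
    for rec in records:
        new = dict(rec)
        for name in DIRECT_IDENTIFIERS:
            if name in new:
                tok = token_for(new[name], key)
                lookup[tok] = new[name]
                new[name] = tok
        out.append(new)
    return out, lookup


def reidentify(record, lookup):
    """Restore identifiers from the separately held lookup table.
    Returns None when the table does not cover the record's tokens."""
    restored = dict(record)
    for name in DIRECT_IDENTIFIERS:
        if name in restored:
            if restored[name] not in lookup:
                return None
            restored[name] = lookup[restored[name]]
    return restored


def demo():
    """Run the split once and try re-identification with and without the lookup."""
    key = secrets.token_bytes(32)  # would live in a key store, not beside the data
    pseudo, lookup = pseudonymize(SAMPLE_RECORDS, key)
    with_key = reidentify(pseudo[0], lookup)      # data controller holding the table
    without_key = reidentify(pseudo[0], {})       # analyst holding only the data set
    return pseudo, with_key, without_key


if __name__ == "__main__":
    pseudo, with_key, without_key = demo()
    print(pseudo)
    print("re-identified with lookup:", with_key)
    print("re-identified without lookup:", without_key)
```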

Examples of personal data include (but are not limited to) basic identity data such as names, health, genetic & biometric data, web data such as IP addresses, political opinions, and sexual orientation data.

Examples of non-personal data include company registration numbers, generic company email addresses such as info@company.com, and anonymized data.

Are there penalties for non-compliance?

Yes. The legal ramifications for non-compliance include fines, sanctions (inclusive of audits) and potential litigation.

  • The fines are up to EUR 20 million (€20m) or 4% annual worldwide turnover (whichever is greater).
  • Sanctions include official reprimands (for first-time violations) and periodic data protection audits (which can lead to the potential seizure of valuable data in cases where similar data was obtained using non-compliant methods).
  • Under the GDPR, users have the right to compensation for any damages resulting from an organization’s non-compliance, thereby leaving violators open to potential legal action.

So it’s pretty important to be ready.

Core requirements of the regulation

Special definitions used below:

  • The term ‘user’ here means an individual whose personal data is processed by a controller or processor.
  • The term ‘data controller’ means any person or legal entity involved in determining the purpose and ways of processing the personal data.
  • The term ‘data processor’ means any person or legal entity involved in processing personal data on behalf of the controller.

(For example, an internet company may collect user information via their website and store it using a 3rd party cloud service. In this scenario, the internet company is the data controller and the organization running the cloud service is the data processor.)

Lawful basis for processing data (Article 6):
Under the GDPR, data can only be processed if there is at least one lawful reason for doing so.
The lawful bases are:

  • The user has given consent for one or more specific purposes.
  • The data processing is necessary for a contract in which the user is a participant or necessary in order to take steps (requested by the user) prior to entering the contract.
  • The processing is necessary for fulfilling a legal obligation to which the data controller is subject.
  • The processing is necessary for protecting the vital interests of the user or of another person.
  • The processing is necessary for doing a task carried out in the interest of the public or as contained under the official authority given to the data controller.
  • The processing is necessary for the legitimate interests of the data controller or third party, except where overridden by the interests, rights and freedoms of the user, in particular where the user is a child.

Consent (Articles 7&8):
Consent obtained from users must be explicit and verifiable (opt-in). In getting consent for data use, you may not use overly complicated or indecipherable terms or wording; this includes legalese and unnecessary jargon. This means that privacy notices must be laid out legibly (see ours here) using understandable language and clauses so that users are clear on what they’re consenting to. Consent for children under 13 must be given by a legal guardian using verification measures (e.g., control questions) and, in general, it must be as easy for users to withdraw consent as it is for them to give it.
Because consent is such an important issue under the GDPR, it is mandatory that you keep detailed records of consent. The records should contain details of when and how consent was obtained and exactly what the user was told at the time.

User Rights:
Under the GDPR users have specific rights that must be honored. These include:

  • The right to be informed (Articles 13&14): In addition to the generally required disclosures outlined above, the GDPR further requires that you ensure that your privacy notices are concise, easy-to-understand and easily accessible throughout your website/ app.
  • The right of access (Article 15): Users have the right to access their personal data and information about how their personal data is being processed.
  • The right to rectification (Article 16): Users have the right to have their personal data rectified if it is inaccurate or incomplete.
  • The right to erasure (Article 17): When data is no longer relevant to its original purpose or where users have withdrawn consent, users have the right to request that their data be erased and all dissemination ceased.
  • The right to restrict processing (Article 18): Users have the right to restrict the processing of their personal data in specific cases.
  • The right to data portability (Article 20): Users have the right to obtain (in a machine-readable format) and use their personal data for their own purposes.
  • The right to object (Article 21): Under the GDPR, users have the right to object to certain activities in relation to their personal data.
  • Rights related to automated decision making and profiling (Article 22): Users have the right to not be subjected to a decision when it is based on automated processing or profiling, and it produces a legal or a similarly significant effect on the user.

Privacy by design and default (Article 25):
Data protection should be included from the onset of design and development of the business processes and infrastructure. This means that privacy settings should be set to ‘high’ by default and measures put into place to make sure that the processing life cycle of the data falls within the GDPR requirements.

Maintain records of processing activities (Article 30): 
In several specific cases, the GDPR may require that up-to-date records of the data processing activities being carried out are kept and maintained. These cases include situations where the processing can result in a risk to the rights and freedoms of individuals and where special categories of data are being processed.

Breach Notification (Articles 33&34):
If there is a data breach, the data processor will have to notify the controller immediately after becoming aware. The data controller must then notify the Supervisory Authority within 72 hours of becoming aware of the breach. Under this rule, users must also be informed of the breach (within the same time frame) unless the data breached was anonymized (for example via encryption).

Data Protection Impact Assessment (Article 35):
A data protection impact assessment (DPIA) is a process used to help organizations comply effectively with the GDPR and ensure that the principles of accountability, privacy by design and privacy by default are put in practice by the organization.
Generally speaking, the DPIA is only mandatory in cases where data processing activity is likely to result in a high risk for users (this is particularly applicable when introducing new processing technology). However, if unsure as to whether or not your processing activity falls within what is considered “high risk”, it is recommended that a DPIA be carried out nonetheless as it is a useful tool for ensuring that the law is complied with.

Appointment of Data Protection Officers (Article 37):
In public authorities (except courts/judicial authorities), in organizations that systematically process personal data on a large scale, and in cases where special categories of data are being processed, a professional with expert knowledge of data protection law and practices must be appointed as Data Protection Officer (DPO). This officer should also be proficient in IT process management, data security and other critical issues surrounding the processing of personal and sensitive data.

Cross-border data transfers (Articles 44-50):
The GDPR permits transfers of EU residents’ data outside of the European Economic Area (EEA) only when in compliance with set conditions. Under these conditions, the country or region the data is being transferred to must have an “adequate” level of personal data protection by EU standards, or, where not considered adequate, transfers may still be allowed under the use of standard contractual clauses (SCCs) or binding corporate rules (BCRs). If transferring data outside of these conditions, informed consent must be received from the user, in which case the consent must be given on the basis of sufficiently precise information, including information on the lack of protection in the third country.

What this means for businesses

As with most new regulations, the GDPR has its pros and cons from a business point of view. Generally speaking, the new regulations will mean more restrictions on the commercial use of data and more initial spending on becoming compliant. However, in the long term, the regulation is intended to encourage innovation, reduce the cost of doing business in the EU, mitigate risks and associated potential costs, safeguard individual data security rights and encourage consumer trust.

Next Steps

In terms of compliance, some of the first logical steps are to:

  • Make sure that your privacy policy is up to the regulation’s requirements. You can click here for information on what your privacy policy should contain (at the very least) or you can simply generate one here.
  • Review your current data processing systems and ensure that they are up to regulatory specifications.
  • Review your data processors’ GDPR readiness (data processors can include your cloud service provider, email marketing service providers, analytics companies etc.). The ICO’s controller/processor Contracts and liabilities Guide is a good place to start.

Looking for more in-depth information on the GDPR? You’re welcome to join us at our upcoming webinar. It’s free to attend and you can have your most pressing questions answered. You can use this link to reserve your spot NOW (as our webinars often fill up quickly).

You can also read our GDPR overview here and the full GDPR legal text here (available in several languages).

EU data protection reform: General Data Protection Regulation
https://www.iubenda.com/en/blog/general-data-protection-regulation/
Wed, 02 Mar 2016 11:10:19 +0000

Europe has a new privacy law. The data protection framework for Europe starting 2018 is called: General Data Protection Regulation – GDPR. Read on for an overview and the most important changes.


The new EU privacy law in short

This is what the new EU privacy law brings in short:

  • In force on May 25th, 2018 (therefore allowing for 2 years to adapt to its requirements);
  • The GDPR will be directly applicable in all of the EU (therefore the same rules for all countries), unlike the existing rules under the current privacy directives and European framework;
  • Increased control over personal data for individuals, which allows you to take your data with you and therefore take it to other service providers;
  • Children are subject to additional conditions for data processing
  • Simplifications for businesses in dealing with data privacy

The new EU privacy law in-depth

In January (2016), the European Union released a draft of the new European Data Protection Regulation which will replace the current centrepiece of existing EU legislation on personal data protection, Directive 95/46/EC.

On May 4th, 2016, the General Data Protection Regulation (GDPR) was published in the Official Journal of the European Union.

As is the case with EU Regulations, the GDPR will come into force for the entire territory of the Union within 20 days, that is to say, on May 25th, 2016; however, due to its two-year implementation period it will not be applicable until May 25th, 2018.

The new Regulation is a milestone in the field of data protection and will serve the purpose of strengthening the existing rights and empowering individuals with more control over their personal data, as well as creating business opportunities and encouraging innovation.

The reform at hand is based on Article 16 of the Treaty on the Functioning of the European Union (TFEU), which allows the adoption of rules relating to the protection of individuals with regard to the processing of personal data by Member States when carrying out activities which fall within the scope of Union law.

It also allows the adoption of rules relating to the free movement of personal data, including personal data processed by Member States or private parties.

The reform consists of two legislative instruments:

  • The General Data Protection Regulation with regard to the processing of personal data and on the free movement of such data (which is the one that we, as businesses and consumers, are mostly interested in).
  • The Data Protection Directive for the police and criminal justice sector will ensure that the data of victims, witnesses, and suspects of crimes, are duly protected in the context of a criminal investigation or a law enforcement action. At the same time more harmonised laws will also facilitate cross-border cooperation of police or prosecutors to combat crime and terrorism more effectively across Europe.

1. The General Data Protection Regulation

First and foremost, it’s important to understand that this will be a regulation, not a directive like the previous Directive 95/46/EC. These two terms are often used interchangeably, but they actually have very different meanings: in fact, a directive is legislatively implemented by individual countries whereas a regulation, once adopted, becomes immediately enforceable as law in all member states simultaneously.

Strengthening of individuals’ rights

The regulation will concern both users and businesses. In fact, on one hand the new rules serve the purpose of strengthening the existing rights and empowering individuals with more control over their personal data. In particular, these include:

  1. easier access to your own data: individuals will have more information on how their data is processed and this information should be available in a clear and understandable way;
  2. a right to data portability: it will be easier to transfer your personal data between service providers;
  3. a clarified “right to be forgotten”: when you no longer want your data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted;
  4. processing of personal data of a child: introduction of conditions for the lawfulness of the processing of personal data of children in relation to information society services offered directly to them;
  5. the right to know when your data has been hacked: for example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible so that users can take appropriate measures.

Business principles

On the other hand – by unifying Europe’s rules on data protection – lawmakers aim to create business opportunities and encourage innovation. In this perspective the new regulation will establish new principles:

  • I. One continent, one law: the regulation will establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU.
  • II. One-stop-shop: businesses will only have to deal with one single supervisory authority. This is estimated to save €2.3 billion per year.
  • III. European rules on European soil: companies based outside of Europe will have to apply the same rules when offering services in the EU.
  • IV. Risk-based approach: the rules will avoid a burdensome one-size-fits-all obligation and rather tailor them to the respective risks.
  • V. Rules fit for innovation: the regulation will guarantee that data protection safeguards are built into products and services from the earliest stage of development (“Data protection by design”). Privacy-friendly techniques such as pseudonymisation will be encouraged, to reap the benefits of big data innovation while protecting privacy.

Moreover, this reform will “cut costs and red tape” for European business, with particular attention to small and medium enterprises (SMEs). The EU’s data protection reform will help SMEs break into new markets. Under the new rules, SMEs will benefit from four reductions in red tape:

  • I. No more notifications: notifications to supervisory authorities are a formality that represents a cost for business of €130 million every year. The reform will scrap these entirely.
  • II. Every penny counts: where requests to access data are manifestly unfounded or excessive, SMEs will be able to charge a fee for providing access.
  • III. Data Protection Officers: SMEs are exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity.
  • IV. Impact Assessments: SMEs will have no obligation to carry out an impact assessment unless there is a high risk.
  • V. Protecting personal data in the area of law enforcement
  • VI. Better cooperation between law enforcement authorities

2. Data Protection Directive for Police and Criminal Justice Authorities

According to the European Commission, this directive aims to provide better cooperation between law enforcement authorities by enhancing mutual trust between police and judicial authorities of different Member States, thus contributing further to a free flow of data and effective cooperation between police and judicial authorities. It will also supply citizens with better protection of their data: individuals’ personal data will be better protected when processed for any law enforcement purpose, including prevention of crime. It will protect everyone, regardless of whether they are a victim, criminal or witness. All law enforcement processing in the Union must comply with the principles of necessity, proportionality and legality, with appropriate safeguards for the individuals. Supervision is ensured by independent national data protection authorities, and effective judicial remedies must be provided.

Next Steps

Now it’s time to review the above principles, wait for additional instructions, guidance and – when the time has come – the practice by European courts and data protection authorities.

The official documents about the reform of EU data protection rules can be found here.

The Need for Privacy Policies in Mobile Apps – An Overview
https://www.iubenda.com/en/blog/the-need-for-privacy-policies-in-mobile-apps-an-overview/
Mon, 10 Jun 2013 13:57:19 +0000

According to a study made in June of 2012, only 48% of all free apps and 32% of paid apps across app stores (Apple, Android, Kindle) offered in-app access to a privacy policy. That is a surprisingly low number given that there are enough reasons to include one. Most major countries and their privacy laws require you to include a privacy policy, but read on.

The Attorney General of California made it clear that its Online Privacy Protection Act (CalOPPA) would be enforced on apps. To make sure these laws were actually being followed, California’s Department of Justice set up a Privacy Enforcement and Protection Unit in July of 2012. This may sound like it’s only valid for developers based in California, but it’s actually a call for compliance for anyone possibly targeting Californians.

Path, Delta and others have been charged or fined because of non-compliance with privacy laws. The FTC and AG of California published guidelines on things to consider when developing mobile applications.

The simple fact is this: there’s really just a small number of apps that are not legally bound to include a privacy policy. Let’s take a look.

When Do I Need a Privacy Policy in my Mobile App?

The simple first question you have to ask yourself is: do I/does my app collect/store/share personal data?

Personal data can be a lot of things: a first and last name, an email address, a telephone number, location data and many more like analytics or ads (examples for personally identifiable information according to AG of California).

If you collect any of this data, you need a privacy policy.

Privacy Laws

If so, you may already be under the obligation to include a privacy policy: according to the California AG’s interpretation of CalOPPA, applications that collect personal user data must conspicuously post a privacy policy detailing, clearly and completely, how the application collects, uses, and shares personal data. This rule applies globally to any mobile application that may impact a California consumer. Therefore, if your application possibly provides value to a California resident, you are already bound by these rules. App developers that do not comply with CalOPPA by posting a privacy policy for their app can be held accountable under California law.

Last year AG Harris and the six leading mobile application platform providers agreed to bring the mobile application industry into compliance with the terms of CalOPPA following this two-page Joint Statement of Principles. More dedicated state laws are very likely to be coming up soon.

Let’s assume you have an app that is geared towards European users. The picture doesn’t change. The relevant EU legal framework is the Data Protection Directive (95/46/EC). It applies in any case where the use of apps on smart devices involves processing personal data of individuals. Basically whenever your app is used in the EU, even if you are not residing there (the national law of a Member State is also applicable in cases where the controller is not established on Community territory and makes use of equipment situated on the territory of that Member State. Since the device is instrumental in the processing of personal data from and about the user, this criterion is usually fulfilled), you need to ensure compliance with all the requirements defined under the Data Protection Directive.

The ePrivacy directive (2002/58/EC, as revised by 2009/136/EC) sets a specific standard for all parties worldwide that wish to store or access information stored in the devices of users in the European Economic Area. Many provisions of the ePrivacy directive may not directly apply to you as a developer, but the most important one in regards to developing for mobile platforms is article 5(3) stating that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, among other things about the purposes of the processing.

It is important for app developers to know that both directives are imperative laws in that the individual’s rights are non-transferable and not subject to contractual waiver. This means that the applicability of European privacy law cannot be excluded by a unilateral declaration or contractual agreement.

Therefore, under European law, if your app serves European citizens you must:

Provide a readable, understandable and easily accessible privacy policy, which at a minimum informs users about:

  • who you are (identity and contact details),
  • what precise categories of personal data the app wants to collect and process,
  • why the data processing is necessary (for what precise purposes),
  • whether data will be disclosed to third parties (not just a generic but a specific description of to whom the data will be disclosed),
  • what rights users have, in terms of withdrawal of consent and deletion of data.

This document by the Article 29 Working Party provides interesting insights.

Similar laws exist in most major jurisdictions, with slight modifications that might apply to your unique situation. Here’s a link to Australia’s Information Commissioner and docs.

Third Party Services/App Stores

There are other things to consider than pure legislation-skimming. Here are two more for you:

a) Since most third party services you end up using in your app like mobile analytics or ad networks also need to follow the law, they may require you to use a privacy policy within their terms of service. An example is Google Adsense.

b) Since the aforementioned agreement, the big six app stores are actively improving the privacy policy situation for consumers and are starting to have privacy policies as a requirement in the app approval flow. Here’s an excerpt from an Amazon developer email from last week:

Customer privacy is important to us, and we know it is important to many of you too. That’s why we want to make sure you know how to include links to your privacy policy on product detail pages for your apps. We require all apps that collect personally identifiable information or personal information to provide a link to their privacy policy, so if you haven’t already done so, please take a moment to submit the privacy policy link for each of your apps today.

So much for a simplified look at why you must have a privacy policy in your app.

What Could Possibly Happen if I Don’t Include One?

Most developers don’t include a privacy policy because they think a) it’s too complicated and time-consuming and b) no one is really enforcing those laws anyway.

Luckily a) isn’t true anymore. iubenda’s editor makes it very easy to make compliant privacy policies for mobile apps quickly.

For b), most of you will know about Path’s costly $800,000 settlement as well as Delta’s case in court that has them at risk of paying a $2500 fine for every app download (the case has been dismissed recently, but surely is not going to rest there). Similar, less well-known cases are out there as well.

Rest assured that in the wake of PRISM and the growth of the mobile ecosystem all of the above will be more and more important and not the other way around. Be clever and play by the rules.


Privacy Policy in App Stores

While this post covers some of the reasons and legal grounds for the privacy policies in mobile apps, it doesn’t say much about the situation across the app stores. That’s why we’ve compiled two guides regarding that:

Hopefully these resources will be helpful on the way to your perfect app store listing.
