The GDPR is about to go into effect and will totally spread havoc on game developers and other companies that collect personal information about people in Europe. No need to run in fear, we have got you covered.

What is the GDPR?

On May 25th, 2018, a new privacy regulation called the General Data Protection Regulation (GDPR) goes into effect, bringing with it a wave of legal requirements for game and web developers worldwide.The GDPR is a European Union data privacy and protection regime replacing the 1995 EU Data Protection Directive. The goal of the GDPR is to create a broad, consistent regime of protection when it comes to the collection and processing of EU consumers’ personal data.

The GDPR broadly defines personal data as “any information relating to an identified or identifiable natural person.” This means that login information, IP addresses, pseudonyms, and more can be considered “personal data,” even if identification of the user in question can only be done through indirect means.

Previously, the 1995 directive only placed the burden of compliance with EU privacy law on controllers. The GDPR imposes new obligations on how controllers and processors manage personal data, regardless of whether the controller, the processor, or the activities themselves are located in the EU. This means that any party who either collectsoruses personal data of people located in the EU is subject to the obligations of the GDPR.

Specifically, the GDPR applies where any processing activities are done “in the context” of the EU establishment, where the processing is related to the offering of goods or services to a consumer in the EU (even if they are free), or where the processing is related to the monitoring of EU data subjects (regardless of where that behavior takes place.) The GDPR also places limitations on the reasons for which controllers and processors can take and use data as well as the terms of the contracts existing between controllers and processors.

In addition to these limitations, the GDPR also requires that controllers and processors take affirmative steps to ensure compliance with security measures. The GDPR requires specific data breach protocol compliance, information management, and record keeping requirements. In some cases, depending on the size and nature of your operations, compliance with the GDPR may require the appointment of a data protection officer.

The fines for non-compliance with the GDPR are devastating – up to 20 million euros or 4% of global turnover, whichever is more. For an indie game developer, these hefty fines can mean the end of the business. For big companies like Google, the fines can be the GDP of a small country.

This new law introduces some of the strictest privacy requirements anywhere. For consumers, the good news is that the GDPR aims to provide the assurance of information protection. For developers, the good news is that compliance with the strict regulations of the GDPR means you’ll be compliant (or nearly compliant) in many other countries.

Does the GDPR Apply to Me?

Almost certainly, yes. While the GDPR is a European law, the regulation applies to nearly every online company– specifically any company that collects, stores, or otherwise processes EU citizens’ personal data (with few exceptions).

Authorities and advocates of the GDPR are expected to be looking specifically at how US companies are using data about users living in the EU. Because the pre-existing privacy law did not cover US companies in this way, many US companies that previously never had to worry about EU compliance are suddenly facing these big changes.

So, I Just Need a EU Privacy Policy?

Unfortunately, compliance with the GDPR requires much more than that. Your privacy policy is only one aspect of the GDPR.

In order to be compliant with the GDPR, you will need to map out your data, prepare for the new types of data requests you’ll receive from your users, update your contracts with companies that manage your data (e.g., AWS, ad companies), potentially register with privacy shield, perform something called a “legitimate interest assessment”, and more.

I’m Scared, Can You Help Me??

Lawyers are evil but necessary here. Morrison / Lee is proud to announce that we are now offering a fixed price package for small US indie game studios – the first of its kind. This package standardizes the process and caters compliance solutions for the minimal resources of Indies. Indie game devs can get started today with a free consultation to ensure that they’re up to date with compliance by May 25, 2018.

For companies that don’t qualify for our fixed price package, we’re offering GDPR compliance at our hourly rate. By combining our privacy expertise with our deep technical and industry knowledge, we’re able to work efficiently and effectively.

Schedule a free consultation today to learn about how GDPR affects your business and how we can help.

Author and Privacy Boss, Shaq Katikala, is Privacy Counsel at Morrison / Lee. In his free time, Shaq relaxes by cozying up to a warm fire and studying the GDPR.