If You Have EU Customers, GDPR Should Keep You Up at Night

You may have heard of GDPR. If you’ve only been paying faint attention, you might think that it’s some kind of European regulation that won’t affect your work. But if you have customers in the EU, GDPR may force you to change a lot of things about your business—which will take time, and a whole lot of effort.

First, a bit of background: ‘GDPR’ stands for ‘General Data Protection Regulation,’ and it’s slated to take effect on May 25 of this year. It is a framework for data protection that applies to all EU citizens, regardless of whether the servers hosting their data are located in the EU, the United States, or somewhere else.

Moreover, the EU insists that GDPR applies to pretty much any company that does business with anyone inside the EU, no matter where its headquarters is located. Neil Penny, owner/director of Enarpee Services Ltd. (a regulatory and compliance support services company), told Dice UK that these upcoming regulations cover pretty much any kind of personal data, whether used in isolation or in conjunction with other data.

What does this mean for you, the developer or business owner? If the database associated with your app or website stores something as basic as European customers’ home addresses, email addresses, fingerprints, facial images, or MSISDNs (mobile station international subscriber directory numbers, the internationally unique numbers that identify a mobile subscriber), then you need to learn the intricacies of GDPR before May 25.

Additionally, if you work for any sort of tech firm that analyzes personal data collected by third parties, and that data comes from the EU, you will still fall under the GDPR’s umbrella; claiming that you aren’t the “primary contact” for the customer is not a defense.


For developers building apps and websites, this all boils down to a few key things: your UX needs to become very transparent about opt-ins for things like newsletters and special offers. Automatically signing up users for further engagement and requiring them to manually opt out is no longer permitted: as far as the EU is concerned, it’s all opt-in, all the time. You can no longer demand that customers un-click a pre-ticked checkbox in order to not receive emails, for example.

Here’s where things get potentially time-consuming and expensive: all personal data related to European customers must follow GDPR regulations, no matter when it was collected. So if you have a database of EU users that’s a couple of years old, prepare a re-engagement campaign to obtain their opt-ins. If that database is the result of furtive scraping, or because you bought an email list, you will have a huge issue with the EU unless you re-obtain explicit permissions from those users.

For many companies, readjusting email lists won’t even prove the most expensive part of the process. Under the regulations, European users will have the “right to be forgotten,” meaning that companies need to prepare to delete individual accounts (and all data associated with them) as quickly as possible upon request. Those users will also have the right to receive their data in a machine-readable format, and take it with them anywhere. Depending on a company’s infrastructure, this could mean some heavy-duty retooling.
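As an added example (not code from the article or any vendor it names), here is a minimal Python sketch of the three developer-facing obligations discussed above: consent stored only as an explicit opt-in, an export of everything held about one user in a machine-readable form, and an erasure that reaches every table holding that user's data. The schema, table names and sample records are constructed assumptions.

```python
import sqlite3
# Every table holding personal data keyed by user; a table missing here would survive erasure.
PERSONAL_DATA_TABLES = ("users", "addresses", "consents")

def open_store():
    """In-memory store seeded with constructed sample records (hypothetical users, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE users     (id INTEGER PRIMARY KEY, email TEXT, msisdn TEXT);
        CREATE TABLE addresses (id INTEGER PRIMARY KEY, user_id INTEGER, line1 TEXT, country TEXT);
        CREATE TABLE consents  (id INTEGER PRIMARY KEY, user_id INTEGER, channel TEXT, granted INTEGER);
        INSERT INTO users VALUES (1, 'anna@example.eu', '+49151000000'), (2, 'bob@example.com', '+15550100');
        INSERT INTO addresses VALUES (1, 1, '1 Sample Str', 'DE'), (2, 2, '2 Example Ave', 'US');
    """)
    return conn

def user_key(table):
    """Column that ties a row in `table` to a user (constant table names, never user input)."""
    return "id" if table == "users" else "user_id"

def record_consent(conn, user_id, channel, granted):
    """Store an explicit choice. No row at all means no consent: opt-in, never opt-out."""
    with conn:
        conn.execute("INSERT INTO consents (user_id, channel, granted) VALUES (?, ?, ?)",
                     (user_id, channel, int(granted)))

def may_contact(conn, user_id, channel):
    """True only if the latest recorded choice for this channel is an affirmative opt-in."""
    row = conn.execute("SELECT granted FROM consents WHERE user_id = ? AND channel = ? "
                       "ORDER BY id DESC LIMIT 1", (user_id, channel)).fetchone()
    return bool(row and row["granted"])

def export_user(conn, user_id):
    """Portability: everything held about one user, as a dict ready for json.dumps()."""
    bundle = {}
    for table in PERSONAL_DATA_TABLES:
        rows = conn.execute(f"SELECT * FROM {table} WHERE {user_key(table)} = ?", (user_id,))
        bundle[table] = [dict(r) for r in rows]
    return bundle

def erase_user(conn, user_id):
    """Right to be forgotten: remove the account and every linked row in one transaction."""
    deleted = {}
    with conn:  # commit only if every table was cleaned; roll back on any error
        for table in PERSONAL_DATA_TABLES:
            cur = conn.execute(f"DELETE FROM {table} WHERE {user_key(table)} = ?", (user_id,))
            deleted[table] = cur.rowcount
    return deleted
```

The per-table counts returned by erase_user double as the audit record that a deletion request was actually fulfilled.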

Last but certainly not least, companies that do any business with the EU will need to inform users of any data breach within 72 hours, which means an incident response plan has to be in place before a breach happens, not drafted during one.

Yes, it’ll end up being a lot of work, and some developers and companies may opt to retreat from the EU rather than wrestle with these regulations (Unroll.me is just one company that’s chosen to opt out of the EU entirely). But for European customers, GDPR will translate into cleaner inboxes, less spam, and an easier time retrieving data—all of which are good things.