Member Blog: 6 Steps for Games Businesses to Prepare for the General Data Protection Regulation (GDPR)
by Jaclyn Wilkins, Senior Associate, Charles Russell Speechlys
The new data protection regime known as the General Data Protection Regulation (“GDPR”) will replace the UK’s current Data Protection Act on 25 May 2018. The GDPR will affect all businesses, no matter how big or small, and the authorities will have much stronger powers to impose higher, more onerous fines. With less than a year until the GDPR comes into force, businesses should now take the time to consider their obligations under it, as some of these obligations impose additional compliance requirements which will take time to prepare for. With this in mind, what do businesses need to do?
1. Check your existing privacy notices and policies
It is a requirement under the GDPR that your policies and notices are transparent, easily accessible and written in clear and plain language. This means that overly legal-sounding language should not be used; privacy policies should be open and honest about your use of personal data and should not be hidden away in the depths of your website. They should be easy for users to find and access.
2. Check the legal basis for which you are currently using personal data
How does your business use personal data? Think about why you have permission to use that personal data. Is it because the individual has given you consent for the use, or are you relying on one of the grounds set out in the GDPR, such as the “legitimate interest” ground? Your privacy policies now need to state which legal basis is being relied on for your use of personal data, whether that is consent or otherwise.
If you rely on consent, you will need to review whether that consent has been freely given, specific and informed, as required by the stricter rules of the GDPR.
3. Take on privacy by design
The GDPR requires privacy by design. This means that if you are designing a new game or product, privacy needs to be thought through within the design process, and you need to be able to show a structured assessment and systematic validation as part of your compliance with the GDPR.
4. Make sure you are prepared for security breaches
The GDPR requires that all data breaches are reported without undue delay and within 72 hours of becoming aware of the breach. It is therefore important to have clear policies and procedures in place (which are regularly tested) so that you can react quickly to any data breach and notify within the required timeframe.
5. Put in place frameworks for accountability
The GDPR contains a new requirement that data controllers must demonstrate their compliance with the GDPR through record keeping. This means (i) maintaining certain documentation; and (ii) carrying out privacy impact assessments for higher-risk types of processing. Businesses should have clear policies to prove that they meet the standards required by the GDPR, and are also expected to establish a culture in which data privacy is the norm. This includes constantly monitoring and assessing data protection procedures, including ways of minimising the processing of personal data and the retention of that data. Staff should be trained on data protection.
6. Transferring data overseas
If any personal data is transferred overseas (this includes where personal data is stored on a cloud server located overseas), businesses will need to ensure that the correct rules and procedures required by the GDPR are followed or put in place so that the personal data can be transferred overseas lawfully. Failure to comply with this requirement attracts the higher penalty under the GDPR of up to 20 million Euros or 4% of annual worldwide turnover.