The EU General Data Protection Regulation (“GDPR”) goes into effect in less than 24 hours. While you have probably heard or read something about it and how it might affect your company, it is just as likely (if my inbox is any indication) that you are only now considering compliance and what you may need to do to become compliant.
Unfortunately, GDPR means more than just dusting off your privacy policy. Depending on where your company is located and the breadth of data you collect and share, you may have several hoops you have to jump through to meet compliance standards. And in all likelihood you will not be compliant by tomorrow.
However, you are in good company (no pun intended)—few if any businesses will be 100% compliant by May 25th. As with any sweeping body of international regulation, some areas of the new law were drafted with an eye to allowing the individual EU Member States, and even companies, to come up with their own strategies and solutions for meeting GDPR’s stated goals. Many Member States are still struggling to adopt and adapt the new regulation. Most companies aren’t entirely sure that the strategies or legal positions they have adopted in anticipation of GDPR will be accepted by the respective Member States.
And it’s not likely to get much clearer soon. Reasonable minds may differ, and likely some Member States will adopt the regulation in a manner that will invariably conflict with the adoption practices of another Member State.
So now that it’s here, what should you be thinking about to ensure you won’t violate the new law? How can U.S. companies comply with this new regulation in the first place? Why should they have to? And what mechanisms can U.S. companies take advantage of to make this process easier?
GDPR Generally
The GDPR was established to grant specific privacy rights to EU “data subjects”, or individuals residing or located in the EU—and even here, as we first step into GDPR, we’re confronted with some fairly vague language as to who and what that means. The GDPR defines a data subject as any “identified or identifiable person” that is “in” a country subject to the regulation. Note that the regulation does not specify that it applies solely to individuals domiciled and residing in the EU.
It also applies to any company that takes data out of the European Economic Area (“EEA”), which implicates most U.S.-based game companies. Even if you are not located in the EU and otherwise don’t do business there, if you have players in the EU and take their data outside of the EEA, you are liable under GDPR. To deal with the broad reach of GDPR, the U.S. has negotiated the EU-U.S. Privacy Shield Framework. Certifying with Privacy Shield doesn’t mean that you are GDPR compliant—but if your sole liability under GDPR arises from transferring data out of the EU, this is almost definitely the best solution to meet GDPR compliance for U.S.-based companies, and it will get its own discussion shortly.
Under both GDPR and Privacy Shield, companies are required to make these new rights granted under the GDPR known and enforceable to their end users. This sounds simple, right? Just update your privacy policy and you should be fine—except you actually have to provide mechanisms that allow users to take advantage of these rights. This can be a costly and sometimes overwhelming undertaking for companies, especially with the requirement of specific, affirmative and informed consent where consent is required to collect data.
GDPR has several moving parts that can be broken down into three basic relationships: your relationship with the Member State or Member States you report to (if any, which will be discussed later), your relationship with your service providers and ad mediators or partners, and your relationship with your “Data Subjects”, or end users.
Your Relationship with the Member State
Companies seeking to comply with GDPR must have various mechanisms in place for compliance, recourse, and enforcement. Most of these implicate DPAs, or Data Protection Authorities, which are independent bodies established in each country in the EU that regulate data protection laws. These mechanisms include processes for verification of compliance, recourse, and enforcement. U.S.-based companies qualifying under Privacy Shield must commit to cooperating with DPAs and to enforcement through arbitration and mediation. If your company already does business in the EU and has offices there, your “independent recourse mechanism” may be the DPA of the EU country where your company is located.
If you are a U.S.-based company that doesn’t have offices in the EU, the question becomes a little trickier and will depend largely on your own cost-benefit analysis. The EU-U.S. and U.S.-Swiss Privacy Shield Frameworks allow companies to use third-party mechanisms like TRUSTe for this process. Privacy Shield also offers the option to cooperate directly with DPAs.
If you’re required to or elect to appoint a local representative in a Member State, your DPA will likely be in the country where your representative is based.
Your Relationship with your Business Partners
As mentioned before, a U.S. company’s primary liability under GDPR arises from transfers of data out of the EEA. To comply with GDPR, you need to ensure that your business partners: a) reside in a territory where GDPR is enforced, or where the EU Commission has reached an adequacy finding with respect to that territory’s data protection framework; b) have adopted Binding Corporate Rules; or c) will execute an addendum to your base agreement that includes model data protection clauses.
For U.S. companies, this generally means (b) and/or (c). Under U.S.-EU Privacy Shield, companies are required to include model contract clauses for every instance where the relationship causes data to leave the EEA.
Your Relationship with your End Users
The relationship that gets the most attention under GDPR is your relationship with your data subjects/end users. The GDPR grants a bundle of rights to individuals located in the EU with respect to any data you collect. This includes the right to access and receive a copy of their data in a portable format, the right to modify or request the deletion of their data, the right to restrict who you share their data with, and the right to object to any data collection practice. Additionally, where you rely on consent as your legal basis to collect data, data subjects have the right to withdraw consent at any time.
You are required to communicate both the individual rights and the mechanisms through which end users can exercise their rights in your Privacy Policy. You have to communicate a lot of other things in your privacy policy as well, especially if you’re qualifying for Privacy Shield. Other information you must disclose includes, for example, the legal basis you are relying on to collect data, the actual information you are collecting, and how you protect and store that data.
An important note for U.S. companies—you may typically draft your policy as a binding agreement. Do not do this. General consent is not okay under GDPR. Including a general consent in your privacy policy will be a red flag for DPAs or third-party verification mechanisms like TRUSTe.
Privacy Shield
It is up to each studio or company to determine the resources they want to commit to GDPR compliance. This will depend largely on where you are located, the amount of data you collect from the EU, and how you use it. Similarly, the strategies you incorporate will vary depending what makes sense for you economically and legally. Operating under and certifying with the EU-U.S. Privacy Shield Framework will likely be the most efficient way for U.S. companies to meet the rigorous standards of the GDPR.
For some background, the U.S. sought an adequacy decision from the EU Commission for a framework that would allow EU-to-U.S. data transfers under Chapter 5 of the GDPR. Chapter 5 prohibits transfers to non-EU territories unless certain safeguards are in place. Obviously, Privacy Shield won’t help you if your service provider is based in Japan—in that case, you would need to rely on a different mechanism provided for under the GDPR, including the model contract clauses referenced above. But as a U.S. company receiving data from the EU, the Privacy Shield framework will enable you to comply with GDPR with relatively minimal effort.
You can self-certify with Privacy Shield by applying online at http://www.privacyshield.gov. Additionally, third-party data protection programs like TRUSTe and E-Verify offer GDPR compliance solutions that have been vetted through the Privacy Shield framework. While costs vary, the fees for self-certification are reasonably low depending on your company’s revenue.
Privacy Shield requires compliance with its principles to self-certify. This includes complying with the Notice Principle with regard to your privacy policy, and implementing mechanisms that allow EU data subjects to take advantage of their rights under GDPR. It also requires an annual audit of your data protection mechanisms and data collection practices to ensure ongoing compliance, and model clauses in your contracts with third parties. You must renew your certification annually to remain compliant under Privacy Shield.
Getting Compliant
If you have not taken steps to determine your liability under GDPR and what you need to do to comply, now would be a good time to start that process. Enforcement begins tomorrow, and the law will be around for a while—at some point (hopefully before you’re the subject of a complaint or fine), you are going to need to take steps to comply.
Coming into compliance means more than just updating your privacy policy. For a game company, data protection is going to become a growing area of concern as the law finally begins to catch up to technology. You will need people in place to monitor and provide guidance concerning data protection and implementing the “privacy by design” principles on which GDPR is based. You will need to clearly define and identify your data collection practices and partners, and develop best practices for your business with regard to the collection and storage of that data.
Most importantly, you need to ensure that you have mechanisms in place so that as privacy rights expand both geographically and in scope, you can effectively allow for enforcement of those rights at the least cost possible to your end users.
Approaches will vary. If the data you collect is minimal or anonymized, your liability under GDPR decreases. If you collect substantial personal information from individuals located in the EU, your liability will increase proportionally. Your strategies will often be based on the extent of your liability under GDPR and the costs required to come into compliance—for example, some of my clients are cancelling distribution in the EU for titles that aren’t performing well, while others are operating as if the rights granted under GDPR apply to ALL end users, regardless of location. Your philosophy concerning data protection is equally important when choosing compliance mechanisms and strategies.
It is important that you make data protection a core tenet of your company’s business practices regardless of the approach you take or the strategies you implement. Yes, GDPR is intimidating. Yes, for smaller companies and studios, the human resource costs and financial commitments are particularly daunting.
However, the costs of failing to comply are far more likely to lead to cancelled projects and closed studios. Fines under the GDPR are going to be significant, and with the current pro-protection environment of our global economy, you can be sure that we will see enforcement of GDPR sooner rather than later.