Like it or not, the GDPR is coming. From 25 May 2018, the current data protection regime (in the UK, the Data Protection Act 1998) will be replaced by the GDPR, and businesses of all types now have a little under two years to prepare for the changes.
The underlying legal message is clear: compliance with the current data privacy regime does not guarantee compliance with the new one. An understanding of the GDPR, and of what it means in the context of your own business, should nonetheless mean that the move to the GDPR need not be the apocalyptic event that some commentators describe. Previous articles in this forum have set out much of the detail of the GDPR, so this article is not a complete guide. Instead it focuses on some of the key areas where the new regime differs from the old and, in doing so, invites all games industry stakeholders to challenge their own readiness for the changes that are coming.
Brexit should also be borne in mind. The UK's legal relationship with the EU has yet to change, and until the UK formally leaves the EU, the GDPR will apply in the UK once it comes into force. Given that the two-year Article 50 exit period has yet to commence, businesses need to proceed as normal when it comes to preparing for the GDPR. There are several other reasons why this is so, and why many of the core principles of the GDPR are likely here to stay, EU member or not:
(i) The GDPR applies to data controllers and data processors who are not themselves based within the EU but who offer goods or services to individuals in the EU or monitor their behaviour, and it reaches UK businesses that process personal data on behalf of EU businesses under contract. Once the UK has left the EU, the GDPR will therefore continue to apply to many UK businesses in any event, simply because of their operations; and
(ii) The UK will need to implement its own data privacy regime following exit from the EU, and given continuing trade links with our closest neighbours and the UK’s historic position (alongside other EU countries) at the forefront of data privacy reform, it would appear most logical for any new UK data privacy regime to be based on the GDPR at least in part, particularly as the GDPR is designed to reflect evolving digital business practices.
Once the GDPR is in force, some stability in the rules would clearly be good news for businesses from a compliance and budgetary perspective. We will, however, need to wait and see how this develops in practice and whether future UK policy makers are influenced by the data protection practices of our American friends. How this dynamic plays out will be of particular importance to gaming businesses with strong links to the US market.
Penalties under the GDPR
Fines for data privacy breaches are not new, but they have historically been low (in the UK they have rarely approached the current £500,000 maximum). The GDPR sharply increases the potential financial consequences of breach for both data controllers and data processors: the maximum fine for the more serious infringements will be EUR 20m or 4% of annual worldwide turnover for the preceding financial year, whichever is higher. A lower tier, capped at EUR 10m or 2% of annual worldwide turnover, applies to lesser infringements, including failures of the record-keeping, breach notification and DPO obligations discussed below.
This is quite an extension, and it highlights how important it is for businesses of all sizes to get this right. That said, it remains to be seen how the authorities in each EU Member State (the Information Commissioner's Office (ICO) in the UK) will apply such fines. Under the current regime in the UK, rather than immediately applying a fine, the ICO's emphasis tends to be on working with the breaching data controller to resolve the breach and to improve business practices so as to avoid repeat infringement. The new regime leaves room for this approach: the GDPR requires each infringement to be viewed by the relevant authority in context (for example, the nature, gravity and duration of the infringement, whether it was intentional or negligent, and the steps taken to mitigate the damage), and gives the authority discretion to issue a reprimand rather than a fine.
Time will tell how this is interpreted in each EU Member State. Whilst the discretionary elements do potentially introduce some moderation for 'lesser' breaches or particularly contrite offenders, this may be offset by strict interpretations of the GDPR by authorities in some Member States which then set a precedent for others to follow.
Accountability and record keeping
The GDPR introduces an overriding concept of accountability for those dealing with personal data, and this replaces the existing requirement to register as a data controller with the ICO. Data controllers and (in some instances) data processors are asked to take responsibility for their own compliance, and a good example of how this will look in practice is the requirement for each data controller to maintain a record of the processing activities under its responsibility (processors must keep a similar, shorter record of the processing they carry out for their controllers). This record needs to include a number of specific details (the purposes of the processing, the categories of data subjects and of personal data, the recipients of the data, any transfers outside the EU, the envisaged retention periods and a general description of the security measures in place), but essentially it acts as an audit trail in which each business sets out what personal data it holds, what it does with it, on what basis and for how long. As this is a new requirement, it stands to reason that gaming businesses will not always have given it appropriate thought to date. For example, is it easy to set out in writing how online gaming profiles are created and managed, or can a business accurately describe how it uses GPS tracking data collected through an app?
If nothing else this creates a new compliance burden. Whilst the other components of the accountability principle apply across the board, the obligation to maintain records will not apply to an organisation employing fewer than 250 persons unless the relevant processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes certain specified categories of data (such as data revealing racial or ethnic origin, health data or data relating to criminal convictions). In practice, any business that processes player data as a matter of routine will fall outside the exemption, because that processing is not occasional. For an industry as diverse as the games industry, this means that there is no 'one size fits all' approach: smaller businesses, or those which are not end-user facing, may well be able to dispense with some of the requirements, but this should be examined on a case-by-case basis, especially where datasets are being manipulated.
Breach notification
Setting best practice aside, there is currently no general requirement under the Data Protection Act to notify the ICO of a data privacy breach. The GDPR changes this. In the case of a personal data breach, the data controller must notify the ICO (in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If notification is made later than 72 hours, it must be accompanied by reasons for the delay. The notification itself should, amongst various formalities, describe the nature of the breach (including, where possible, the categories and approximate number of data subjects and records involved), give the contact details of the DPO or other contact point, set out the likely consequences of the breach and describe the measures the controller has taken or proposes to take to address the breach and mitigate its effects. Where not all of this information is available at once, it may be provided in phases. Two practical points follow: the 72-hour clock runs from awareness, not from the end of an investigation, so a controller needs to be able to show when and how it became aware; and a processor that suffers a breach must notify its controller without undue delay, so contracts with hosting, payment and analytics providers should say how and how quickly that will happen. Every breach, notified or not, must also be documented internally so that the ICO can verify compliance.
This largely removes any debate over whether notification is required. Simply put, if there is a personal data breach (in whatever form that might take), then the controller is likely to need to inform the ICO (and, where the risk is high, the individuals involved: see below). There is one caveat, which is that where a controller can demonstrate that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, the controller need not notify the authority (though it must still record the breach internally). This is helpful, although how much so remains to be seen. Little guidance is given as to when this carve-out would apply, and each case would therefore need to be viewed on its merits. We expect that controllers will only be able to rely on it in particularly clear-cut situations, perhaps for minor breaches where it can be demonstrated that there was no detriment to the data subjects concerned. As it stands now, it is hard to see how some of the more obvious forms of data leak (e.g. inadvertent disclosure of customer details or unauthorised access to online profiles) could take advantage of this provision.
The data subjects themselves must also be notified, without undue delay, where the breach is likely to result in a high risk to their rights and freedoms: a higher threshold than the one for notifying the ICO. Even then, a controller need not notify the affected data subjects if any one of the following applies: (i) it had implemented appropriate technical and organisational protection measures, and those measures were applied to the data affected by the breach (in particular measures which render the personal data unintelligible to anyone not authorised to access it, such as encryption; in practice this means being able to show that the encryption keys were not also exposed); (ii) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to materialise; or (iii) it would involve disproportionate effort to notify the data subjects individually (in which case a public communication or similar measure, informing them in an equally effective manner, will suffice).
This is helpful in terms of how larger scale notifications are managed. Consider, for example, the unauthorised leak of a large customer list, or of large quantities of personal data from online purchases. Notification in respect of datasets of this size will need to be managed carefully, and where a controller can demonstrate any one of (i)-(iii) above this will go some way to managing the cost of the process. Note, however, that the ICO can still require the controller to notify data subjects if it disagrees with the controller's assessment of the risk, so the reasoning behind that assessment should be documented at the time.
Data protection officers
Businesses whose core activities involve processing special categories of data (e.g. data revealing racial or ethnic origin, or health data) on a large scale, or regular and systematic monitoring of data subjects on a large scale, must appoint a data protection officer (DPO), whether they are data controllers or data processors. The DPO can be an existing member of staff who has had specific training, or a new DPO can be hired in. In essence, the requirement to appoint a DPO is an extension of the accountability principle noted above: businesses carrying out the activities above must appoint a DPO to help the business comply with its data protection requirements under the GDPR, and that individual must report directly to the highest level of management. The GDPR also notes that the DPO must not receive instructions from management on how to carry out their tasks, or be dismissed or penalised for carrying them out. It seems DPOs are free to hand out some home truths to their employers without fear of recrimination.
It might be tempting for developers, platform providers or even retailers to consider that these provisions will simply not apply to them. Sure, it may be unlikely that particularly sensitive personal data is gathered in a gaming context (but not impossible), but consideration needs to be given as to how the personal data a business does hold is used. For example, does your business gather data from the activity of online user profiles; does it collect gameplay telemetry or behavioural analytics from players; does it analyse individual spending patterns; does it leverage a marketing database to target individuals for possible new purchases; does it register individuals for hardware warranties and then use that information for other purposes? A 'yes' to any of these questions does not necessarily mean that your business will be 'monitoring data subjects on a large scale', but it does mean that consideration should be given as to whether your business needs a DPO and how that expertise might best be sourced.
What becomes apparent across all business sectors is that there is no magic bullet for GDPR compliance, but an understanding of whether and how a business collects and uses personal data is a good place to start. From there, specifics can be applied and, where necessary, business changes effected. The games industry has some unique challenges, particularly given its place at the forefront of technological development and digital business. One thing is clear though: the next 18 months are crucial for all businesses to get ahead of the curve.
By Charles Maurice, Senior Associate
First published in GamesIndustry.biz, October 2016