What does GDPR mean for digital entertainment businesses?
In the second part of their GDPR guide, Purewal & Partners' Jas Purewal and Peter Lewin offer advice and ten key tips for games companies
This is the second of three articles in which Purewal & Partners' Jas Purewal and Peter Lewin will explore the EU General Data Protection Regulation, an imminent reform that will have a huge impact on digital entertainment businesses all over the world.
Yesterday, Purewal and Lewin offered an overview of GDPR ahead of its arrival on May 25, 2018. Tomorrow, the third part will address the most Frequently Asked Questions associated with GDPR.
How could this apply to Digital Entertainment businesses specifically?
Many digital entertainment businesses depend in some way on data exploitation, from analytics to community engagement to monetisation methods and optimisation. The GDPR will increase regulation of that data exploitation considerably. Here are some practical examples:
Contracts. Data protection will need to be a core part of contracts for developers, publishers, distributors and other stakeholders (e.g. broadcast networks or MCNs). It will need to cover e.g. the purpose of data processing, who will do what and how they comply with GDPR requirements, such as international data transfers and data portability.
In practice, this is already causing difficulties in the short to medium term: anecdotal evidence suggests many EU developers are not well versed in EU data protection law, but publishers, distributors and service providers are often more informed and have already been circulating data protection agreements or addenda to existing agreements and requiring them to be signed pre-GDPR.
F2P data more complex to use. We expect that mobile free to play businesses will face particular challenges in GDPR compliance given the very substantial amount of data that they collect and use. The increasingly blurred distinction between personal and non-personal data is likely to be a particular problem, especially if, post-GDPR, the EU data protection authorities continue to take a sceptical stance on anonymisation. Basically, the metrics data on which many free to play games depend (such as DAU/MAU, ARPU/ARPPU and other retention and monetisation data) will continue to be vitally important, but we expect to see greater regulatory scrutiny of it in the future.
Privacy by design. This will become a core aspect of the legal/regulatory aspect of product development, especially video games. Again, we expect practical challenges in the short-medium term, particularly for games developers who are not used to building in legal/regulatory considerations during development. Over time, this will no longer be good enough and games development teams will have to think about the regulatory cost of using data in a game, not just the creative/business advantage.
Privacy policies need to change. The ubiquitous privacy policy (either hyperlinked or tick-boxed) will no longer be the automatic way to comply with EU data protection law - digital entertainment businesses will need to establish whether there are other, more appropriate grounds for processing data. Where privacy policies and consent are still good enough, they will have to be updated and expanded, including where a new use of data is significantly different from the original purpose for which the data was collected.
Considerable uncertainty in 2018/19 and onwards. Generally, there are several uncertainties regarding how GDPR principles will apply to digital entertainment products. For example, how will data portability work between different online games, if at all? How will non-EU games businesses without an EU base actually ensure compliance with EU data protection law? Are influencers in an MCN processors or controllers?
Ten tips for getting ready for GDPR
1. Data. Assess what personal data you collect, where, for what, with whom you share it and what happens to it when it is no longer needed. This can be done through a data audit/assessment.
2. Internal processes and training. Review the level of knowledge/training on data protection amongst your staff and assess the need for internal data protection policies and documentation.
3. Grounds of processing. Establish which grounds you will need to use to process each type of data. Consent-based processing will need to be in line with the new GDPR standards.
4. Privacy policies. Revisit your privacy policies and other data policies (e.g. cookie policies) to ensure they are GDPR compliant - e.g. do they set out all the information needed? Substantial changes are likely. If your product/service is aimed at children, would they be able to understand your policies, and how will you obtain and record verifiable parental consent?
5. Infrastructure. Consider whether your current systems (e.g. technical infrastructure, customer support) are ready to deal with data subjects' requests, including where these are exercised unreasonably or erroneously. How is your infrastructure protected?
6. Existing contracts. Review existing contracts with third parties and consider whether they are processing any data on your behalf and which contracts will need to be amended. This could cover development/publishing/licensing partners, analytics/software/service providers and even staff and contractor agreements.
7. Privacy by design. Data protection needs to be built into business processes, especially product development, just like ensuring proper contracts and intellectual property protections are in place. Businesses should think from the outset what data they will need/not need.
8. Data breach strategy. Build a data breach strategy involving technical, legal and PR resources. Consider what different data breaches could occur and how these would be handled.
9. Data Protection Officer / Representative. Appoint a Data Protection Officer or local representative if required; at minimum, there should be someone in the business responsible for data protection matters.
10. International transfers. If your business is transferring data outside the EU (even intra-group), examine whether or not you have legitimate grounds for doing this and how you might alert customers.