From 2 Billion to 200 Users, GDPR is Changing Data Compliance Landscape

May 2018
The General Data Protection Regulation (GDPR) by the EU is coming into force on May 25th and is having some effects on firms whether they have 2 billion or 200 users.

GDPR is the EU data protection legislation; its official purpose is to protect EU citizens from data and privacy breaches. More broadly, it can be thought of as a regulation that protects users against some of the worst abuses by firms like Facebook that hold a lot of personal data. It is an attempt to update the law to cover the proliferation of data-harvesting business models. GDPR brings a number of notable changes, such as protecting data on EU citizens stored anywhere in the globe, specifying maximum penalties, and barring the use of long, difficult-to-read terms and conditions. It also confers a number of rights people hold over their data.

With GDPR coming into force, I thought it would be interesting to look at two different responses, one from Facebook with nearly 2 billion users, and one from Edge of Reality who manage an online game, Loadout, which currently has 200 daily peak users.

While GDPR only applies to EU citizens, Facebook are planning to implement many GDPR-style changes globally. This includes clearer terms and conditions, and some of the data rights, like being able to review the personal data held on you. In contrast to these positive developments, Facebook have still made the cynical decision of ‘moving’ 1.5 billion user accounts out of EU jurisdiction, most likely to minimise legal exposure (Microsoft are planning the same move with their social network, LinkedIn). The accounts moved will belong to people residing in Africa, Asia, Australia and Latin America, who, in a legal sense, had their accounts in Ireland and so would have been covered by GDPR. Now those accounts are in the United States and ‘protected’ by much weaker legislation.

This move highlights the successes and failures governments can have in helping to secure user data. On the one hand, Facebook are planning to improve user data management in light of GDPR around the world, showing the influence that the EU can have. But on the other hand, this example shows governments are going to encounter the same problems when regulating data as they do when collecting tax or enforcing labour regulations; multinationals will always have the option to move some aspect of their business in order to skirt the law.

At the other end of the scale are Edge of Reality, the makers of Loadout, a free-to-play online game which currently has about 200 people playing at peak time each day. As reported, Loadout was already losing money, and faced with implementing the changes to customer data storage required for GDPR, Edge of Reality decided to close Loadout.

“The well-intended GDPR legislation creates major burdens for small companies to do business in the EU, starting on 5/25. We don’t have the resources to update Loadout to GDPR compliance, and a big portion of Loadout players come from the EU. Sadly, while big companies have the resources to comply with the GDPR, that’s not always the case for small businesses. We still protect your privacy, and we wouldn’t dream of doing otherwise. We just don’t have the resources to overhaul Loadout and implement new features to meet a large list of new requirements.”

GDPR sets a lot of requirements that firms must meet to become compliant, and the consequences of non-compliance are very significant and real. These new requirements under the updated GDPR may be a significant burden for small or inexperienced firms, such as game studios. Edge of Reality didn’t specify what aspects of GDPR were too expensive for them, but it is probably the new data rights and fulfilling customer requests. These are things like the right to be forgotten, right to access, notification of breaches, and data portability. Edge of Reality would have needed to organise a dedicated and reliable process to handle these user requests.

The challenges of GDPR and government efforts to protect end users are transforming the data management industry. While the case of Facebook highlights the need for robust technology with the agility to keep up with the legal and physical movements of firms, the Edge of Reality case highlights the coming need for very efficient data management technologies that can support small businesses.