This is the last of three articles in which Purewal & Partners' Jas Purewal and Peter Lewin have explored the EU General Data Protection Regulation, an imminent reform that will have a huge impact on digital entertainment businesses all over the world.
Previously, Purewal and Lewin offered an overview of GDPR ahead of its arrival on May 25, 2018, and then looked at its specific relevance to Digital Entertainment businesses - including ten key tips for getting ready.
We're a games development studio with a publishing deal - who is responsible for GPDR?
For the game: it depends on the publishing contract's terms but usually we would expect it to be the publisher if the publisher has final say over what can and cannot be done with data collected (but remember you will still have obligations as a data processor). For your studio's own business: you. For the publisher's own business: the publisher.
We self-publish our software/games/content on a distribution platform (e.g. iTunes, Steam, YouTube) - who is responsible for GDPR compliance?
For data that you collect and use, e.g. if you have user newsletters or collect data via the platform: you. For data the platform collects and uses for its own purposes from the platform: the platform.
We're an esports team and work with a number of leagues and broadcaster - who is responsible for GDPR compliance?
Regarding your day to day business operations and your own relationships with your fans: you. Regarding league events and related matters like broadcasting: it depends on your contractual relationships, but we would typically expect this to be a partner obligation. But remember you will still have obligations as a data processor.
What steps are other games industry companies currently taking?
It varies, but on the whole the major industry players (e.g. publishers, distributors, platforms) have been preparing for the GDPR - some for a long time, some quite recently. But on the whole the games industry has reacted slowly to the GDPR due to resource constraints, lack of familiarity with legal/regulatory requirements generally but also a desire to see what happens at the higher levels of the industry first. Clearly there are risks with adopting such a 'wait and see' approach given that all companies need technically be GDPR compliant as of 25 May 2018, but companies may deem these risks acceptable (at least in the short term) while market practice settles and new rules clarified.
We only collect anonymised data - is all this relevant to me?
Yes. Businesses still need to be clear about what data they gather to ensure it is not personal data. Anonymised data and analytics and metrics data is vital for digital entertainment businesses, but thus far some data protection regulators have been sceptical about whether it could still constitute personal data (e.g. if it is susceptible to 'reverse-anonymisation'). The point is that businesses cannot ignore data protection law even if they are confident the data they use is probably not personal data - they have to take steps to be sure.
We gather all our data via data services providers - isn't this their problem?
No. If they are gathering data about your users on your behalf, then you are ultimately responsible as the data controller - both for their work as well as your exploitation of their work. Of course, they will have obligations too. You will need to review your contractual obligations with them as the GDPR approaches, since our experience is that many providers have under-invested in the data protection aspects of their contractual and practical arrangements.
No, unfortunately - that is just the starting point even under existing EU data protection law, let alone under the GDPR.
But that seems excessive, do we really have to do all that?
There is no way of getting around the fact that the GDPR is a big change, negotiated at the highest levels of the EU for some years, and it will require work to implement. Your implementation requirements depend on your business of course.
We are a US/Asian/non-EU business but operate globally online, we regard ourselves as not subject to EU data protection law, is that OK?
In legal terms: no, the EU is clear that you will be subject to EU data protection law. In practical terms: the EU has given itself strong sanction powers but we will have to see how they are actually deployed in practice. At the same time, EU data protection law often provides a gold standard that other countries follow and so there are good reasons to look seriously at implementation steps even leaving aside the sanctions risk.