When Brad Dwyer founded Hatchlings Inc. in an Iowa State University dorm room in 2008, he couldn’t have predicted what the social media landscape would become. 

Dwyer’s mobile games company requires a few basic permissions for users to play using Facebook’s API (application programming interface): Hatchlings needs a user’s name, email address and Facebook social graph, which is the list of friends also playing Hatchlings games.

It takes more sensitive data to open a department store credit card, and yet today, businesses like Hatchlings are watching two tectonic shifts in the digital landscape. 

First, Facebook suffered massive media fallout after news in March that third-party service Cambridge Analytica purchased user data from a rule-abiding personality profile application. The user data was then sold to President Donald Trump’s campaign team in the 2016 election cycle. 

“The biggest change for us is that all of our apps are going to have to be re-reviewed by Facebook for all the permissions that we get,” Dwyer said. “We’ll have to submit a screen recording of where we use your friends list and why we need that permission.” 

Hatchlings had previously released a game that allowed mobile users to play without using Facebook as an identifier, which stored data in the user’s device rather than the cloud. The company did see users make the switch to a Facebook-free version, rather than using the Facebook login. 

“I can’t imagine why you would want to build a Facebook application and not have the social data,” Dwyer said. “At least them having a record of how each app says that they’re using the data probably will be helpful in the future.” 

Meanwhile, the second shift occurred. Data privacy laws pushed by the European Union hummed in the background of the U.S. media cycle — until the days leading up to May 25, when the EU’s General Data Protection Regulation (GDPR) officially became law, affecting everyone from Facebook itself to the small-scale online businesses. 

Hatchlings Inc. has two mobile apps on the market, Hatchlings and Puzzlings. The majority of Hatchlings’ users are in the U.S., Canada, Australia and the United Kingdom — which, while still in the EU, is undergoing the so-called Brexit from the international union. 

Hatchlings has already written a script to comply with the GDPR’s “right to be forgotten” regulation, and has permanently deleted data from one user who submitted a request, Dwyer said. The company, which gains most revenue from subscriptions and in-app purchases, is also reconsidering whether to continue allowing advertising within the apps.  

“We don’t sell our customers’ data or anything like that. Just being cognizant that if people request to delete their data, we have a way of doing that,” Dwyer said. 

“We’re mostly just following the lead of other, bigger companies and trying to see how everything shakes out,” he added. 

---

What to know about the GDPR

1.) Key GDPR rights and obligations.
• Notice: Data controllers must notify authorities within 72 hours of a personal data breach.

• Consent: Data controllers must receive active consent from data subjects for data collected; a parent must also consent to data collection for children under 16 years old.

• Right to access: The right for data subjects to access a copy of personal data, electronically and free of charge, from a data controller.

• Right to be forgotten: The right for data subjects to have the data controller erase his or her personal data, cease further dissemination for the data and potentially halt third parties from processing that data. 

• Data portability: The right for a data subject to receive their personal data and transmit that data to another data controller.

• Privacy by design: The inclusion of data protection from the onset of designing systems. 

• Mandatory data protection officer (DPO): Data controllers and processors must name or hire a DPO whose core responsibilities consist of monitoring data operations, data categories, and data relating to criminal convictions and offenses.  

• Sources: The International Association of Privacy Professionals and the Ponemon Institute LLC. 

2.) Businesses have had two years to prepare. 
• The European Union spent four years deliberating and drafting the GDPR before officially adopted the rules in 2016, guaranteeing a two-year runway before regulations were enforced for companies serving EU residents. 
• Regulators can fine companies (“data controllers” or “data processors” in the regulation language) up to 4 percent of their global revenue for violations of the GDPR. For perspective, the Verge reports that a 4 percent fine on Amazon would amount to $7 billion. 

3.) Despite potentially heavy consequences, only 52 percent of organizations were expected to be fully compliant by May 25 — GDPR’s official adoption day. A study by a U.S.-based data protection research firm, the Ponemon Institute, found many that U.S. and EU-based companies admitted to being behind schedule when it came to compliance preparation. Out of more than 1,000 companies polled, companies in financial services were most likely to be prepared — 63 percent reported satisfaction with their GDPR compliance measures. Technology and software services followed, with 60 percent of companies reporting compliance. The retail industry appears least likely to be prepared, with only 42 percent of companies reporting satisfaction with GDPR compliance measures.

---

WHAT BUSINESS LEADERS ARE SAYING

We asked a number of leaders in various industries how the General Data Protection Regulations might be affecting their business 
practices. We are including responses from executives in PR and marketing, finance, insurance and technology, among others.

________________________

Get data in order
Brett Burkhart, Shift Interactive

You’ve likely received countless emails about companies’ updated privacy policies and terms of service. This is due to the EU’s General Data Protection Regulation (GDPR) that recently went into effect. While regulation came out of the EU, it can still affect U.S.-based companies.

According to the regulation, the EU vaguely defines “personal data” as “information relating to an identifiable person who can be directly or indirectly identified.” This could be any type of data about an individual, such as their name, contact information and location.

Despite not being located or even doing business in the EU, the general feeling is that GDPR affects any business with an online presence since anyone on the internet can find you. Not complying with GDPR could mean tough (“up to 4 percent of your annual revenue” tough) penalties for businesses that don’t adjust their data collection and usage practices. While you should definitely consult with a legal expert about compliance, below are steps you should consider for your website:

– Adding a privacy policy that is easily accessible with little to no jargon.

– Adding a notification box that appears when users first visit your site stating that information is being collected to better improve their experience.

– Modifying your site forms to include checkboxes where users must acknowledge they understand what personal data is being collected.

– Ensuring all data collected is archived and accessible to comply with any future request by an individual to view, remove or port their data from your database. 

________________________

Pay attention, startups
Mo Collins, Speaker and consultant, Entrepreneurial Communities

While most dialogue about the new EU privacy laws has focused on the impact to large, multinational corporations, small and young entrepreneurial firms shouldn’t ignore the requirements of GDPR. Here’s why:

Companies without a physical EU presence still fall under GDPR if they have websites available to residents there. That includes many of our smallest Midwestern startups; in fact, practically everyone doing business in the global economy is on the radar. 

You could jeopardize your mergers and acquisitions. If you hope to be acquired, the company acquiring you will be responsible for your efforts to comply with GDPR. If investigated, your noncompliant startup could expose the parent company to fines equal to 4 percent of their global business revenues.

Regulators in the EU are serious about compliance. According to Linda V. Priebe (former deputy general counsel and ethics official in the White House under the Bush, Clinton and Obama administrations), Germany has already launched investigations into 500 American companies including multiple solo-preneurs. The consensus is that regulators will want to make a show of auditing both large and small firms in coming years to demonstrate their intentions.

It is the right thing to do. GDPR favors the integrity of personal data belonging to individuals over the business goals of organizations. It is likely the first of many similar changes needed to ensure the balance of people, planet, purpose and profit in a global economy. 

________________________

Be proactive in your message
Tara Deering-Hansen, Principal, Sonder Public Relations 

The EU’s GDPR is a sign of the times and shows that governments can step in to protect consumers’ data, but with far-reaching implications. After the Facebook and Equifax data breaches, consumers are more aware of how their personal information and digital footprints can be mishandled and misused.
 
The GDPR sets a high standard of compliance for U.S. companies that operate globally. But there are several GDPR rules that even small Iowa businesses should follow to mitigate reputation damage when there’s a data breach. For example, all companies should adopt the best practice of notifying regulators and consumers within 72 hours of detecting a breach.
 
If the GDPR doesn’t affect your company, it’s still a perfect time to review your operations and compliance policies and identify ways to be more stringent. We’ve been working with our clients to review their data breach response plans and incorporate updates that align with the GDPR. We then schedule a data breach drill — because practiced strategy is what enables a company to rise above emotion and act swiftly when the worst happens.
 
We also advise clients that their messaging before a crisis is just as important as what’s communicated during a crisis. To build trust with consumers on this topic, companies must establish frequent communication touch points and use those opportunities to educate and promote transparency. If you want to demonstrate that data protection is a corporate priority, proactively talk about your privacy efforts and provide customers with tips to better safeguard their information. 

________________________

LAW SETS PRECEDENT
BY Kelly Dittmann, Managing director, strategy, Baton Global

General Data Protection Regulation will affect organizations across the globe, including businesses in Iowa. The EU may only have regulating authority on organizations that conduct business in the EU or have employees who are EU citizens, but this regulation sets precedent globally.
 
In Europe, data has long been about the core issue of privacy and protection. The new regulation of GDPR is about taking an additional step toward greater transparency and trust. The U.S. is known to regulate business on a smaller scale in comparison to the EU, and in the case of customer data privacy, many organizations have been left to build the appropriate controls.
 
In the past week, organizations such as Apple and Microsoft have made major changes to their data collection models and have changed their privacy policies. The Washington Post even announced a new subscription model for EU residents, eliminating third-party data tracking.
 
Recent actions by leading companies have resulted in greater focus on customer protection. The question isn’t if there will be increased regulation within the U.S.; it is a matter of when new policies will be put in place. It is critical for organizations of all sizes to prepare for future regulation, even if they are currently unaffected by GDPR.
 
Organizations will need to understand how to collect, organize, use and ultimately protect customer data. Companies should have a prioritized road map to guide implementation efforts focused on a risk-based approach. Assessing areas that could result in regulatory investigation, class-action lawsuits or cybersecurity threats will be key to identifying where the most sensitive data assets reside within operating models.
 
Leaders should take a disciplined approach to prepare for and meet GDPR requirements from assessing to conforming. Organizations in our local market will need to take a deeper look into their consumer data practices and ensure compliance readiness to compete in our digital and global economy. 

________________________

First, do the right thing; then, talk about it
By Ryan Hanser, President, Hanser & Associates
 
We want data protection, but we’re getting opt-in requests via email instead. 

It reinforces the EU view of inadequate U.S. privacy protection.
 
In the two years since the GDPR regulation was adopted, we’ve continued to see data crises with regularity. Cambridge Analytica is the case study. Yet most organizations are pushing updated privacy policies and asking for permission to keep doing what they already do with customer data. And in most cases it takes a very close reading to discern how data practices may or may not be any better than what was expected of organizations before GDPR activated May 25.
 
It’s important to remember that public awareness and understanding of the issues and, especially, this regulation are relatively low.
 
The public relations opportunity in GDPR is to inspect your data protection work and communicate your values. Show partners and customers what you do with data and why. Build confidence and trust by showing the work you do to protect the interests of those who choose to do business with you.
 
There are direct effects of GDPR on marketing, too. We now can’t use data the way a lot of organizations have been for years. Location data is already harder to acquire. Explicit consent will change the way we communicate. First-party data becomes even more valuable, despite a higher bar for compliant use. Ultimately, GDPR should clean up the data supply in online advertising.

Business use of data will continue to evolve. GDPR compliance builds trust. It’s another step toward giving people what they want, while giving you the opportunity to showcase how you deliver it.

________________________

Incredible leap 
Miles Weis, AVP, Executive Risk Practice Leader, Holmes Murphy

The new privacy laws in the EU, the General Data Protection Regulation, will have an effect on Iowa-based companies doing business in EU member states. The premise of the law applies to “any” enterprise in the world that offers goods or services, targets European Union citizens, and requires processing of personal data as part of their offering.

One poignant element of the new GDPR protocol surrounds a heightened duty for data breach notification. Compliance requires that in instances where personal data freedoms may have been violated, a detailed and prescribed notification to supervisory authorities must be made within 72 hours of the breach discovery.

The task of compliance management is difficult. The GDPR has endorsed codes of conduct and certifications as requirements and guidance ensuring compliance. Iowa-based companies should familiarize themselves with the tenets of these codes and certifications. 

GDPR sets the privacy bar at the highest level in the world and in history. It will take time for companies to become familiar with its purpose. Although somewhat difficult, the GDPR is an incredible leap in the promoting of individual rights and will only strengthen global business and relationships.

________________________

Preview for U.S.
Eileen Wixted, Principal, Wixted and Co. 

The good news about the GDPR is that individual citizens in the EU will have greater control over their personal data. Under the new regulation, they must knowingly give consent and have the right to ask companies to correct or delete personal information. Additionally, companies will now be required to communicate about a data breach within 72 hours. And that is a very fast turnaround.

In theory, working with one EU set of data protection regulations versus 28 (one in each country in the EU) sounds great for businesses, too. However, the devil is in the details.

U.S.-based business leaders and owners will first need to make a deliberate decision on whether they want to continue to do business in the EU. If they answer yes, I think this regulation will significantly affect their operations in the short term. Companies will want to develop a business operations plan, which includes all of the actions and operational changes needed to comply with the new regulation.

From a communications standpoint, the most critical stakeholders for companies will be their internal audiences followed by their customers. Businesses should focus on educating and training employees on why this is important and introduce the new tools on how to be more responsive to customers when gaining consent or making changes to data. A company should update its privacy policy and share with customers as well. An organization’s data breach communication plan will need to be changed to reflect the 72-hour deadline. This means developing a customer outreach plan and placing a data breach statement on owned platforms such as your website. Companies found in noncompliance with GDPR will be fined very heavily. Therefore, it is critical that all team members understand operational changes and the importance of following new policies and procedures for GDPR compliance.

The GDPR represents a major shift in how personal data will be handled, protected and regulated. While it is on the other side of the pond now, it’s likely a preview of more changes and higher standards to come in the U.S. and around the world.

________________________

Start Retrofitting
BY Erin RollenhagenFounder, Entrepreneurial Technologies, and board chair of the Technology Association of Iowa

Hopefully most business owners who do business or have users in the EU have already enacted changes to comply with GDPR. If not, they need to get in touch with a consultant right away. The question for those who are not yet directly affected  is do they need to do anything? I would argue that this signals a shift in thinking, and while the U.S. may not enact exactly the same regulations, it’s likely that additional protections are coming. Most of these changes are less expensive to implement from the ground up as compared with retrofitting, so I’d encourage anyone undertaking new development to strongly consider additional security and privacy practices beyond what are currently required in the U.S. For those who are working with existing legacy platforms, it’s time to think strategically about building a model around opt-in data collection and stronger security practices. 

GDPR, if implemented fully, enforces a shift in thinking. We have this interesting dynamic in technology today where we have all of this great technology that we get to use for free or for a very low cost. Yet that technology costs thousands, and in many cases millions or even billions, of dollars to create. Companies won’t spend the money to develop it if they don’t believe they can turn a profit. So how do they do that? In many cases they generate revenue by using your data to implement targeted marketing and advertising. That model is so ubiquitous now that we almost expect it. The pendulum in the U.S. to this point has been fairly heavily weighted toward the business’s need to make money off the data. GDPR recognizes the importance of legitimate business interests as being equal to the consumer’s need for privacy — not above — and in doing so, shifts the balance a bit. This can be a healthy shift for the industry that allows the model to be sustainable in the long run.

There will be effects on technology in general. Technology is the art of making ever-better tradeoffs, and everyone is trying to find the optimal balance of competing interests. We’re often in the position of trying to advise clients about the risks and costs associated with various practices. Security and privacy are areas that no one enjoys thinking or talking about. It’s like the crash cage in your vehicle — you don’t want to think about getting into an accident in the first place, and everyone assumes it won’t happen to them. What’s interesting about regulations is that they forcibly tip the balance of that optimization in a direction it might not have taken on its own. Suddenly you don’t have to question whether it’s a good business decision to spend the money on that particular security feature, because it’s the law. 
 
A specific provision of GDPR that’s interesting is the rule that encryption and decryption must be done on the client. This is actually something we have been recommending certain clients move toward for some time now because we believe it’s more secure, so it’s made even more compelling to see it as a regulation in the EU. There’s a fairly common strategy in the U.S. to accomplish encryption in transit and at rest through a combination of HTTPS and database encryption. That’s not going to satisfy GDPR, which gives consultants like us a more compelling argument to clients to create stronger systems.
 
Another interesting provision is the requirement that privacy is assumed by default, and the consumer has to make a deliberate choice to opt in. This means no more “opt-outs” and no more pre-checked boxes. It’s likely this is going to decrease the proportion of consumers who are opted in, and so those who run technology platforms will have to figure out how to make everything work without this data.