Many organisations have downplayed the requisite changes as ‘tweaks’ to their policies, but Snapchat has made a point of emphasising its widespread alterations. The most significant revelation is that, unlike rival messaging app WhatsApp, Snapchat will continue to allow under-16s to use its service – but that means significant alterations to the way it collects data. The GDPR forces organisations to seek parental or guardian consent for minors (the default age is 16, but EU member states can choose to set the threshold anywhere between 13 and 16).
Facebook-owned WhatsApp removed the burden that comes with this requirement by setting the minimum age for registration at 16, but this option was less viable for Snapchat. Teenagers are its most loyal and active users, so retaining this demographic was imperative. The move will also allow the app to welcome former WhatsApp users who can no longer use the service.
Snapchat will have to go to great lengths to get and maintain consent, and if it isn’t vigilant about the way it does this, it runs the risk of violating the Regulation and facing disciplinary action. To mitigate the risk, Snapchat’s says it will reduce the amount of data it collects from minors.
What else is it doing?
Its consent procedure has also changed, requiring users to opt in to features on Lifestyle Categories and Discover. Likewise, it makes it easier for users to opt out of those features if they change their mind.
Although it didn’t publicly announce it, Snapchat’s compliance project will have also included a litany of behind-the-scenes activity that will go a long way to keeping personal data secure. This includes steps such as appointing a data protection officer (DPO) to oversee regulatory compliance, placing staff on GDPR awareness courses and implementing procedures for them to follow, and ensuring that its defence technologies are up to date.
What does GDPR compliance look like?
There is no single, best practice approach to GDPR compliance, as every organisation has different priorities and needs. Even very similar organisations such as Snapchat and WhatsApp have different solutions to child consent requirements. The important thing is to assess each aspect of the GDPR and find a way to comply that suits your organisation’s needs.
“That’s all well and good,” you might be saying, “but the GDPR takes effect in a matter of days.” While it’s true that there’s not much you can do by May 25, 2018 (if that date hasn’t already passed by the time you’re reading this), you don’t have to stop preparing once the Regulation takes effect. Many organisations have only recently heard about the GDPR and have not been able to comply in time. If you’re in this situation, don’t panic. As long as you can demonstrate that you’re taking steps towards compliance, you’re likely to receive favourable treatment from your supervisory authority.
For advice on implementing the GDPR’s requirements, take a look at our free green paper: EU General Data Protection Regulation – A Compliance Guide.
This guide provides an overview of the key changes introduced by the GDPR, the scope and impact of the Regulation, and the areas that organisations need to focus on.