You may have heard the buzz around the GDPR. If you’re asking yourself, “What does this mean?” then don’t worry. You’re not alone — the topic can be pretty confusing. We’re here to break down what GDPR is and how it will affect your business.


Image source

What Is the GDPR?

The introduction of the EU General Data Protection Regulation (otherwise known as GDPR) is one of the biggest regulatory changes in data privacy laws in the last 20 years. The GDPR aims to harmonizes data privacy laws across the EU and strengthen the security and protection of the personal data of all EU residents. This is a good thing for EU residents, and something new to navigate for businesses.

GDPR was approved by the EU parliament on April 14, 2016 and becomes fully enforceable on May 25th, 2018. For businesses that aren’t GDPR compliant by that date, there can be some pretty hefty fines. Companies may be fined up to €20 million or four percent of global annual revenue.

If you want to read more about GDPR basics, you can read this great resource.

Who Are the Stakeholders?

There are three key terms you need to know.

  • Data Subjects: The users of your app are your data subjects
  • Data Controllers: If you have an app or website, then you are the data controller
  • Data Processors: If you have Leanplum’s SDK installed in your app, then we (Leanplum) are a processor of your users’ data

gdpr compliance

Image source

What Are the Key GDPR Changes?

The GDPR requires organizations take responsibility and accountability for the personal data they handle. As organizations prepare for GDPR compliance, they should consider the following points.

Territorial Scope

The GDPR applies to all companies processing the personal data of EU residents — regardless of the company’s location. It is up to you to determine whether your organization has any GDPR compliance obligations it needs to meet.


You must request users’ consent in an intelligible and easily accessible form, using clear and plain language.

Breach Notification

In case of a data breach, Controllers will be required to notify the supervisory authority and the data subject without undue delay or within the specific reporting obligations. Processors shall also notify the controller without undue delay after becoming aware of a data breach.

Data Subject Rights

GDPR has expanded some existing rights and created some new ones. You will need to make sure you are in compliance with all the new rights if you are processing personal data.

Privacy by Design

Organizations are now obliged to consider data privacy at the design stages of a projects as well as the lifecycle of the relevant data processing.

How Will Leanplum Help You Be Compliant?

Leanplum takes our responsibility towards our customers, and their end users’ privacy and security concerns, very seriously. Leanplum will be ready to comply with the GDPR requirements when it goes into effect on May 25, 2018. We are working with two independent outside firms to ensure our compliance. We are committed to helping our customers meet their GDPR goals and as part of that we will discuss what we are doing to help you succeed in achieving compliance with GDPR.

As part of the process we are updating our Data Protection Addendum. We are rolling it out to all our customers to help prepare them for May 25, 2018. Please contact your Customer Success Managers to obtain a copy of the addendum if you don’t already have one.

GDPR gives end users several new rights over their personal data. Under EU law, Leanplum is the Data Processor and our customers (you) are the Data Controllers. Most of the onus on meeting the GDPR falls on the data controller. However, Leanplum will provide customers with tools and guidance to help you become compliant. We’ll explore these services by looking at each right individually.

GDPR Compliance

Image source

Right to Be Informed

The right to be informed requires you as the controller to tell your users what data you’re collecting about them and for what purpose. The GDPR mandates this information be accessible and easy to read.

Right to Erasure & Right to Object

Your end-users have the right to request that their data be deleted and that their data no longer be processed. Leanplum will provide two APIs, deleteUser and setUserBlockStatus, that you can call to fulfill these rights. Blocking a user’s data will also result in us deleting their old data.

Right of Access/Right to Portability

Your end-users have the right to access and export their personal data. When a user requests access to his/her data, you can send Leanplum a getUser API request and you will receive an export of their data.

Right to Rectification

Your end-users have the right to rectify their personal data if it is inaccurate or incomplete. You can fulfill this right by calling setUserAttributes just like you would when setting any other attribute of the user.

Looking Ahead

At Leanplum, data security is our highest priority. We will work to ensure that our customers meet the compliance requirements without any disruption. As we move closer to May 25, we will share more information to help you comply with GDPR. For now, register for our upcoming webinar, GDPR 101: A Primer for Mobile Marketers.