Great question! If you are also asking individuals outside of this forum, it would be awesome if they/you could follow up on this thread.
I similarly have Swiss-cheese knowledge about GDPR, but one area that has been disruptive is the opt-in model for receiving marketing emails. You've likely noticed that many subscription services are asking for consent to email you recently, and this part of GDPR is driving that. There are also rules around weighing opt-in / opt-out options. The devil is in the details on all these reg...
Well, I haven't dived deep into GDPR, but there are a few things you need to change in your app:
- Your users should be able to delete their account permanently, and when they do that, their account and all the data related to their account should be deleted forever.
- Users should be able to download the data related to their account. Meaning that if you allow users to upload their photos, they should be able to download them all if they need to.
Other than that, I don't think you need to make any major changes in your app.
I would love to hear others' thoughts on GDPR.
"Right to be forgotten" includes your analytics. You can preserve their records in your aggregates, but it has to be provably impossible to derive PII from them.
I found a high school friend who now lives in Sweden and is a lawyer working on this exact issue. She offered some advice that I'll share. The basic takeaway is that perfect compliance is hard, but small companies are unlikely to be targets of regulators.
"If you have a service agreement with European users you can base a lot of the processing of the users' data on that agreement, i.e. that will be your legal ground for that processing (article 6 GDPR). Each different type of processing requires you to identify an appropriate legal ground for that processing in order to be legal. The GDPR does not apply to anonymized data at all, but care has to be taken to ensure that it really is not just pseudonymized (there can be no way to 'unlock' or decode the data, i.e. it has to be irreversibly anonymized). Sharing data with third countries (any country outside the EU/EEA) requires a separate legal ground for that particular transfer, as third countries are usually not considered to have sufficient security (this actually includes the US because of the NSA, but there are some specific exceptions for that transfer). Third country transfers are governed by articles 44-50 and are complicated and require some work to set up, so the best thing would definitely be to keep EU/EEA data within the EU/EEA.
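The distinction the lawyer draws between pseudonymized data (something can still "unlock" it) and irreversibly anonymized data, together with the earlier point that analytics aggregates must not let PII be derived, in working code. This is an added example and is not code from anyone in this thread; the event records, the candidate identifier list, the (country, page) aggregation scheme and the HMAC key are all constructed for the demo. It shows that replacing an identifier with an unkeyed hash is reversible by anyone who can enumerate plausible identifiers, that a keyed hash only moves the "unlock" capability to whoever holds the key, and that a suppressed aggregate keeps no per-user row at all:

```python
import hashlib
import hmac

# Constructed sample analytics events (hypothetical schema; not from the thread).
RAW_EVENTS = [
    {"user_id": "alice@example.com", "country": "SE", "page": "/pricing"},
    {"user_id": "alice@example.com", "country": "SE", "page": "/signup"},
    {"user_id": "bob@example.com",   "country": "DE", "page": "/pricing"},
    {"user_id": "carol@example.com", "country": "SE", "page": "/pricing"},
    {"user_id": "dave@example.com",  "country": "FR", "page": "/docs"},
]

# Constructed list an attacker (or a curious analyst) could plausibly obtain:
# your own customer table, a breached mailing list, or simply guessed addresses.
KNOWN_IDS = ["alice@example.com", "bob@example.com", "nobody@example.com"]


def sha256_id(identifier: str) -> str:
    """Unkeyed hash of the identifier: deterministic, so anyone can recompute it."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def hmac_id(identifier: str, key: bytes) -> str:
    """Keyed hash: an outsider without the key cannot recompute it, but the key
    holder can, so the data is still pseudonymized, not anonymized."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymize(events, digest):
    """Replace user_id with digest(user_id); every other field is kept as-is."""
    return [dict(event, user_id=digest(event["user_id"])) for event in events]


def reidentify(pseudo_events, candidate_ids, digest):
    """Dictionary attack on a pseudonymized dataset: hash each candidate identifier
    and look the result up. Returns {pseudonym: real identifier} for every hit."""
    lookup = {digest(candidate): candidate for candidate in candidate_ids}
    return {
        event["user_id"]: lookup[event["user_id"]]
        for event in pseudo_events
        if event["user_id"] in lookup
    }


def anonymize(events, k=2):
    """Aggregate to (country, page) -> number of distinct users, dropping any cell
    with fewer than k users. No per-user row survives and cells small enough to
    single someone out are suppressed, so there is nothing left to 'unlock'."""
    users_per_cell = {}
    for event in events:
        cell = (event["country"], event["page"])
        users_per_cell.setdefault(cell, set()).add(event["user_id"])
    return {cell: len(users) for cell, users in users_per_cell.items() if len(users) >= k}


def forget_user(events, user_id):
    """Erasure request applied to the raw event store: drop every row for the user.
    Aggregates already produced by anonymize() hold no row for them to begin with."""
    return [event for event in events if event["user_id"] != user_id]


if __name__ == "__main__":
    key = b"server-side-secret-key"  # hypothetical; in practice lives in a secrets store

    hashed = pseudonymize(RAW_EVENTS, sha256_id)
    print("unkeyed hash, recovered by outsider:", reidentify(hashed, KNOWN_IDS, sha256_id))

    keyed = pseudonymize(RAW_EVENTS, lambda i: hmac_id(i, key))
    print("keyed hash, outsider:", reidentify(keyed, KNOWN_IDS, sha256_id))
    print("keyed hash, key holder:", reidentify(keyed, KNOWN_IDS, lambda i: hmac_id(i, key)))

    print("suppressed aggregates (k=2):", anonymize(RAW_EVENTS))
    print("events left after erasing alice:", len(forget_user(RAW_EVENTS, "alice@example.com")))
```

The practical reading: if a column can be joined back to a person by anyone who holds a key, a salt, or just a list of likely identifiers, it is pseudonymous and still in scope; only an output like the `anonymize()` table, where the identifier never reaches the published artifact and small cells are suppressed, is the kind of aggregate the earlier reply says you may keep after an erasure request.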