Discussion about the General Data Protection Regulation (GDPR), Europe’s new privacy law, is happening everywhere. From your mailbox to internet forums, everyone from users to internet companies and app developers is trying to understand how to be GDPR compliant. As an app owner and publisher, you too are required to comply with this privacy law even if your company is registered outside the European Union. What’s it all about, and how can you be GDPR compliant? Let’s dig deeper.
GDPR at a glance
What is General Data Protection Regulation?
Adopted on April 27th, 2016 by the European Union, General Data Protection Regulation is a data protection and privacy-centric law that became enforceable from May 25th, 2018. The law aims to protect the privacy of European citizens and offer them complete control of their personal information.
The recent Cambridge Analytica-Facebook incident has put GDPR in the spotlight and makes it an important milestone in protecting user privacy. The law holds controllers accountable for misuse of user data and sets out punitive fines in Article 83. According to GDPR, a company can attract a fine of up to 20 million euro for infringement of the principles governing personal data processing.
What does GDPR imply?
GDPR’s objective is to give people more control over the personal information they share online. To make this possible, the law lays down four basic aspects that any app developer, data processor or website must respect. These aspects aim to provide:
- Easy access to personal data: Every user is entitled to know how their data is processed in a clear and understandable way.
- Right to data portability: Users should be empowered to transfer their personal information from one service provider to another easily.
- Right to be forgotten: Users should have an option to delete their data by notifying their service provider through simple steps. Once a user exercises this right, their information should be permanently deleted from the service provider’s database.
- Right to be informed of data breaches: Users must be informed about personal data breaches when their data is compromised. The app publisher must notify the national supervisory authority within 72 hours of identifying a data breach.
Preparing your app for GDPR compliance: Points you should know
GDPR is really serious about the privacy of app users and protects their rights thoroughly. This means that your app planning, development, and management efforts must be revisited to make sure you comply with the guidelines laid out in the law. Though the privacy law does not lay out a step-by-step process to follow, it outlines some general rules to follow while developing and publishing a mobile app.
According to this law, app publishers, developers, and owners are now directly responsible for the security of personal user data. The term ‘personal data’ refers to any form of information that can be used to identify an individual, including phone number, name, email address, username, location, analytics insights, etc.
App owners must endeavour to be more transparent and give users more control. This includes changing how data is currently acquired, stored, transferred and used. Everything must be done to enhance security and give users real-time access to their data. At the same time, developers need to document the complete history of changes to personal data, and encrypting transfers between the server and the app is mandatory.
To make sure that, as an app owner, you offer users complete control over their personal data, you need to adhere to the following guidelines in your app design:
- Relevance: Identify if your app requires all the information you are requesting
- Consent: Inform and obtain consent from the users to collect their private information
- Accountability: Answer user queries regarding their private data usage and sharing
- Security: Encrypt private user data and secure your communication through HTTPS
- Transparency: Keep users informed about data breaches and security loopholes
- Portability: Implement a protocol for data portability
- Privacy: Don’t track user activity and destroy cookies after the user logs out
- Disclosure: Inform users about logs that capture location, IP address and data sharing with third parties
- Safety: Store user logs in an encrypted manner
- Clarity: Create understandable terms and conditions and ensure the user reads them completely
- Erasure: Delete personal data of the user if he/she opts out of the service
Things to do to adhere to the GDPR guidelines
Make an app based on privacy by design concept
According to Article 23 of the GDPR, Privacy by Design is now a legal requirement. Privacy by Design is a development concept that makes an app developer, owner or publisher think about user privacy before starting the development process. Instead of leaving user privacy and data protection as an afterthought, your app development effort should take steps to promote user privacy from the very beginning.
Ask for user consent explicitly
Every app or company must request a user to provide his/her consent to collect, use and transfer personal data. A user, while opting-in, must clearly understand the terms and conditions of personal data collection and usage.
If you are thinking of collecting user data in your mobile app, you must show an opt-in screen as soon as the app launches. The opt-in process should clearly give users the ability to consent to data collection and to receiving communications, and should inform users where their data will be used.
For example, if you are thinking of tracking user activity through Google Analytics, you are obligated to inform users of it. At the same time, a user must be able to easily opt out of future communications and request deletion of their personal information. To be completely GDPR compliant, an app should have a dedicated page that gives users the ability to opt out.
Respond to user requests
Under GDPR, you are legally required to answer a user who wants to know how you are using their personal data. To make your app compliant, you need to create a mechanism through which users can place a Subject Access Request. Once you receive such a request from any user, you are required to respond to it within one month (for complicated requests, the period is three months).
Developing an internal system to handle subject access requests is essential to stay compliant in the long term; failing that, you would be breaking the privacy law and landing yourself in legal trouble.
Review your third-party data processors
If you are using the services of any external data processor to analyse your app usage, you must disclose the fact explicitly. You need to be transparent with the users about data transfer and processing and at the same time sign a detailed data processing agreement.
Having a documented agreement with your data processor is a mandatory requirement under GDPR. This means you need to make sure that all third parties and SDKs associated with your app are also GDPR compliant. As the data controller, it is your responsibility to ensure that all third parties are compliant and have effective data security measures in place. In case of a security breach, you can be held accountable.
Notify users of a data breach
As a data controller, you are required under GDPR to notify the supervisory authority and affected users within 72 hours of a data breach. To make this a reality, you need to continuously monitor your data, identify risks and plug loopholes. In case of a breach, you must have a clear policy for informing users and taking the necessary steps to protect their personal data.
Encrypt your stored data and external communications
Every mobile app should use HTTPS (SSL/TLS) for interaction with external parties, and any sharing of personal data should always be encrypted. This means that when your mobile app interacts with your website or web servers to transfer personal data such as a username or password, HTTPS must be in place.
To make sure that user data is secure at all times, it should be stored securely in a safe place with appropriately encrypted backups. Users should be told explicitly how long this data is retained, to give them control over their personal information.
Create detailed logs of data collection activity
As per Article 30 of the GDPR, every data controller, i.e. an app owner or manager, must keep a record of data processing activities. This means that you are required to document every single byte of data that you collect, whether through the mobile app yourself or with the help of a third party. The record should be kept in the form of a secure and comprehensive log containing every detail of the personal data collected, including IP addresses, names, email addresses, etc.
When you collect this data, you should also explain to the user why you are collecting it, where it will be stored and for how long.
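Putting the subject access request, portability, erasure and Article 30 record-keeping points above into one small module, as an added illustration (not code from the original article or from any vendor): an in-memory user store stands in for the app's database, and the deadline calculation uses the one-month and three-month periods mentioned earlier.

```python
import calendar
import json
from datetime import date

# Constructed in-memory user store for the example (not real data).
USERS = {
    "u1": {"name": "Ada", "email": "ada@example.com", "ip_log": ["203.0.113.7"]},
}
# Append-only record of processing activities, in the spirit of Article 30.
PROCESSING_RECORD = []


def record_activity(purpose, categories, recipients=(), retention_days=None):
    """Log one processing activity: why, which data categories, who receives it, how long."""
    entry = {"purpose": purpose, "data_categories": sorted(categories),
             "recipients": list(recipients), "retention_days": retention_days}
    PROCESSING_RECORD.append(entry)
    return entry


def add_months(d, n):
    """Calendar-aware month arithmetic; clamps to the last day of the target month."""
    m = d.month - 1 + n
    y, m = d.year + m // 12, m % 12 + 1
    return d.replace(year=y, month=m, day=min(d.day, calendar.monthrange(y, m)[1]))


def sar_deadline(received_iso, complex_request=False):
    """Deadline to answer a subject access request: one month, three if complex."""
    received = date.fromisoformat(received_iso)
    return add_months(received, 3 if complex_request else 1).isoformat()


def export_personal_data(user_id):
    """Access / portability: return everything held about the user as JSON."""
    user = USERS[user_id]
    record_activity("subject access / portability export", user.keys(),
                    recipients=["data subject"])
    return json.dumps(user, sort_keys=True)


def erase_user(user_id):
    """Right to be forgotten: delete the record and log that the erasure happened."""
    removed = USERS.pop(user_id, None)
    if removed is None:
        return False
    record_activity("erasure on data subject request", removed.keys())
    return True
```

The export and erasure paths both append to the processing record, so the log itself evidences that each request was honoured and when.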
That’s not all!
Apart from the above steps, you might need to appoint a data protection officer if you are a public authority or if you carry out large-scale monitoring, collection or processing of personal data. If you are not sure how to get your app to adhere to GDPR guidelines, you can always contact experts who have developed and launched GDPR-compliant apps. Connect with the mobile app development leaders at Intuz for a free consultation to make your existing app GDPR compliant.
Planning to develop an app without worrying about GDPR compliance? Get in touch!
This article was originally published here.