Top Tips to Make your App GDPR Compliant
The GDPR, or General Data Protection Regulation, is the EU law on data protection and privacy. Its aim is to give data subjects explicit control over their personal data.
This means that if your company processes the personal data of people located in the EU, GDPR applies to you, even if the company is registered in a country outside the EU.
How does GDPR impact mobile app owners?
GDPR is significant because it is the first regulation to address the privacy of app users this comprehensively and to back that protection with real enforcement. As an app owner you therefore need to take a fresh look at how you plan and develop an app, so that it meets the GDPR requirements in full.
The problem is that the regulation does not contain step-by-step instructions for making an app compliant. It consists of general principles that must be kept in mind while building software.
It is also worth noting that if your app does not protect personal data adequately, users will leave. Conversely, visible and credible protection of personal data can attract users and customers.
Taking the right measures to meet the GDPR standard therefore adds value to your business.
What does it mean to be GDPR compliant?
Before you get riled up about how to make your mobile app GDPR compliant, it is important to understand what being compliant actually means. The main points of the regulation are listed here so that you understand it before getting into the details.
Users have the right to erasure (the "right to be forgotten"). A user can, at any time, request deletion of all their personal data from your entire system, including backups and third-party processors, and you must comply unless a legal ground for retaining the data applies.
Where you rely on consent, it must be explicit. A business cannot work on "presumed consent" and assume that users agree simply because they are using the app. You must ask users for their consent before you collect, use or transfer any personal data on that basis, and they must be able to withdraw it as easily as they gave it.
You are required to notify the supervisory authority and, where the breach is likely to result in a high risk to them, the affected users about data breaches. The authority must be informed within 72 hours of you becoming aware of the breach; affected users must be informed without undue delay.
Privacy by design and by default. Privacy and data protection must be a core requirement of any project, not an afterthought. Personal data in your app must only be accessible to the people and components that genuinely need it.
Data Protection Officer. A DPO is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data. The DPO is responsible for overseeing how users' personal data is managed and safeguarded.
What do you mean by ‘Personal Data’ in context of GDPR?
Under GDPR, personal data is any information relating to an identified or identifiable natural person, that is, someone who can be identified directly or indirectly, in particular by reference to an identifier.
This is a broad scope. It covers everything from a name or e-mail address to a cookie that an analytics tool places in someone's browser in order to track their usage of a website.
As an app owner you therefore have to think not only about how you collect and store obvious identifiers such as names and e-mail addresses, but also about IP addresses, advertising identifiers and unique device IDs.
Now that the basics are in place, it is time to get into the actual implementation and compliance work. The following guidelines will make it easier to make your mobile app GDPR compliant.
1. Only ask for personal data that is of absolute importance
The single most effective way to protect your users' privacy is to store as little personal data as possible. This applies to every kind of data: name, date of birth, country of residence or origin, and so on.
In many cases some data is unavoidable, because it is needed for the app to function or for other technically critical reasons.
Whether you need a lot of information or just a few details, the developers and the app owner must sit down together, decide which data is of absolute importance to the app, and ask only for that. Do not give in to the temptation to use the app as an excuse to mine as much data as possible; every extra field you collect is data you must protect, disclose and be able to delete.
2. Make sure that all the personal data is encrypted and inform the users about it
Encryption transforms data into a form that can only be read by someone who holds the decryption key. Hashing is a different, one-way operation: a hash cannot be turned back into the original value, so it is the right tool for passwords (which you never need to read back) but not for data you must display or use later, such as a name or an e-mail address. If your mobile app needs to collect and store personal data, use both tools for what they are good at: hash passwords with a slow, salted password hashing function, and encrypt other personal data at rest with a robust, well-reviewed algorithm. Keep the encryption keys in a separate, access-controlled location (a key management service or hardware module); a key stored next to the data it protects adds nothing in a breach.
The 2015 Ashley Madison breach showed the consequences: the personal data that had been stored in readable form was immediately usable by anyone who obtained the dump, and the harm to users could not be undone.
The lesson for every digital entity that collects personal data is that names, phone numbers, addresses, countries of residence and every other shred of information must be protected in storage, so that a breach of the database alone does not expose usable data. Encryption limits what an attacker can extract, but only if the keys are not compromised along with the data, so treat key management as part of the design rather than a detail.
Once you have put this protection in place, tell your users about it in your privacy notice: they are entitled to know how their data is secured, and it is a selling point.
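The passage above draws the line between hashing (one-way, for passwords) and encryption (reversible, for data you must read back). The following added example, written for this article and not code from the original page, shows the one-way half with the Python standard library: scrypt for password storage with a fresh random salt per user, constant-time verification, and a keyed hash (HMAC) to pseudonymise device identifiers for analytics so that the analytics store never holds the raw ID. Reversible encryption of names and e-mail addresses needs a library such as `cryptography` (AES-GCM) and is deliberately left out so that this block runs offline. The scrypt cost parameters and the field names in the sample record are assumptions to be tuned for your own app.

```python
import hashlib
import hmac
import secrets
from typing import Any, Dict, Optional

# Assumed cost parameters: N=2**14, r=8, p=1 uses about 16 MiB of memory per
# hash; raise N as your hardware allows, because a higher cost slows attackers.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt_hex$hash_hex'.

    scrypt is a deliberately slow, salted, one-way key derivation function:
    the stored record can verify a password but cannot be reversed to reveal
    it. A fresh random salt per user means equal passwords give different
    records, which defeats precomputed (rainbow table) attacks.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_BYTES)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and compare
    in constant time, so timing does not leak how many bytes matched."""
    try:
        algo, n, r, p, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    expected = bytes.fromhex(digest_hex)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed one-way mapping of an identifier (device ID, IP address) to a
    stable pseudonym. Without the key, the pseudonym cannot be linked back to
    the identifier, so keep the key out of the analytics store."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def prepare_for_storage(user: Dict[str, Any], analytics_key: bytes) -> Dict[str, Any]:
    """Apply the right one-way treatment to each field of a sign-up record.

    password  -> scrypt record (never stored in the clear)
    device_id -> HMAC pseudonym (analytics never sees the raw ID)
    Fields you must read back (name, e-mail) are passed through here and
    would be encrypted at rest with a proper library before being written.
    """
    out = dict(user)
    out["password"] = hash_password(user["password"])
    out["device_id"] = pseudonymise(user["device_id"], analytics_key)
    return out


if __name__ == "__main__":
    # Constructed sample input, not real user data.
    analytics_key = secrets.token_bytes(32)  # keep this in a KMS in production
    signup = {"email": "alice@example.com", "password": "correct horse battery staple",
              "device_id": "e4f1-constructed-device-id"}
    stored = prepare_for_storage(signup, analytics_key)
    print(stored)
    print(verify_password("correct horse battery staple", stored["password"]))  # True
    print(verify_password("wrong", stored["password"]))                         # False
```

Store the scrypt parameters inside the record, as shown, so that you can raise the cost later and re-hash old records on the user's next login without a migration.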
3. Leverage HTTPS to enforce secure communications
In an era this sensitive to data protection and privacy, not using HTTPS is a blunder. Your app may not need any form of authentication, and you may conclude that it does not need HTTPS either, but there is a good chance you have overlooked something. A "Contact Us" form, for example, collects personal data. If that information travels over the network unencrypted, anyone on the path between the device and your server (a public Wi-Fi hotspot, an ISP, a compromised router) can read or modify it.
Enforce TLS for every request, not just login: redirect plain HTTP to HTTPS, send an HSTS header so browsers and web views refuse to downgrade, and do not allow the app's HTTP client to fall back to clear text. Deploy TLS properly as well: disable SSLv3, TLS 1.0 and TLS 1.1, which have known protocol weaknesses, allow only TLS 1.2 and 1.3 with modern cipher suites, and validate server certificates in the app instead of disabling the check "to make it work".
4. Explain the process clearly
Under GDPR, your app must explain clearly and in plain language how each item of personal data will be used, and it must ask for consent separately for each purpose rather than bundling everything into one "I agree". These details must be shown before the data is collected, that is, in the store listing and privacy notice and again on first run before the first request for data. For each field, tell users exactly what you will do with it, who it will be shared with and for how long you intend to keep it.
5. Time out sessions & destroy cookies
If you use cookies or equivalent client-side identifiers, users must know about it. Tell them that your application uses cookies, and let them choose whether to accept or reject any that are not strictly necessary for the app to work.
In addition, session cookies must be invalidated when the user logs out and after a period of inactivity. Expire sessions server-side after a short idle timeout (a few minutes for a sensitive app, longer for a low-risk one) and after an absolute lifetime regardless of activity, so that a stolen session token stops working by itself. When a session ends, delete it on the server and clear the cookie on the client; relying on the cookie's own expiry date is not enough, because an attacker who has copied the token can keep using it on the server until it is actually destroyed there.
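The session handling described above, as an added example written for this article rather than code from the original page: a server-side session store with an idle timeout, an absolute lifetime, explicit destruction on logout, and the cookie headers that go with it. The timeout values and the cookie name are assumptions; the injectable clock exists so that expiry can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60          # assumed: log out after 15 minutes without activity
ABSOLUTE_LIFETIME = 8 * 3600    # assumed: re-authenticate after 8 hours regardless
COOKIE_NAME = "session"         # assumed cookie name


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


class SessionStore:
    """In-memory store; a production app would use Redis or a database, but
    the expiry rules below are the same."""

    def __init__(self, clock: Callable[[], float] = time.time,
                 idle_timeout: float = IDLE_TIMEOUT,
                 absolute_lifetime: float = ABSOLUTE_LIFETIME) -> None:
        self._clock = clock
        self._idle = idle_timeout
        self._abs = absolute_lifetime
        self._sessions: Dict[str, Session] = {}

    def _expired(self, s: Session, now: float) -> bool:
        # Either rule alone ends the session: too long idle, or too old overall.
        return now - s.last_seen > self._idle or now - s.created_at > self._abs

    def create(self, user_id: str) -> str:
        # 256 bits from the OS CSPRNG: unguessable, and never derived from user data.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user_id, now, now)
        return sid

    def resolve(self, sid: str) -> Optional[str]:
        """Return the user for a live session and refresh its idle timer.
        An expired session is destroyed on sight, so a copied token cannot
        be revived by presenting it later."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if self._expired(s, now):
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s.user_id

    def destroy(self, sid: str) -> None:
        """Logout: remove the session server-side so the token is dead
        even if the client keeps the cookie."""
        self._sessions.pop(sid, None)

    def purge_expired(self) -> int:
        """Background sweep so idle sessions do not linger until someone
        happens to present them. Returns the number removed."""
        now = self._clock()
        dead = [sid for sid, s in self._sessions.items() if self._expired(s, now)]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)


def set_cookie_header(sid: str, max_age: int = IDLE_TIMEOUT) -> str:
    """Set-Cookie value for a new session. Secure: HTTPS only. HttpOnly: not
    readable by script. SameSite=Lax: not sent on cross-site POSTs."""
    return f"{COOKIE_NAME}={sid}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


def clear_cookie_header() -> str:
    """Set-Cookie value that makes the client drop the cookie at logout."""
    return f"{COOKIE_NAME}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")          # constructed user
    print(set_cookie_header(sid))
    print(store.resolve(sid))            # alice
    store.destroy(sid)
    print(store.resolve(sid))            # None
    print(clear_cookie_header())
```

The cookie's Max-Age only tells a well-behaved client when to forget the token; the server-side check in resolve() is what actually ends the session, which is why both are needed.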
6. User activity must not be tracked for business intelligence
Some e-commerce companies use their apps to track users in order to understand buying behaviour from their searches and the products they buy. Because you are monitoring users' personal tastes and choices for commercial gain, users must be able to accept or reject this tracking, and the app must work for those who reject it. If users do accept, they must also be told why the data is collected and for how long it will be stored. Keep tracking data separate from account data where you can, and here too, remember to protect it in storage.
7. Make users aware of any logs that save their location or IP addresses
Your mobile application may use IP addresses or location as inputs to authentication and authorisation decisions, and log them so that attempts to bypass those controls can be investigated. Users must be told that this happens and for how long the logs are kept, and the retention period should be enforced by deleting old entries, not just written into the policy. These logs must never include sensitive values such as passwords, tokens or one-time codes, even on a failed login: a log line like "login failed for alice with password hunter2" turns every log reader and log aggregator into a credential store.
8. Terms & conditions should be clear & users must read them
The terms and conditions and the privacy notice you publish in your app or on your site must be easy to understand. They exist for the benefit of your users, so write them in plain language rather than legal boilerplate, and keep them short enough that a person can actually read them on a phone screen.
As the app owner it is your responsibility to present these terms in a way that users can read and understand, to obtain an explicit action of consent (a ticked box or a tapped button, never a pre-ticked one), and to keep a record of what each user consented to and when, so that you can demonstrate it later.
Disclaimer – Please be advised that you must seek legal counsel in order to make your app completely compliant with GDPR.