Due to come into effect on 25th May 2018, the General Data Protection Regulation (GDPR) has been passed to give EU citizens better protection over their personal data, and more specifically how it is handled by organisations.
Because the regulation covers “personal data”, it will impact a huge number of organisations within the EU, both consumer-facing brands and enterprises, and will continue to affect the UK regardless of Brexit decisions. GDPR defines “personal data” as any data record that could identify an individual, such as names, phone numbers and addresses, and now also encompasses digital information, such as GPS locations, behaviour, usernames and more. This means that, in some way or another, all businesses are affected, and if you own an app, you’ll be affected too.
Another significant change is that traditionally, “personal data” was the sole responsibility of the main data owner. However, under the new regulations, any company or individual that processes or handles the data will be responsible for its protection, including third parties and cloud providers.
You can read the full documentation on the GDPR here, but in short, the regulations include:
Violation of and failure to comply with any of the GDPR regulations will result in a fine of 4% of annual turnover, or 20 million Euros. One of the key requirements of the GDPR is that businesses can prove they are adhering to the regulations when asked, providing documentation to support the changes made and the procedures in place to protect user data.
Data protection isn’t just about keeping customers’ information safe; it’s about keeping track of changes and data access, both digital and physical. This means that if you’re managing and processing personal data, you must record a complete history of changes.
You’ll need to understand how you obtain, transfer, store and handle data, how your current processes ensure maximum security and how they can be improved. First and foremost, your development agency should produce a data flow map to understand exactly what data is stored, transmitted and collected from mobile devices, helping to pinpoint vulnerabilities and areas which may need additional security. They will also be able to suggest upgrades to servers and configure relevant firewalls.
In addition to this, your developers, whether they are in house or an app development agency, should encrypt and secure any data that moves between your app and the server, and hash user passwords adequately.
And because mobile devices harvest a lot of contextual information, such as location, usernames, connected accounts and more, you’ll also need to consider the following:
The GDPR states that “a data subject should have the right to have his or her personal data erased and no longer processed where the personal data is no longer necessary in relation to the purpose for which they are collected or otherwise processed”.
This means that users can not only request changes to their data, but can also request to have all their data deleted. All organisations will need to have a system or process in place to locate the specific data and remove it. This includes all services and backup systems, so the data cannot be recovered from anywhere.
All businesses will be required to ask for consent from the user up front. This needs to include what data you are collecting, why you’re collecting it, how it will be processed, how you will protect it, how it’s moved and how long it will be stored for.
With the number of sensitive data leaks on the rise, the GDPR enforces tighter deadlines for businesses to notify both the authorities and users when a leak occurs. If a company encounters a data breach, it must notify the national supervisory authorities within 72 hours.
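Two of the requirements above, locating and removing a subject’s data across every service and recording a complete history of changes, fit naturally into one component. The following is an added example (not code from the original article) of an erasure service that walks a registry of data stores, erases the subject from each, writes an audit entry per step, and refuses to report success until a verification pass finds nothing left. The in-memory stores, record layouts and subject IDs are constructed stand-ins for real databases, analytics tables and backup sets.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Protocol, Tuple


class PersonalDataStore(Protocol):
    """Anything holding personal data must be able to find and delete by subject."""
    name: str

    def locate(self, subject_id: str) -> List[str]: ...
    def erase(self, subject_id: str) -> int: ...


class DictStore:
    """Constructed in-memory stand-in for a table, cache or restorable backup."""

    def __init__(self, name: str, records: Dict[str, dict]):
        self.name = name
        self.records = records            # record_id -> {"subject_id": ..., ...}

    def locate(self, subject_id: str) -> List[str]:
        return [rid for rid, rec in self.records.items() if rec["subject_id"] == subject_id]

    def erase(self, subject_id: str) -> int:
        ids = self.locate(subject_id)
        for rid in ids:
            del self.records[rid]
        return len(ids)


class ReadOnlyStore(DictStore):
    """Stand-in for a store that cannot be edited (e.g. a legacy export)."""

    def erase(self, subject_id: str) -> int:
        raise PermissionError(f"{self.name} is read-only")


@dataclass
class AuditEntry:
    timestamp: str
    subject_id: str
    store: str
    action: str
    detail: str


class ErasureService:
    def __init__(self, stores: List[PersonalDataStore]):
        self.stores = list(stores)
        self.audit_log: List[AuditEntry] = []   # the "complete history of changes"

    def _log(self, subject_id: str, store: str, action: str, detail: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(AuditEntry(stamp, subject_id, store, action, detail))

    def data_map(self, subject_id: str) -> Dict[str, List[str]]:
        """Where does this subject's data live? Answers the data-flow-map question."""
        return {store.name: store.locate(subject_id) for store in self.stores}

    def erase_subject(self, subject_id: str) -> Dict[str, int]:
        """Erase everywhere, log each step, then verify; raise if anything remains."""
        report: Dict[str, int] = {}
        for store in self.stores:
            try:
                removed = store.erase(subject_id)
                self._log(subject_id, store.name, "erase", f"removed {removed} record(s)")
                report[store.name] = removed
            except Exception as exc:            # a failing store must not hide the others
                self._log(subject_id, store.name, "erase_failed", repr(exc))
                report[store.name] = -1
        leftovers = {name: ids for name, ids in self.data_map(subject_id).items() if ids}
        if leftovers:
            self._log(subject_id, "*", "verify_failed", str(leftovers))
            raise RuntimeError(f"data for {subject_id} still present in {sorted(leftovers)}")
        self._log(subject_id, "*", "verify_ok", "no records remain")
        return report


def build_demo_service() -> Tuple[ErasureService, List[DictStore]]:
    """Constructed sample data: two subjects spread over three stores."""
    stores = [
        DictStore("users-db", {"r1": {"subject_id": "u-42", "email": "a@example.org"},
                               "r2": {"subject_id": "u-7", "email": "b@example.org"}}),
        DictStore("analytics", {"e7": {"subject_id": "u-42", "lat": 51.5, "lon": -0.1},
                                "e8": {"subject_id": "u-7", "lat": 48.8, "lon": 2.3},
                                "e9": {"subject_id": "u-42", "lat": 51.6, "lon": -0.2}}),
        DictStore("nightly-backup", {"b3": {"subject_id": "u-42", "email": "a@example.org"}}),
    ]
    return ErasureService(stores), stores


if __name__ == "__main__":
    service, _ = build_demo_service()
    print("before:", service.data_map("u-42"))
    print("report:", service.erase_subject("u-42"))
    for entry in service.audit_log:
        print(entry)
```

The verification pass is what turns “we ran the delete” into something you can show an authority: the audit log records every store touched, the outcome, and a final check that the subject no longer appears anywhere. Where a backup genuinely cannot be rewritten, the usual approach is to keep each subject’s data encrypted under its own key and destroy that key on erasure, so the backup copy becomes unrecoverable without being edited; that design is not shown here.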
To ensure this is possible, you may need to invest in better technology to ensure a continuous surveillance of your data and prepare a disaster recovery procedure and plan.
The GDPR refers to a new approach businesses should take to projects, promoting privacy and data protection compliance from the start. This means that when developing a new app, you need to ensure privacy and data protection are a key consideration in the initial stages of the project and throughout its entire lifecycle, encompassing the build of additional IT systems to store and access data, developing new legislation and conducting regular risk assessments.
The GDPR requires some businesses to create a Data Protection Officer position to facilitate the new regulations: someone qualified in the field of data protection who can assist with fulfilling and monitoring compliance and with communication with national authorities. This can either be managed in house or outsourced.
If you’re an entrepreneur or an SME you are exempt from this rule; however, if you are an enterprise with over 250 employees, you will need to investigate hiring a Data Protection Officer.
For app owners, both consumer and enterprise, it’s key that you have complete visibility and real-time control over app usage and activity in a centralised way, putting protection of users’ data at the forefront of your business.
We know the regulations are a bit daunting and confusing, and there are lots of variables thrown into the mix; however, any good development agency will be able to guide you through the changes and ensure your data is fully protected. If you’re considering building a consumer or enterprise app and are worried about how these changes could affect you, then give us a call today.