What does the EU GDPR mean for your app?

Due to come into effect on 25th May 2018, the General Data Protection Regulation (GDPR) has been passed to give EU citizens better protection over their personal data, and more specifically how it is handled by organisations. So what do we know about GDPR for apps and app development?

Because the regulation covers “personal data” it will impact a huge number of organisations within the EU. Both consumer facing brands and enterprises, and will continue to affect the UK regardless of Brexit decisions. GDPR defines “personal data” as any data record that could identify an individual, such as names, phone numbers and addresses. And now also encompasses digital information, such as GPS locations, behaviour, usernames and more. Which means in some way or another, all businesses are affected, and if you’re looking to develop an app, you’ll be affected too.

Another significant change is that traditionally, “personal data” was the sole responsibility of the main data owner. However under the new regulations, any company or individual that processes or handles the data will be responsible for its protection. This includes third parties and cloud providers.

What it outlines

You can read the full documentation on the GDPR here, but in short, the regulations include;

• Right to be forgotten: Users can request to have all their data deleted
• Explicit Consent: Businesses must request consent to collect, use and move data
• Mandatory data breach notifications: The authorities and users must be notified of data leaks within 72 hours
• Privacy by Design: Privacy and data protection is a key consideration at the start and throughout a project lifecycle
• Data Protection Officer: Large enterprises need to employ someone dedicated to managing data protection

The Consequences

Violation and failure to comply with any of the GDPR regulations will result in a fine of 4% annual turnover, or 20 million Euros. And one of the key requirements from the GDPR is that businesses can prove that they are adhering to the regulations when asked. Providing documentation to support the changes made and the procedures in place to protect user data.

So what should app owners be aware of?

Data protection isn’t just about keeping customer’s information safe, it’s about keeping track of changes and data access. In both digital and physical states. This means if you’re managing and processing personal data, you must record a complete history of changes.

You’ll need to understand how you obtain, transfer, store and handle data.  Including how your current processes ensure maximum security and how they can be improved. First and foremost, you should conduct a data flow map to understand exactly what data is stored, transmitted and collected from mobile devices. Helping to pinpoint vulnerabilities and areas which may need additional security. They will also be able to suggest upgrades to servers and configure relevant firewalls.

In addition to this, your developers, whether they are in house or an app development agency, should encrypt and secure any data that moves between your app and the server. In addition to adequate hashing of user passwords.

Mobile devices harvest a lot of contextual information, such as location, usernames, connected accounts and more. Which means you’ll also need to consider the following;

Right to be Forgotten

The GDPR states that “a data subject should have the two rights. The right to have his or her personal data erased. And no longer processed where the personal data is no longer necessary in relation to the purpose for which they are collected or otherwise processed”

Meaning that users can not only request changes to their data, but they can request to have all their data deleted. All organisations will need to have a system or process in place to locate the specific data and remove it. This includes all services and backup systems, so the data cannot be recovered from anywhere.

Explicit Consent

All businesses will be required to ask for consent from the user up front, unless you have legal means to process the data. This needs to include what data you are collecting and why you’re collecting it. As well as it will be processed, how you will protect it, how it’s moved and how long it will be stored for.

This means that you will need to create an updated privacy policy or terms of service that define all of the above. And to comply with the GDPR regulations, this needs to be explained in “clear and plan language” to the user. More information can be found in Article 6.

Breach Notifications

With the number of sensitive data leaks on the rise, the GDPR are enforcing tighter deadlines for businesses to notify both the authorities and users when a leak occurs. If a company encounters a data breach, they must notify the national supervisory authorities within 72 hours.

To ensure this is possible, you may need to invest in better technology to ensure a continuous surveillance of your data. As well as preparing a disaster recovery procedure and plan.

Privacy by Design

The GDPR refers to a new approach businesses should take to projects. Promoting privacy and data protection compliance from the start. This means that when developing a new app, you need to ensure privacy and data protection is a key consideration. Both in the initial stages of the project, and throughout its entire life cycle. Encompassing the build of additional IT systems to store and access data, developing new legislations and conducting regular risk assessments.

Data Protection Officer

GDPR have requested that some businesses need to create a Data Protection Officer position to facilitate the new regulations. Someone who is qualified in the field of data protection who can assist with fulfilling, controlling and communication with national authorities. This can either be managed in house, or outsourced.

If you’re an entrepreneur or an SME you are exempt from this rule. However if you are an enterprise with over 250 employees, you will need to investigate hiring a Data Protection Officer.

For app owners, both consumer and enterprise, it’s key that you have complete visibility and real-time control over app usage and activity in a centralised way. Putting protection of users data at the forefront of your business.

*This article is intended to be a guide. We recommend you still seek full legal advice to understand specific requirements for your business. 

To help you navigate through these changes, we’ve created a handy GDPR for Apps Infographic and Checklist for you to follow.

Developing an app and still unsure about GDPR for apps?

We know the regulations are a bit daunting and confusing, especially if you’re about to develop a new app. There’s lots of variables that are thrown into the mix. However any good app development agency like Sonin will be able to support the security requirements when building a new app. Ensuring your data is fully protected. Are you considering building a consumer app or enterprise app and want to ensure you’re GDPR compliant? Give us a call today.