The new General Data Protection Regulations are forcing all companies to reassess their data collection, data processing and security procedures. This includes assessing all partnerships with data processors, including; digital agencies, marketing agencies and app development agencies. Part of this means making sure you’re working with GDPR-compliant app developers.

Ultimately, you as a business or individual are responsible for the data you collect and process on your users.

However, if you work with an agency it’s worth checking that they are following GDPR best practice too.

The nature of app agencies means that they have been keeping data secured and locked down for years on behalf of clients. Encrypting sensitive data is standard best practice and building data flows is part of the app development process. So, when GDPR comes into place, agencies will need to continue protecting clients’ data alongside a few new changes.

What responsibilities do agencies have under GDPR?

It can often be difficult to determine where the responsibility lies in terms of GDPR when working with an app agency. However, as explained by the ICO, there is a clear differentiation between a “data controller” and a “data processor”.


This means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are, to be processed. Which is likely to be you as an individual or your company.


In relation to personal data, this means any person who processes the data on behalf of the data controller. Who is likely to be your app agency?

What are GDPR-compliant app developers required to demonstrate under the new regulations?

As a data processor, your app agency will take the lead from you the data controller as to what data to process and collect. However, there are a few things they’ll have to do to comply with GDPR which may include;

  • Keep a record of all requests made by the data controller, in terms of collecting, storing and processing data
  • Record information on any processing activities it has carried out on behalf of the controller
  • Create an enforce a breach notification processes
  • Ensure data is adequately secured and encrypted
  • A data processor also cannot bring in other data processors without clear permission from the controller

In addition to this, the data controller may request a new agreement with the data processor which covers things required of the GDPR. Such as the nature and purpose involved with data processing and an outline of the obligations of both the controller and the processor.

A new study by SafeDK reports that 55% of apps may not meet GDPR privacy standards in time.  This means the race is on to ensure your mobile app is GDPR compliant. And whilst an app agency can provide you with guidance on how they keep data secure as a data processor, it’s your responsibility as a data controller to ensure your app is ready for GDPR.

*This information has been provided as a guide to those looking for more information. If you are still unsure about what your business needs to do regarding GDPR we recommend you seek full legal advice.

So, what do you need to do next?

Download our GDPR for Apps Infographic and Checklist!

To help, we’ve created a handy GDPR for apps infographic and checklist to help you complete a GDPR audit for your app.

We recommend you check out our GDPR for Apps Infographic and Checklist