The long-awaited General Data Protection Regulation (GDPR) has come into effect from 25th May 2018. It is introduced by the European Parliament to address the export of personal data of citizens outside the European Union (EU) and the regions that come under the European Economic Area.
The new regulation has led to sweeping changes in the way organizations collect and process consumer data of individuals in the EU. Here is everything organizations and app developers should know as the new GDPR is being implemented.
What is GDPR?
The new GDPR, which was agreed upon by the European Parliament and Council in April 2016, supersedes the Data Protection Directive from 1995. It contains provisions and requirements for processing personal identifiable information of people in the EU, regardless of their location or citizenship.
According to the GDPR, businesses should implement appropriate technical and organizational measures to comply with the new regulation while handling personal data of the people in the EU. By personal data, the regulation refers to a broad range of personal information like name, email ID, images, bank details, social media posts, medical-related information, IP address of the system, etc. It is also intended to protect the health and genetic data, racial and ethnic data, political opinions, sexual orientation, etc. If a business fails to abide by the new regulation, the regulator can enforce a maximum fine of 4% of an organization’s annual turnover.
Primarily, GDPR is aimed to protect the privacy rights of the user. As the regulation is already in action, the user is now more empowered to demand the organization to disclose the personal data it gathers and holds. Furthermore, the user can request the organization to delete any information if it infringes the right to privacy.
Wondering whether GDPR is applicable to your business or not?
Any business in the world that have users from the European Union are obliged to follow the new regulation, regardless of their location.
The 4 major aspects of GDPR
With the implementation of GDPR 2018, every business is forced to consider data protection as a priority. It has become a prerequisite for medical app developers and business owners alike to get familiar with the aspects of the regulation, provided their business is collecting data from the people in the EU.
As a developer building apps that cater to visitors from the EU, you should be aware of where and how GDPR is applied to the data. Also, you should know about the new features and functionalities to be introduced for your customers to be GDPR-compliant. Here are the four key aspects of GDPR from the technical perspective.
- Data flow
Data flow refers to mapping the way through which the data travels in your organization. In order to be GDPR-compliant, organizations should provide a detailed history of how and where data is collected, how it is processed and who has access to it.
- Explicit consent
With the new regulation in place, developers should introduce the required features to obtain consent from users in order to collect and process their data. Organizations are now obliged to reveal to the user the amount of information collected and how it is used within the organization.
- Right to access
As mentioned earlier, GDPR is all about protecting the privacy of the user. The users of your mobile app are empowered by law to request information on anything and everything related to their data. It should be provided to the user within 30 days of the request. Therefore, developers should plan beforehand for how to report this information.
- Right to be forgotten
Here’s one of the most important aspects of the new GDPR 2018. The users have the right to put a request to the organization to delete any personal data or identifiable information about them. However, this privilege of the user can become challenging for the developer. For example, for apps of e-commerce businesses and that of a similar nature, it is required to retain certain data for auditing purposes but users may ask for data deletion. And the way out is to discuss with lawyers and find out feasible solutions that are compliant with the GDPR.
Your complete guideline for building GDPR compliant apps
No matter how small or big your organization is, you are obliged to follow GDPR if you have visitors or users in the EU.
Listed below is a GDPR compliance checklist for mobile app developers to build GDPR compliant apps.
- Determine what data is necessary for your business
Developers and the management should put in an effort to determine what data is really important for your mobile app. Some business may require basic information like date of birth or country of residence while others may need additional information. The golden rule is when you build your mobile app, make sure you gather and process data that is absolutely necessary for your business. Remember, you are obliged to justify to the user why you are collecting specific data.
- Implement data encryption for improved security
When personal data is stored as clear text, the chance of a data breach stands high. Therefore, it is necessary to employ strong encryption algorithms to lessen the impact of a data breach. Moreover, it is important to inform your users that the personal data collected from them is strongly encrypted and hashed to minimize the chance of data extraction by third parties.
- Data portability
You can take advantage of open protocol tools like OAuth. This will let users create accounts by providing another account and they need to reveal only the authentication ID.
- Use HTTPS for secure communications
Make sure your mobile app uses SSL or HTTPS to enhance the security during external communication with the user. Most of the mobile apps overlook the importance of HTTPS and SSL. With the new regulations in place, it is necessary to deploy SSL properly and improve the security of your apps.
- Encrypt data from ‘Contact us’ forms
The ‘contact us’ form in your app or website prompts the user to submit information like email id, phone number, etc. If this data is in clear text, it can lead to a data breach. You should use strong encryption algorithms for storing this information. Furthermore, it is necessary to inform the people how this data through ‘contact us’ form is stored and processed.
- Inform about cookies
- Permission-based user activity tracking
Most of the e-commerce applications track buyer’s choices and shopping history for commercial purposes. From now on, developers should add features to take permission from the user to track the information. If the users accept the request to track their shopping choices, they should be informed about how, where, why and till when the data is going to be stored within the organization.
- Inform users about logs
If your application tracks the location or IP address of the users, you are obliged to inform them about it. They should also be told about how long the log and IP address will be stored within the system. Moreover, make sure the logs are not storing any sensitive information.
- Encrypt the logs
The management should take necessary steps to store the logs that contain information of users. And the users should be promptly informed about how you store and process the logs. The logs should also be encrypted to ensure security.
- No personal components in security questions
If your application uses security questions to confirm the identity of the user, make sure the questions should not include any personal components. Preferably, you can opt for two-factor authentication to replace security questions. If users create their questions, warn them to avoid the personal components. Also, all the information you get through security questions should be encrypted using strong algorithms.
- Prompt the user to read the terms and conditions
According to the new GDPR, the terms and conditions should be clearly made visible on the landing page of the application and when the visitor navigates within the application. Moreover, it is clearly instructed that the language used to frame terms and conditions should be simple and easy to understand. If there is any change in the terms and conditions, users should agree to it as well before they use the app.
- Let users know about your data sharing policy
It is usual that most applications use external plugins to track or process data. The developers should make it a point to inform the users in case the data is shared with a third party. Ensure that the details of data sharing are clearly stated in the terms and conditions.
- Do not store data of deleted users
The new GDPR stresses on the right to be forgotten hence the management should scrub the account information and any personally identifiable data about the user once they delete the account. The users should be informed about this as well.
- Inform users about the data breach
The new regulation gives the right to the user to be informed if any data breach occurs and it is the responsibility of the management to inform the users in such situations.
- Install programs to assess cyber risks
Security vulnerabilities are a serious issue for any system and a failure to fix the vulnerability can lead to a data breach. Hence, it is the responsibility of the management to assess any such cyber risks and to apply a patch to avoid data breaches.
The GDPR is considered to be one of the most significant recent regulations pertaining to technology, internet, and privacy. The new guidelines have been carefully formulated to suit the growing role of digital technology. For companies, it is a mandatory legal requirement if you have visitors or users in the EU. Hence, it should be a priority to put the process in place to ensure GDPR compliance in your app-based business.
On the other hand, you get to exhibit the value you give to your users by respecting their privacy rights, and therefore the GDPR compliance can add value to your business. It has the capability to boost the customer confidence and give your business a competitive advantage.
Shailendra Sinhasane (Shail) is the co-founder and CEO of Mobisoft Infotech. He has been focused on cloud solutions, mobile strategy, cross-platform development, IoT innovations and advising healthcare startups in building scalable products.