GDPR and mobile apps: 5 steps to meet the regulations
The General Data Protection Regulation (GDPR) is the European regulation concerning personal data protection. With the endless increase in internet and app usage, our personal data is shared to the point that we no longer know who has access to it. Names, email addresses, phone numbers, IP addresses and much more are out in the wild. Users provide this data, but how it is used is rarely transparent.
For example, some major scandals demonstrated that personal information can be tapped to create targeted online ads. Personal data was used to profile voters in the US thanks to a personality-quiz app dating back to 2014.
The GDPR essentially gives users more control over their data. The main takeaways are a new transparency framework, a new compliance journey, and a new punishment regime. Complying with the GDPR is therefore the norm. So what does the GDPR mean for existing and new mobile applications?
GDPR for mobile apps: how to comply?
In other words, the GDPR is about data protection. These rules must be taken into account at every step of the development of your app. Whether you are choosing a business model or determining your mobile app design, you must bear in mind the way you will handle data and inform your users.
1. Security
The security of your app was already a prerequisite before the GDPR. The data collected via your mobile app, whatever its nature, must absolutely be secured. Depending on the type of data collected, you may even need to carry out a Data Protection Impact Assessment (DPIA). However, this will probably not affect many mobile apps, as a DPIA is only mandatory where the processing is likely to result in a high risk to the rights of the user. It is vital to ensure the app complies with the GDPR requirements and to identify any weakness that will require additional protection.
2. Data mapping
The crucial thing to do is to map the flows of data. You need to know where in your app you receive data from your users. Where does it come from? And where does it go? Keep in mind that you will have to explain to your users why you collect their data.
3. Privacy by design
As in the days before the GDPR, your users will have to agree to the app’s Terms & Conditions. Although they are supposed to read the whole document, we know very well that only a few ever will. At this stage, make sure your app’s Terms & Conditions align with the current GDPR legislation. Obviously, the same applies to the Privacy Policy, but you will now have to explain:
· What information you collect;
· Why you collect it;
· How it can be managed, deleted, updated, and exported by the user.
Within your app, you will have to ask for consent every time you make use of the user’s data. As mentioned above, they must be able to access and control their data at any time.
The Privacy by Design concept aims to minimise data collection and requires the user’s permission for data processing.
4. Right to Erasure
As explained in the previous section, users must be able to manage their data. Thanks to the so-called Right to Erasure, or Right to be Forgotten, the user can look into the collected data and modify or erase it. Once deleted, the data must not be restored from a backup or become accessible again, without any exceptions. Yet the right is not absolute and only applies in certain circumstances.
5. Extraterritoriality
The GDPR also applies to companies based outside the European Union. This means that if a business offers a product or service in the EU, or monitors the data of EU citizens, the regulation must be obeyed no matter where the business operates from. Online marketplaces, cloud-based apps and other apps intended for the international market will most certainly be affected.
To summarize all of the above: if you have already developed a mobile app, it is important to make all the necessary modifications as soon as possible. The fines for not complying with the GDPR can be huge. If you do not have an existing app yet but are planning to develop one, the new regulations will be one of the fundamental aspects of your project. Do not ignore the importance of the GDPR for mobile apps, as it is more likely to break your app – and your business – than to make it.