GDPR for mobile apps: 5 steps to meet the new regulation

Since May 2018, the General Data Protection Regulation has applied across the European Union, and mobile apps fall under the new law. That is why not only app users but also app providers have started to wonder what this really means and how the changes affect them with regard to data protection. In this article, we explain what the GDPR is and how your app can comply with the new requirements. Let’s start by explaining the regulation.

What is GDPR?

The General Data Protection Regulation (GDPR) is the latest European regulation concerning personal data protection. With the endless increase of internet and app usage, our personal data is shared to the point that we no longer know who has access to it. Names, email addresses, phone numbers, IP addresses and much more are out in the wild. Users provide this data, but how it is used is rarely transparent.

For example, the Cambridge Analytica scandal demonstrated that personal information can be tapped to create targeted online ads. Personal data was used to profile voters in the US thanks to a personality-quiz app dating back to 2014.

The GDPR essentially gives users more control over their data. The main takeaways are a new transparency framework, a new compliance journey, and a new punishment regime. Complying with the GDPR is therefore the norm. So what does the GDPR for mobile apps mean for existing and new applications?

[Image: GDPR notebook and pen. Image by Dennis Van Der Heyden via Flickr]

GDPR for mobile apps: how to comply?

You understood correctly: the GDPR is about data protection. The new rules must be taken into account at every step of your app’s development. Whether you are choosing a business model or determining your mobile app design, you must bear in mind how you will handle data and how you will inform your users.

  1. Data mapping

The first thing to do is to map the flows of data. You need to know where in your app you receive data from your users. Where does it come from? And where does it go? Keep in mind that you will have to explain to your users why you collect their data.

  2. Security

The security of your app was already a prerequisite before the GDPR. The data collected via your mobile app, whatever its nature, must absolutely be secured. Depending on the type of data collected, you may even need to carry out a Data Protection Impact Assessment (DPIA). However, this will probably not affect many mobile apps, as a DPIA is only mandatory where the processing is likely to pose a high risk to the rights of the user. It is vital to ensure the app complies with the GDPR requirements and to identify any weakness that will require stronger protection.

  3. Privacy by design

As before the GDPR, your users will have to agree to the app’s Terms & Conditions. Although they are supposed to read the whole document, we know very well that only a few ever will. At this stage, make sure your app’s Terms & Conditions align with the current GDPR legislation. Obviously, the same applies to the Privacy Policy, but you will now have to explain:

  • What information you collect;
  • Why you collect it;
  • How it can be managed, deleted, updated, and exported by the user.

Within your app, you will have to ask for consent every time you make use of the user’s data. As mentioned above, they must be able to access and control their data at any time.

The Privacy by Design concept aims to minimise data collection and requires the user’s permission for data processing.

[Image: lock with stars and apps. Image by TheDigitalArtist via Pixabay]

  4. Right to Erasure

As explained in the previous paragraph, users must be able to manage their data. Thanks to the so-called Right to Erasure, or Right to be Forgotten, the user can look into the collected data and modify or erase it. Once deleted, the data cannot be restored from a backup or made accessible again, without any exceptions. Yet the right is not absolute and only applies in certain circumstances.

  5. Extraterritoriality

The GDPR also applies to companies based outside the European Union. This means that if a business offers a product or service in the EU or monitors data of EU citizens, the regulation must be complied with, no matter where you operate from. Online marketplaces, cloud-based apps and other apps intended for the international market will most certainly be affected.

[Image: smartphone with stars and lock. Image by TheDigitalArtist via Pixabay]

If you have already developed a mobile app, it is important to make all the necessary modifications as soon as possible. The fines for not complying with the GDPR can be as high as 4% of your annual revenue or up to a €20 million fine. If you do not have an existing app yet but are planning to develop one, the new regulations will be one of the fundamental aspects of your project. Do not ignore the importance of the GDPR for mobile apps, as it is more likely to break your app – and your business – than to make it.
