10 Steps to Ensure Your Mobile App Meets GDPR Compliance Standards
What is the GDPR?
GDPR stands for the General Data Protection Regulation.
The GDPR will be enforceable from the 25th of May 2018. It is designed to regulate how user data is stored and used, and to ensure that users are in control of their data, rather than companies being in charge of it.
Key GDPR Definitions
To help you understand the GDPR for apps, there are a few key definitions that we will refer to throughout this article.
Data Controller: A Data Controller is the entity that determines the purposes for and means of collecting and processing personal data. If you own a website or mobile app, and you're deciding what is collected, how it is collected, and for what purpose, you are a Data Controller.
Data Processor: A Data Processor is an organization that processes personal data on behalf of a data controller. Examples are third-party services that plug into your website or app and access or host your customer data, such as analytics tools (Google Analytics, KISSMetrics) and cloud services (AWS).
Data subject: a natural person whose data is processed. For example, an app user or a website visitor.
For a full list of GDPR definitions, you can read Article 4 of the regulation.
Does the GDPR affect me?
Most likely, yes!
The GDPR applies to all businesses with customers, or website/mobile app visitors who are from the European Union (EU). This means that any organization in the world that works with EU residents' personal data in any manner has obligations to protect their users' data and be GDPR compliant.
What does "Personal Data" refer to under the GDPR?
"Personal Data" under the GDPR includes any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
The scope of this is broad, and includes anything from personal information, to a cookie placed on someone's browser by an analytics tracking tool you might use to track your website usage.
For your website or apps, this means you have to be considering how you collect and store personal identifying details such as names and email addresses, but also consider things such as users' IP addresses and device IDs (unique IDs that devices share with external SDKs for ads and analytics).
What does the GDPR mean for your mobile app?
The fines for not being GDPR compliant are high - either 4% of annual global turnover or €20 million (whichever is greater!).
With GDPR compliance becoming a requirement for every business with either customers or website visitors, or app users in the EU, you're probably concerned about whether or not your mobile app is GDPR compliant.
As a mobile app publisher, you will need to understand how you obtain, transfer, store, and handle your user data. You should take some time to understand exactly how you currently ensure data security for your users, and what you can do to improve this in order to have a GDPR compliant mobile app.
Cennydd Bowles sums up why you should be compliant, even if it may be a lot of work initially: "You may end up with less rich customer insights than you had before. Some KPIs may slump. But for companies that have direct customer relationships, it’s all manageable, and on the upside you not only reduce your compliance risk but benefit from the increased trust your customers will show in you and the online world in general."
There are some key highlights that are relevant to your mobile app and business in general that will help you ensure GDPR compliance.
The sections below cover the things you should consider in order to have a GDPR compliant mobile app.
1. Privacy by Design
Privacy by Design is now a legal requirement under the GDPR. From the moment you start creating your mobile app, you should be considering your users’ privacy.
According to GDPR Article 23, your app must only hold and process user data that is absolutely necessary.
This means that when you’re developing your mobile app, or having a third party develop it, you need to consider data protection and user privacy.
Privacy by Design is not a new concept. It means thinking about your users' data privacy in your app, website, or software from the very start, rather than leaving it as an afterthought. Part of privacy by design is deciding what data you need, and what data you don't. In Brian Pagan's overview of designing apps with privacy in mind, he asks whether you really need a user's name AND date of birth. In many cases, just one of these fields is enough. He writes: "the risk of someone opening a credit card in my name far outweighs the benefit of getting that “happy birthday” spam marketing e-mail from your company."
It's worth considering all options when designing and building your mobile app.
As well as being a legal requirement, your app users will appreciate the extra privacy considerations you have in place for their benefit!
Think about your user data from the very start, and don't let it be an afterthought.
If pages from your website are loading within your mobile app (e.g. a contact form), consider the data collection happening on the website when reviewing your app.
You should be thinking about Privacy By Design when you're creating new features, or creating a new page on your app in order to remain GDPR compliant.
As well as this, you should encrypt personal data with strong encryption algorithms. This will help you minimise the impact of a data breach.
2. Ask for Explicit Consent
Under the GDPR, businesses must request and receive user consent in order to collect, use, and move personal data.
This includes data collected for advertising, analytics, crash logging or anything else. The opt-in must be understandable and clear. You won't be able to get away with confusing Terms and Conditions that no one is likely to read or fully understand.
Explicit Consent can be granted easily through an opt-in screen when your app launches. Your app users chose to download your app in the first place, so the likelihood is, most people will be happy to grant consent in order to use your app and receive further communications from your business, provided the recipient can see a benefit.
When someone registers on your mobile app, they should be asked to opt-in to have their data collected, or to receive communications, such as emails or Push Notifications. We highly recommend showing a consent screen on app launch, as this is the only way to be fully GDPR compliant. You should also notify users on these screens exactly where their data will be used. For example, will they be tracked in Google Analytics, or have data sent to Google Admob to show them relevant ads? Your users need to know, and it's your obligation to inform them as soon as they begin using your GDPR compliant mobile app!
As well as this, your GDPR compliant mobile app should have a dedicated page where users can opt out of communications from you, or ask for their data to be removed.
MobiLoud provides mobile apps with a Push Notification settings page, which covers at least the consent for your app's notifications.
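As an added example (not code from the original article or from MobiLoud), here is a small per-purpose consent ledger of the kind an app backend could keep behind the consent screen described above: each third-party data flow is tied to a named purpose, a missing decision is treated as "no", a changed privacy-notice version forces a re-prompt, and withdrawal is as easy as granting. The purpose names, policy version and sample decisions are constructed for illustration.

```python
# Added example (not from the original article): a per-purpose consent
# ledger for a mobile app backend. Purposes, policy version and the
# sample decisions are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Each third party the app sends data to is tied to one named purpose, so
# the consent screen can list exactly where data goes (analytics, ads, ...).
PURPOSES = {
    "analytics": "Usage statistics sent to an analytics SDK",
    "ads": "Device ID shared with an ad network to show relevant ads",
    "push": "Push notifications from the app publisher",
    "crash_logs": "Crash reports sent to a crash-reporting service",
}
POLICY_VERSION = "2018-05"  # bump whenever the privacy notice changes


@dataclass
class ConsentRecord:
    user_id: str
    policy_version: str
    granted_at: str                               # ISO-8601 UTC, for the audit trail
    decisions: dict = field(default_factory=dict)  # purpose -> True/False


class ConsentLedger:
    """Stores explicit opt-in decisions and gates data flows on them."""

    def __init__(self):
        self._records = {}  # user_id -> ConsentRecord

    def record(self, user_id, decisions, now=None):
        unknown = set(decisions) - set(PURPOSES)
        if unknown:
            raise ValueError(f"unknown purposes: {sorted(unknown)}")
        # Purposes the user did not tick default to False: silence is not consent.
        full = {p: bool(decisions.get(p, False)) for p in PURPOSES}
        ts = (now or datetime.now(timezone.utc)).isoformat()
        self._records[user_id] = ConsentRecord(user_id, POLICY_VERSION, ts, full)

    def needs_prompt(self, user_id):
        """No record, or consent given under an older notice, means re-prompt."""
        rec = self._records.get(user_id)
        return rec is None or rec.policy_version != POLICY_VERSION

    def allows(self, user_id, purpose):
        if self.needs_prompt(user_id):
            return False
        return self._records[user_id].decisions.get(purpose, False)

    def withdraw(self, user_id, purpose):
        """Opt-out page: withdrawing consent is as easy as granting it."""
        self._records[user_id].decisions[purpose] = False


def init_sdks(ledger, user_id):
    """Return which third-party SDKs may be initialised for this user."""
    return [p for p in ("analytics", "ads", "crash_logs") if ledger.allows(user_id, p)]
```

Call `init_sdks` before starting any analytics, ads or crash-reporting SDK, so that nothing is sent for a purpose the user has not opted into.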
3. Providing Visibility and Transparency
One of the most important aspects of GDPR is how the data you collect is actually used. If you are a data controller, you need to be aware of how your users can effectively manage and protect their data.
You should also provide information to your users over which third parties you are using to collect or process user data.
You should also make sure that all third-party providers which collect any user data are GDPR compliant. They'll be "data processors", while you remain the "data controller". As such you should have written agreements in place which meet the level of assurances in terms of data protection and security which GDPR requires. For some of them, you'll be able to sign data processing agreements which add the required wording to the existing terms of your agreement.
If you've built your app based on your website's content and you're using MobiLoud, this is very simple and can be done by adding a link to your app's menu from the Menu Configuration tab in your app's settings.
4. Respond to User Requests
If someone asks how you are using their data, under GDPR you are legally obligated to respond to them. This is called a Subject Access Request.
A Subject Access Request may be made physically or digitally. When a user asks for information about their data, or for a copy of the data used in your mobile app, you have one month to respond. For complicated requests, you will have up to three months to respond.
This may sound like you'll need to invest more time and effort into customer service, but if your business is set up to have GDPR compliant processes, it shouldn't take too much of your time. At the end of the day, providing high quality customer service to your customers and mobile app users is a good thing!
Initially you can respond to these ad-hoc, but eventually you'll want to have an internal process to generate a response for this sort of request.
Create a page on both your website and mobile app that includes your business contact information. This will allow users to contact you easily, and provide transparency from your side. Make an effort to respond quickly and clearly to all Subject Access Requests.
5. The Right to Be Forgotten
Article 17 of the GDPR highlights the Right to Erasure, or the "right to be forgotten". This means that when a user asks you to remove their data acquired through your website or mobile app, you are obligated to remove every personal detail you hold about them in all systems, whether you control their data directly or through a tool or SaaS you use in your app (for example, Google Analytics).
If you want your mobile app to be GDPR compliant, you could choose to provide solutions such as deleting user data from your own database directly from the app, or having a simple contact form or dedicated page where a user can request their data to be erased.
Be transparent and allow users to easily contact you about erasing their data. When someone asks for their data to be erased, take the request seriously and comply with the request on every system you control.
You are also obligated to notify Third Party Data Processors that the data must be deleted from their servers too. This can be done through calling an API of theirs that allows for the deletion of personal data (if this is made available by the provider).
6. Review services and SDKs you use
If your app sends personal data to an external service for processing (e.g. to analyse app usage), you need to be clear and transparent about where this is, and who will be in control of the transferred data.
Then, you should sign Data Processing Agreements (DPAs) with your data processors. Written contracts between your business and your data processors will be a general requirement under the GDPR. The sooner you get this done, the better!
Don't assume that all Third Parties and SDKs connected to your app are GDPR compliant. If there is a data breach on one of your Third Parties that leads to your user data being exposed, you are responsible.
You should thoroughly analyse the vendors who process your data, and take time to understand whether or not they are GDPR compliant. If they're US based, are they registered under the EU-US Privacy Shield Framework? Any business can self-certify under this, and having this certification is required for that vendor to be GDPR compliant.
It's worth the time it takes. Marcus Turner, CTO of Enola Labs, says: "Ultimately, higher levels of cyber security are a necessary and worthwhile investment for business owners that care about protecting their customers and safeguarding their business. I often tell businesses that they can pay an upfront cost now to protect their data, or wait until a cyber security attack and pay an even bigger price later to clean up the mess. Waiting may very well cost you your business".
So, make sure you take the time to review your technology suppliers and invest in necessary ones that will help safeguard your business from being in breach of the GDPR.
You should only have contracts with providers who can provide 'sufficient guarantees' that GDPR requirements will be met, and that your users' data is sufficiently protected.
7. Data Breach Notifications
To increase trust between customers and businesses, and in the wake of notable data breaches from companies such as Yahoo!, Uber, Equifax and more, the GDPR is enforcing tighter deadlines for businesses to notify national supervisory authorities and their users. Disclosure must happen within 72 hours.
To make this possible for your business, you may need to invest in technology that continuously monitors your data and notifies you when risks are present. You should also establish a clear procedure for how you will react to a data breach, including how you will inform users, and how you will protect their data.
Establish a clear step by step process that you can use in case of a data breach that includes how you will inform users and national supervisory authorities of the breach.
8. Appointing a Data Protection Officer
Your company may need to appoint a Data Protection Officer (DPO) in order to be GDPR compliant. This applies to you if:
- You are a public authority (except for courts acting in their judicial capacity);
- Your core activities require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- Your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
While this may not apply to all readers, if your website or mobile app processes large amounts of individual data you should be considering whether or not you need a Data Protection Officer to help you monitor internal compliance, inform and advise on your business's data protection obligations, and act as a contact point for data subjects (i.e. your users) and supervisory authorities.
Assess whether or not your business needs a DPO in order to be compliant. If so you should appoint one, and inform your website or mobile app users of how they can contact your DPO.
9. Encryption and data storage
Your mobile application should use SSL or HTTPS for external communications. When communicating personal information of any kind, that data must be encrypted. Not encrypting data means that the information is sent in clear text and is exposed to anyone on the network path between the app and your servers.
If you built an app that connects to your website or web servers and transmits sensitive data (e.g. a username/password), you should verify that you're using SSL for all connections from your app.
Encryption is not only relevant for external communications. All data that your mobile app collects should be stored in a safe place, and your backups should also be encrypted. Users should also know how long their data will be retained for.
Ensure that your app uses secure communications through SSL and HTTPS, and make sure your SSL certificate has been properly deployed.
All data stored should use encryption, and you should provide transparency to data subjects over how long you retain this data for.
10. Log and Justify Your Data Collection
Article 30 of the GDPR states that each data controller, or representative of the controller, “shall maintain a record of processing activities under its responsibility”.
This means that in order to ensure your GDPR compliance, you should start documenting all the data that you collect (either yourself, or through a third party).
You should create a secure, comprehensive log of your data collection activities.
For a good example of how to do this, we would recommend reading Step 1 of Startup Resources' guide to GDPR compliance.
This log should include all and any kind of personal data that you are collecting on website visitors and users. From people’s names (if collected) to IP addresses to the country they’re located in.
Then, you should justify why you’re collecting this data. You need to identify where you’re storing it, how long it is stored for, how can the data collection be justified, and more.
Make sure you’re fully aware of every kind of user data that you’re collecting and ensure you can justify why you’re collecting it.
Clear, complete documentation that you can refer back to will not only help you when customers or users ask about your GDPR policies but ensure regulatory compliance and safeguard both your business and mobile app.
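As an added example (not code from the original article), here is a minimal record of processing activities kept in code, with two checks that a developer can run in CI: every collected item must have a stated purpose and lawful basis, and stored records older than their retention period are flagged for deletion (which also serves the retention transparency point in step 9). The register entries, retention periods and dates are constructed for illustration.

```python
# Added example (not from the original article): a register of processing
# activities with a justification check and a retention check. Entries
# and dates are constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ProcessingEntry:
    data_item: str        # e.g. "email address", "IP address"
    purpose: str          # why it is collected
    lawful_basis: str     # e.g. "consent", "contract"
    storage: str          # where it lives
    retention_days: object  # int, or None = kept for the life of the account
    processors: tuple     # third parties that receive it


REGISTER = [
    ProcessingEntry("email address", "account login and service emails",
                    "contract", "app database", None, ()),
    ProcessingEntry("IP address", "rate limiting and abuse prevention",
                    "legitimate interest", "web server logs", 30, ()),
    ProcessingEntry("device ID", "crash reporting", "consent",
                    "crash-reporting vendor", 90, ("crash-reporting vendor",)),
    # Deliberately incomplete entry: no purpose given, so it cannot be justified.
    ProcessingEntry("date of birth", "", "consent", "app database", 365, ()),
]


def unjustified(register):
    """Items with no stated purpose or lawful basis must be dropped or documented."""
    return [e.data_item for e in register if not e.purpose or not e.lawful_basis]


def due_for_deletion(register, stored, today):
    """stored: list of (data_item, collected_on) pairs. Returns the pairs whose
    retention period has elapsed; an item that is stored but not in the
    register is an error, because undocumented collection is not allowed."""
    by_item = {e.data_item: e for e in register}
    due = []
    for item, collected_on in stored:
        entry = by_item.get(item)
        if entry is None:
            raise KeyError(f"'{item}' is stored but not in the register")
        if entry.retention_days is None:
            continue  # kept for the life of the account, erased on request
        if today - collected_on > timedelta(days=entry.retention_days):
            due.append((item, collected_on))
    return due
```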
GDPR is a legal requirement, and unavoidable for any business that interacts in any way with people and customers in the EU.
Anyone whose data is processed must be able to exercise their rights over their data, even if it is in your control.
You will need to have a GDPR compliant mobile app. Without ensuring compliance, you risk large fines and losing the trust that your customers have in your business! For this reason, creating a process to ensure compliance for your business and mobile app should be a priority for you.
We believe you should not see the GDPR as a headache, despite its strict rules. Providing your users with a GDPR compliant mobile app will let them know that you value them, and are committed to their data security. For many businesses, ensuring compliance will be a value-add, and make your users trust your mobile app, so you should embrace it!
If you want to learn more about GDPR, we have included links to several resources below:
- Read the entire General Data Protection Regulation as published by the European Parliament to get familiar with it.
- Read Kyvio's excellent guide to understanding the GDPR, this article from SafeDK and this practical GDPR guide for developers.
- Read Startup Resources' Quick and Dirty Guide to Getting Compliant for Startups and Small Business.
- Self-certify your business under the EU-US Privacy Shield Framework. This provides companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.
If your website is GDPR compliant and you're looking to build a GDPR compliant mobile app, MobiLoud offers a solution that will be GDPR compliant, and provide your business with a new platform for user engagement and reach.