How To Make Your App GDPR-Compliant
It took three years to make GDPR real, and on May 25, 2018 it will finally come into force. From now on, companies will need to treat information about their customers more carefully. GDPR gives users more power over how companies use their personal data. Is your company ready to meet the requirements?
Are you ready for GDPR?
So, what does GDPR stand for? The General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14 April 2016. Companies were given a two-year transition period so they could change the way they handle customer data before it comes into force. Well, those two years have almost passed. But according to a recent study by Gartner, less than 50% of EU companies are actually ready to meet the full requirements of this regulation. In this article, we talk about how to make your app GDPR-compliant.
Gartner’s study also shows that only one-third of companies have gotten help with GDPR compliance from a third-party consultant. Yet most companies actually need help, as they report struggling to make their apps and products GDPR-compliant. Half of EU companies say that they don’t have a sufficient budget to fund this transition. Over 48% report a lack of IT expertise that would allow them to meet the requirements, and 27% of business owners aren’t even sure they understand the regulations fully.
Though only 27% of companies say that they probably won’t be able to meet the deadline, Gartner believes that this number is too optimistic. So even if you still aren’t ready to be fully compliant, you aren’t alone. GDPR is a very important regulation that will take time to be fully enforced. Sooner or later, however, you’ll need to adjust the way you gather and use data from your customers.
Why can’t I ignore GDPR?
Under the GDPR, mishandling personal data can bring fines of up to €20 million or 4% of a company’s annual worldwide turnover, whichever is higher, and these apply to infringements of the regulation in general, not only to data breaches. A survey by Vanson Bourne shows that for 17% of companies this would mean the end of their business; for small businesses the figure is 54%. But despite the danger, only 6% of companies in the UK have made GDPR compliance a priority.
The situation is a bit different in other EU countries. According to the survey, 30% of French companies and 25% of companies in the Benelux countries treat GDPR seriously. The UK is probably the country least prepared for the GDPR.
Probably this is because many companies in the UK assumed that, since the UK was scheduled to leave the EU on 29 March 2019, the rules wouldn’t apply to them. But this is incorrect: the GDPR applies to any company, wherever it is based, that processes personal data of people in the European Union.
GDPR won’t require fundamental changes to your application’s architecture, but it will affect your business and the way you collect and store data. A mobile app is not inherently safer than a website: you still need to pay close attention to how secure your application and its backend are, and whether you gather users’ data properly.
Main provisions of the GDPR
There are some main provisions in the GDPR that you’ll need to consider, whether you need to develop a GDPR-compliant app from scratch or you already have an app that needs to be made compliant.
- The right to be forgotten – You need to erase all data you have on a user upon request. Moreover, a person can prevent further publication of their data and forbid its processing by third-party services.
- Consent – Where you rely on consent to process personal data (rather than another lawful basis, such as performing a contract with the user), it must be freely given, specific and informed, and it must be as easy for users to withdraw consent as it was to give it. Pre-ticked boxes and consent buried in the terms and conditions don’t count.
- Data protection and privacy – Your app should request only information that is absolutely necessary, and this should be documented before you launch your app. If you already have an app, you’ll need to make changes to your data collection process.
- Data protection officers – GDPR requires public authorities, and companies whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data, to appoint a data protection officer (DPO), who is responsible for overseeing data protection within the company and safeguarding users’ data.
Now that you know the main requirements of the GDPR, let’s see what you should do as an app owner to build an app that complies with EU law. First, you need to understand the definitions the GDPR uses.
There are certain definitions you need to understand for effective GDPR app development. We’ll use these definitions later in the article. These are the main categories of entities the GDPR refers to:
Data controller – decides the purposes and means of collecting and processing users’ personal data. You are a data controller if you decide what data is collected and how it will be used.
Data processor – an organization that collects and processes personal data on behalf of a data controller, such as analytics providers, cloud hosting services and so on.
Data subject – the identifiable individual the data is about. In most cases these are your users, whose data you collect and process.
How to Make Your App GDPR Compliant?
So, how do you get compliant with GDPR? Here’s a GDPR developer guide for a better understanding of the legal requirements for apps.
1. Think about the data you collect from users
Do you really need all that data you get from your users? Maybe there’s something you don’t actually need to deliver your service. Analyze how you collect data and see if you can make any changes to that process. This will probably make your transition easier.
Since GDPR doesn’t contain any step-by-step instructions, it can sometimes be tricky to understand in which cases you need to make changes to your system. Let’s explore some of the most common cases that you might face as an app owner.
You need to work on app GDPR compliance if:
- You collect emails and logins
- You have access to installation IDs and analytics metrics
- Users can create their own content in your app
- You use third-party services like Google Analytics, Crashlytics, or Firebase
- You collect personal data for shipping products
You’ll need to make sure that any third-party services that store or process user data for you are GDPR-compliant: as the controller, you remain responsible for what your processors do with that data, so if they get it wrong, you’ll also be held responsible.
Also, remember that GDPR gives users a right to be forgotten. This means that you should delete any user data on demand.
2. Analyze how you handle user data
You should thoroughly investigate how you handle the data that users give you. While this data is usually stored in databases, it’s rarely kept in a single place. You should assess what data you collect and determine what permissions you’ll need from your users.
It’s also a good idea to document your whole system for receiving, handling, and deleting data. By doing so you’ll be able to demonstrate, in case of an investigation, that you worked according to the GDPR; the regulation calls this accountability.
3. Ask for permission
You’ll need data from your clients to perform activities and deliver services to them, including:
- Making bookings
- Offering products according to user preferences
- Sending special offers via email and SMS
- Sending push notifications about order statuses and other information
- Shipping products
You need permission to get the data you need for all these things. Moreover, you have to explain why you need this data and what you do with it so that the process is clear for your app users.
Mobile operating systems already prompt users for permission to access things like location, contacts or the camera, but that OS-level permission isn’t GDPR consent: you still have to explain, in the app, what you collect and why, and users should be able to opt out of sharing anything that isn’t needed to provide the service.
4. Encrypt the data that users give you
You need to make sure that even if someone gets to your data, they won’t be able to do anything with it. Encrypt personal data in transit (TLS) and at rest with a modern authenticated cipher such as AES-GCM, and keep the keys separate from the data, in a key management service or hardware module rather than next to the database. Passwords are a special case: they should never be encrypted, only hashed with a slow, salted password hashing function such as bcrypt, scrypt or Argon2, so that not even you can read them back.
Encryption isn’t a 100% guarantee of data safety. If the keys leak, or an attacker reaches the application that holds them, the encryption does nothing, so key management and access control matter as much as the algorithm. But if you store information in plain text, a single leaked database dump exposes all of your users’ data.
5. Use two-factor authentication
Two-factor authentication is a great way to ensure that the person who logs into an account is actually its owner. Security questions are ineffective, as they often refer to information that a hacker can find on the social media profile of a potential victim.
Two-factor authentication means requiring two different kinds of factor: something the user knows (a password), something they possess (a hardware token, or an authenticator app or security key on their phone) and something they are (a fingerprint or face). A username is not a factor. Combining two of these lets you verify a person more reliably than a password alone, and the second factor must be verified on the server, never only inside the app.
6. Educate and inform your users
GDPR requires you to tell users, in clear and plain language, what personal data you collect, why, on what legal basis, how long you keep it and with whom you share it, including any third-party services. Burying this in terms and conditions that nobody reads is not enough; a dedicated, readable privacy notice shown before the data is collected is the usual way to satisfy this.
You should inform your users of any changes to the terms and conditions or privacy policy. In case of a data breach, you must notify the supervisory authority within 72 hours of becoming aware of it and, when the breach is likely to put users at high risk, inform the affected users without undue delay. The GDPR makes sure that companies can’t conceal a breach for months, as Uber did.
7. Delete the information of users who opt out
This is one of the main requirements of the GDPR – users have a right to have the data about them deleted. You’ll need to make sure this is possible and show it clearly to your app users. Many companies currently treat deleted accounts as merely inactive and keep all the data; that won’t be acceptable and may lead to problems. Deletion has to reach every place the data lives: the primary database, caches, analytics, third-party processors, and either the backups or the keys that protect them. The only exceptions are data you are legally obliged to retain, for example invoices, and those exceptions should be documented.
8. Appoint a Data Protection Officer
If you are a public authority, or your core activities involve large-scale, regular and systematic monitoring of users (for example tracking online behavior) or large-scale processing of sensitive data such as health data or criminal convictions and offences, you need to appoint or hire a Data Protection Officer (DPO). Without a DPO you won’t be GDPR compliant.
The main tasks of a DPO include informing and advising the company on how it stores and protects data, monitoring internal compliance, and acting as the point of contact for users and for the supervisory authority.
If you want to convert your website to an app, be sure to apply all of these changes, including the encryption measures above, to both your website and your app.
9. Check services and SDKs for compliance
I mentioned it earlier, and I’d like to stress once again how important it is to check the third-party services you’re using. If your application shares personal data with third-party services, you need to check all of them. If they aren’t GDPR compliant, you’ll be in trouble.
Once you have checked your third-party services, sign a Data Processing Agreement (DPA) with each of them; Article 28 of the GDPR requires a written contract between a controller and its processors.
The GDPR in 2020
The GDPR 2020 great expectations
The GDPR has been directly applicable in every EU member state since 25 May 2018, but a few member states have been slow to pass the national legislation it leaves to them, for example to set up or empower their supervisory authority. That should end in 2020 as the last countries implement national legislation.
The GDPR is no longer the only data protection acronym
The GDPR has inspired lots of imitators around the world, from Brazil’s LGPD to the CCPA in California. Many of these laws share its broad principles of data protection, but each implements them in its own way, so compliance with the GDPR doesn’t automatically mean compliance elsewhere.
2020 is not the year Brexit changes data protection
Brexit has been in the European news for the past few years. But 2020 is not the year for an alternative data protection regime. Even though the UK formally left the EU on 31 January 2020, the transition period keeps EU standards in force there throughout this year. That means the GDPR is still the law of the land in the UK.
The EU’s new ePrivacy Regulation still isn’t ready
The counterpart to the GDPR, the ePrivacy Regulation, has fallen further behind schedule. The Permanent Representatives Committee of the Council of the European Union rejected the latest draft in November 2019, so actual implementation is likely to be at least a year off.
Loud security breach scandals and big corporations collecting excessive data about users have become a major concern for average users and governments. The GDPR was created to solve these problems, and your application has to change according to its rules.
While the GDPR will help to prevent security breaches and give users more power over their own data, it may be challenging for businesses to make such changes. However, we’re convinced that in the long term it will bring profit to companies as they’ll be able to attract users and gain loyalty by maintaining honest and secure relationships with customers.
Mobindustry can help you with creating a GDPR compliant mobile app. If you feel that your mobile app isn’t yet ready to meet GDPR requirements, be sure to contact us at any time.