How to Make Your App GDPR-Compliant
It took three years to make GDPR real, and on May 25, 2018 it will finally come into force. From now on, companies will need to treat information about their customers more carefully. GDPR gives users more power over how companies use their personal data. Is your company ready to meet the requirements?
Are you ready for GDPR?
So, what does GDPR stand for? The General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14 April 2016. Companies were given a two-year transition period so they could change the way they handle customer data before it comes into force. Well, those two years have almost passed. But according to a recent study by Gartner, less than 50% of EU companies are actually ready to meet the full requirements of this regulation. In this article, we talk about how to make your app GDPR-compliant.
Gartner’s study also shows that only one-third of companies have gotten help with GDPR compliance from a third-party consultant. Yet most companies actually need help, as they report struggling to make their apps and products GDPR-compliant. Half of EU companies say that they don’t have a sufficient budget to fund this transition. Over 48% report a lack of IT expertise that would allow them to meet the requirements, and 27% of business owners aren’t even sure they understand the regulations fully.
Though only 27% of companies say that they probably won’t be able to meet the deadline, Gartner believes that this number is too optimistic. So even if you still aren’t ready to be fully compliant, you aren’t alone. GDPR is a very important regulation that will take time to be fully enforced. Sooner or later, however, you’ll need to adjust the way you gather and use data from your customers.
Why can’t I ignore GDPR?
According to EU law, playing games with user data and ignoring GDPR can result in heavy fines of up to €20 million or 4% of annual revenue if a data breach occurs. A survey by Vanson Bourne shows that for 17% of companies, this would mean the end of their business. This percentage is even higher for small businesses (54%). But despite the danger, only 6% of companies in the UK have made GDPR compliance a priority.
The situation is a bit different in other EU countries. According to the survey, 30% of French companies and 25% of companies in the Benelux countries treat GDPR seriously. The UK is probably the country least prepared for the GDPR.
Probably this is because many companies in the UK thought that since the UK will no longer be part of the EU as of 29 March 2019, the rules don’t apply to them. But this is incorrect, as all companies that process data of European Union residents will still need to be GDPR-compliant.
While GDPR for mobile apps won’t require any fundamental changes in your application, they will surely affect your business and the way you collect and store data. Mobile applications are more safe than websites, but you still need to pay close attention to how secure your application is, and whether you gather users’ data properly.
Main provisions of the GDPR
There are some main provisions in the GDPR that you’ll need to consider if you currently need to develop a GDPR compliant app from scratch or if you already have one you need to make GDPR compliant.
- The right to be forgotten – You need to erase all data you have on a user upon request. Moreover, a person can prevent further publication of their data and forbid its processing by third-party services.
- Consent – From now on, each business will have to ask permission to collect any kind of data about customers. Also, it should be easy for customers not only to give permission but also to withdraw it.
- Data protection and privacy – Your app should request only information that is absolutely necessary, and this should be documented before you launch your app. If you already have an app, you’ll need to make changes to your data collection process.
- Data protection officers – GDPR requires that large enterprises hire data protection officers, or DPOs, who will be responsible for managing data protection within the company and be safeguards of users’ data.
- The right to access – this means that the users have a right to see what information is shared with the company and ask how exactly it is used. If a user requests it, a company is obliged to give a digital copy of a personal data of a user
- The right to be informed – each time a company gathers any data from users, it needs to notify them, request for consent, and inform users about how exactly this data will be used
- The right to object – according to this rule, users have a right to stop the processing of their information at any time. Moreover, companies are required to warn users that they have this right in the beginning of their communication.
Now that you know the main requirements of the GDPR, let’s see what you should do as an app owner to build an app that complies with EU law. First, you need to figure out what definitions GPDR uses to understand the requirements.
There are certain definitions you need to understand for effective GDPR app development process. We’ll use these definitions later in the article. These are main categories of entities GDPR refers to in its documents:
Data controller defines the purposes for collecting and processing private information of users. You are a Data controller, if you decide what data is collected and how it will be used later.
Data Processor is an organization that collects and processes personal information on behalf of a Data Controller. These organizations’ software may include analytics, cloud services and so on.
In most cases, these are your users, data of whom you collect and process.
How to Make Your App GDPR Compliant?
So, how to get compliant with GDPR? Here’s a GDPR developer guide for a better understanding of legal requirements for apps.
1. Think about the data you collect from users
Do you really need all that data you get from your users? Maybe there’s something you don’t actually need to deliver your service. Analyze how you collect data and see if you can make any changes to that process. This will probably make your transition easier.
Since GDPR doesn’t contain any step-by-step instructions, it can sometimes be tricky to understand in which cases you need to make changes to your system. Let’s explore some of the most common cases that you might face as an app owner.
You need to work on app GDPR compliance if:
- You collect emails and logins
- You have access to installation IDs and analytics metrics
- Users can create their own content in your app
- You use third-party services like Google Analytics, Crashlytics, or Firebase
You collect personal data for shipping products
You’ll need to make sure that third-party data storage services you use are GDPR-compliant because if they aren’t, you’ll also be responsible should anything go wrong.
Also, remember that GDPR gives users a right to be forgotten. This means that you should delete any user data on demand.
2. Analyze how you handle user data
You should thoroughly investigate how you handle the data that users give you. While this data is usually stored in databases, it’s rarely kept in a single place. You should assess what data you collect and determine what permissions you’ll need from your users.
It’s also a good idea to document your whole system for receiving, handling, and deleting data. By doing so you’ll be able to show that you tried your best to work according to the GDPR regulations in case of an investigation.
3. Ask for permission
You’ll need data from your clients to perform activities and deliver services to them, including:
- Making bookings
- Offering products according to user preferences
- Sending special offers via email and SMS
- Sending push notifications about order statuses and other information
- Shipping products
You need permission to get the data you need for all these things. Moreover, you have to explain why you need this data and what you do with it so that the process is clear for your app users.
Currently, devices already require users to give such permissions to apps, but if you need anything more to make your service work its best, your users should be able to opt out of sharing certain information.
4. Encrypt the data that users give you
You need to make sure that even if someone gets to your data, they won’t be able to do anything with it. For storing user data, you need to use the most advanced encryption algorithms that include hashing.
Encryption isn’t a 100% guarantee of data safety, as hackers have their ways of getting around it, but if you store information in plain text it leaves your business no chance against exposing users’ data.
5. Use two-factor authentication
Two-factor authentication is a great way to ensure that the person who logs into an account is actually its owner. Security questions are ineffective, as they often refer to information that a hacker can find on the social media profile of a potential victim.
Two-factor authentication means a combination of a possession factor (token, smartphone), knowledge factor (password, login), and inherent factor (fingerprint or face). This allows you to verify a person more precisely.
6. Educate and inform your users
GDPR requires app owners to show terms and conditions to users and make sure they read these documents. These documents should also include information about sharing data with any third-party services.
You should inform your users of any changes that may happen to the terms and conditions. Also, in case of a data breach, you must inform users within 72 hours. GDPR regulations make sure that companies can’t conceal the truth for months as Uber did.
7. Delete the information of users who opt out
This is one of the main requirements of the GDPR – users have a right to have all data about them deleted. You’ll need to make sure this is possible and show it clearly to your app users. Many companies currently treat deleted accounts as merely inactive, but now that won’t be possible and may lead to problems.
8. Hire a Data Protection Officer
If you are a large-scale company that tracks online user behavior or you store data on criminal convictions or offences, you need to appoint or hire a Data Protection Officer (DPO). Without a DPO you won’t be GDPR compliant.
Main tasks of a DPO include informing and advising a company on its data storage and protection. A DPO is responsible for controlling internal compliance and connect your users with authorities if needed.
If you want to convert website to an app, be sure to make all changes to encryption protocols in both your website and your app.
9. Check services and SDKs for compliance
I mentioned it earlier, and I’d like to stress once again how important it is to check the third-party services you’re using. If your application shares confidential information with third-party services, you definitely need to check all of them. If they aren’t GDPR compliant, you’ll be in trouble.
Once you check your third-party services, you need to sign a Data Processing Agreement with them – it is required in GDPR.
The GDPR in 2022
Local laws of member states are more aligned with GDPR
When GDPR was first introduced, we saw a lot of fragmentation between laws that were enforced across EU and member state laws. In 2022, experts expect more member states change their local laws so they align with GDPR. These laws concern Data Protection Officer appointments, definition of child’s age under which parental concent is needed, and other laws.
Consumer consent is in trend
Consumers are more educated on their data privacy in 2022, and their consent is required for data collection and businesses contacting them. Consumers know that they can withdraw their consent at any time.
Moreover, consent should be given based on open information, so companies need to find ways to inform their customers about how their data is being used. Activities like retargeting should also be based only on consent of users, and for this they should fully understand where and how their data is used by marketers.
New AI regulation is coming in 2022
The biggest change in GDPR in 2022 is of course the EU’s AI regulation. It’s not yet released, but is expected to be enforced in 2022. Its main goal is to regulate how AI is used, and minimize risks based on an approach that defines four levels of risk:
- Unacceptable risk AI: harmful use of AI that doesn’t align with EU values
- High-risk AI: AI that influences people’s safety or tampers with their fundamental rights
- Limited risk AI: some AI systems will be restricted to a certain set of obligations
- Minimal risk AI: defines systesm that can be used across the EU without additional legal obligations
The EU’s new ePrivacy Regulation
The EU regulation on Privacy and Electronic Communications is proposed already but hasn’t yet made it through the legislation. The ePrivacy regulation’s main goals are to:
- create new rules for electronic communications and protect the data privacy of the users that includes their communications and devices
- cover metadata and confidentiality requirements as well as personal data in messengers, VoIP platforms and machine-to-machine communication
Standard Contractual Clauses Deadline Comes in Late 2022
One of the most important GDPR-related developments we have seen revolves around data transfers and SCCs, according to Fazlioglu. GDPR says contractual clauses ensuring appropriate data protection safeguards can be used as a ground for data transfers from the EU to third countries. This includes model contract clauses — so-called Standard Contractual Clauses (SCCs) — that have been “pre-approved” by the European Commission.
An important 2022 deadline for companies will be Dec. 27. That is the final deadline the EC has given for when all old contracts must be transitioned to the new SCCs, two sets of which were released earlier this year. “So, companies who have data transfers relying on old contracts should have a plan in place to fully transition to the new ones in 2022, if they haven’t done so already,” Fazlioglu said. “And they will have to look very carefully at the module(s) required that is specific to the types of data transfers they engage in.”
Loud security breach scandals and big corporations collecting excessive data about users have become a major concern for average users and governments. The GDPR was created to solve these problems, and your application has to change according to its rules.
While the GDPR will help to prevent security breaches and give users more power over their own data, it may be challenging for businesses to make such changes. However, we’re convinced that in the long term it will bring profit to companies as they’ll be able to attract users and gain loyalty by maintaining honest and secure relationships with customers.
Mobindustry can help you with creating a GDPR compliant mobile app. If you feel that your mobile app isn’t yet ready to meet GDPR requirements, be sure to contact us at any time.