What does GDPR mean for your mobile app?
Due to come into effect tomorrow (25th May 2018), the General Data Protection Regulation (GDPR) aims to give individuals in the EU better protection over their personal data, with a particular focus on how it is handled by businesses and organisations. So, how does this relate to mobile apps and mobile application development?
Because GDPR covers “personal data”, it will have a significant impact on organisations within the EU, including both consumer-facing organisations and B2B companies. GDPR defines “personal data” as any data record that could be used to identify an individual, including names, phone numbers and addresses. This also now includes digital information, such as GPS locations, user behaviour, usernames and much more. This means that, in one way or another, all businesses are affected, and if your organisation is looking to develop a mobile app, you will be affected too.
Another significant change under GDPR is that traditionally, “personal data” was the sole responsibility of the main data owner. However, under GDPR, any company that processes or handles the data will now be responsible for its protection; this includes third parties and cloud providers.
What it outlines
The full text of the GDPR can be read here, but in a nutshell, the regulation includes:
- Right to be forgotten: The individual can request to have all their data deleted
- Explicit consent: Organisations must request consent to collect, use and move data
- Mandatory data breach notifications: Authorities and users must be notified of any data leaks within 72 hours of a breach
- Privacy by design: Privacy and data protection are a key consideration at the beginning of and throughout a project's lifecycle
- Data protection officer: Large organisations need to employ someone dedicated to managing data protection
The consequences of GDPR non-compliance
One of the biggest, and most talked about, elements of the GDPR is the power for regulators to fine businesses that fail to comply with it. If an organisation doesn’t process an individual’s data in the correct way, it can be fined. In addition, if an organisation requires a data protection officer and doesn’t appoint one, it can also be fined. Furthermore, if an organisation faces a security breach, it can be fined.
According to MLaw Group:
“The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonisation of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover.”
According to Article 83 paragraphs 4 and 5 of the GDPR, the following sanctions can be imposed on organisations that do not comply:
- a warning in writing in cases of first and non-intentional non-compliance
- regular periodic data protection audits
- a fine up to €10,000,000 or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater
- a fine up to €20,000,000 or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater, depending on severity
What should mobile app owners be aware of?
Data protection is more than just keeping customer information safe; it is also about keeping track of changes and data access, in both physical and digital forms. This means that if you are managing and processing personal data, you must record a full history of all of the changes.
You will need to understand the processes that you use to obtain, store and handle data. This includes how your existing processes ensure maximum security and how you can improve on them. Firstly, you should produce a data flow map to understand exactly what data is collected from mobile devices, where it is transmitted and where it is stored. This will help you to pinpoint any vulnerabilities and areas which may need additional security.
Furthermore, your mobile app developers, whether they are in-house or third-party, should encrypt and secure any data that moves between your mobile app and the server, and should store user passwords only as properly salted, slow hashes rather than in plain text.
Mobile devices harvest a lot of contextual information, including location, usernames, connected accounts and more, which means you will also need to consider the following:
The right to be forgotten
The GDPR states:
“…a data subject should have the right to have his or her personal data erased and no longer processed where the personal data is no longer necessary in relation to the purpose for which they are collected or otherwise processed”
This means that users can not only request changes to their data, but can also request to have all their data deleted. All organisations will need to have a system or process in place to locate an individual's specific data and remove it. This includes all services and backup systems, so that the data cannot be recovered from anywhere.
Explicit consent
All organisations will be required to ask for the user's consent explicitly, unless there is another legal basis for processing the data. The consent request must set out what data you are collecting and why, how it will be processed, how your organisation will protect it, how it is moved, and how long it will be stored for.
This means that you will need to create an updated privacy policy or terms of service that define the above, and to comply with GDPR regulations this needs to be explained to the user in “clear and plain language”. More information on this can be found in Article 6 of the GDPR.
Breach notifications
The GDPR will enforce tighter deadlines for businesses to notify both the authorities and users when a data leak or breach occurs. If a company encounters a data breach, it must notify the national supervisory authority within 72 hours. Given this deadline, it is worth investing in better technology to ensure close and continuous monitoring of your data, as well as preparing an incident response plan in advance, since 72 hours leaves little time to work out a procedure after a breach is discovered.
Privacy by design
The GDPR introduces a new approach that organisations should take to projects: privacy by design. Privacy by design means promoting privacy and data compliance from the very start of a project. Practically speaking, this means that when developing a new mobile app, you will need to ensure that privacy and data protection are a key consideration both in the beginning stages of a project and throughout the entire life cycle.
Data protection officer
The GDPR requires larger organisations to appoint a Data Protection Officer to oversee compliance with the new regulation. A Data Protection Officer is someone qualified in the field of data protection who can assist with meeting and monitoring the organisation's obligations and with communicating with the national supervisory authority. This role can be managed in-house, or can be outsourced.
If you are an entrepreneur or an SME, then you are exempt from this rule. However, if you are an organisation with over 250 employees, then you will need to hire a Data Protection Officer.
Under GDPR, it is crucial that mobile app owners, both B2C and B2B, have complete visibility and real-time control over app usage and activity in a centralised way that puts the protection of users' data at the forefront of their business operations.
This article is intended to be a guide and not legal advice. We highly recommend you still seek full legal advice to understand specific requirements for your business.
If you need more information about the GDPR, or if you have concerns that your organisation is not compliant, then contact us today.