GDPR Compliant App Checklist: Make Your App Fit for EU Data Privacy Law

Why should a mobile app be GDPR compliant? In a market where businesses fight to stay afloat, users' personal data is valuable: companies feed it into their apps to get the insights they use to adjust their services. That same value makes the data a target, so it has to be protected, and for an app that serves users in the EU that means building it to comply with the GDPR.

What is GDPR?

GDPR stands for General Data Protection Regulation. Its purpose is to protect personal data and regulate its use, and to give individuals control over data about themselves rather than leaving that control with the companies that collect it. If you collect personal data about individuals in the EU and process it for your own purposes, the GDPR applies to you. It applies even if your business is not established in the EU, as long as you offer goods or services to people in the EU or monitor their behaviour there.

The GDPR is Based on these Key Principles:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

What is the Impact of GDPR on Mobile App Owners?

The GDPR, which has applied since 25 May 2018, is the most far-reaching step taken so far to protect the privacy of app users. It addresses the problem directly, so when you plan a mobile app you need to make sure it meets the GDPR's requirements in full.

The regulation does not give mobile app developers a step-by-step guide to building a GDPR compliant app. What it provides is a set of general principles and obligations that developers must translate into design decisions.

If your app does not adequately protect its users' personal data, you will see more users leave it. Conversely, if you put the right controls in place to protect personal data, you will attract more users to your app.

In other words, taking the right measures and aligning with the GDPR's standards adds value to your business app.

Businesses face fines of up to 10,000,000 EUR (USD 11,865,500.00) or up to two percent of global annual turnover, whichever is higher; for the more serious violations those maximums are doubled to 20,000,000 EUR (USD 23,729,200.00) or 4% of global annual turnover, again whichever is higher.

Key Concepts in a GDPR Compliant App

To help you understand what a GDPR compliant app looks like, here are the key definitions you need:

Data Controller

A data controller is the person or organisation that decides why personal data is collected and how it is processed. If you run an app or a website, you decide what data to collect, how to collect it and what you collect it for. That makes you the data controller.

Data Subject

The data subject is the individual whose personal data the app processes: the app user, or someone who visited the website.

Data Processor

A data processor is an organisation that processes personal data collected from app users on behalf of a data controller. Third-party services used alongside your app or website, such as cloud hosting, analytics or e-mail delivery, are typical processors.

Knowing which of these roles you occupy matters, because the obligations follow the role: the controller is accountable for the processing, while a processor may act only on the controller's documented instructions and must be bound by a written contract.

What does Personal Data Mean in the Context of GDPR Compliant App?

Under the GDPR, personal data is any information relating to an identified or identifiable natural person: someone who can be identified, directly or indirectly, by an identifier such as a name, an identification number, location data or an online identifier.

This is a broad definition that covers all of a user's personal information. It also covers the cookies placed in the browser by analytics tools to track a user's activity on the website and learn how people use it.

App owners therefore need to plan how user data will be collected and stored, and they also have to account for unique device IDs and IP addresses, which are personal data too.

Top Steps to Make Your App GDPR Compliant

Ensure privacy by design

Under the GDPR, privacy by design is now a legal requirement. You must consider users' privacy from the moment you plan a mobile app. Article 25 of the GDPR (data protection by design and by default) requires that, by default, your app collects and processes only the personal data that is necessary for each specific purpose.

This means thinking about user privacy and data protection when you plan the app or commission a third party to build it. In practice, app owners must secure user data from the start of development rather than retrofitting protection after something has gone wrong.

Privacy by design is about deciding which data your app genuinely needs and which data it should not hold at all. While designing and building the app, weigh all the options. Users will appreciate the extra effort you put into protecting their data, and that will ultimately benefit your firm.

Keep all personal data encrypted, hash secrets, and let users know about it

If the application stores users' personal information, that data must be protected with strong, well-reviewed cryptography, and the right tool depends on the data. Data you need to read back, such as addresses and phone numbers, should be encrypted with an authenticated cipher such as AES-GCM. Secrets you only ever need to check, such as passwords and security-question answers, should not be encrypted but hashed with a slow, salted password hash such as bcrypt, scrypt or Argon2. Hashing is not encryption: a hash cannot be reversed to recover the data, which is exactly why it suits passwords and not addresses. The Ashley Madison breach showed why this matters: the personal details of its users were stored and leaked in clear text, with severe consequences for them. Tell users that their personal data, including address, phone numbers and country of residence, is encrypted at rest so that it cannot be read or misused if a breach occurs.

Headline reproduced in the original article: "Ashley Madison hackers publish compromised records. 10GB file contains millions of records, including everything that was promised in July."

Check whether every personal data request the app makes is necessary

Ideally, as part of privacy implementation, the app stores as little of the user's personal detail as possible: name, birth date, country of residence and so on. Not every app can work that way, and some genuinely need more information. Either way, management and developers should define precisely which data they intend to collect and then keep only what the app really needs in order to function.

Figure: total number of GDPR complaints submitted to data protection authorities (lawsuits filed with courts are not included).

Encrypt the personal data in contact us forms and inform the users about it

Most applications collect personal data through contact forms as well as through subscription or authentication. Much of this data is personal: phone numbers, e-mail addresses, country of residence. For that reason you must tell users how the data will be stored and for how long it will be retained, and the stored data should be protected with strong encryption.

To track user activity for business intelligence, take the user's consent

To learn users' preferences, many eCommerce applications track their searches and purchases and use the insights to offer recommendations that may help them buy. Whenever the business intends to collect user information and monitor it for business intelligence, users must be given the choice of whether to allow it. If they do opt in, they must be told how the data is stored and for how long, and if it contains personal information it must be encrypted.

For secure communications, use HTTPS

Many websites still do not use HTTPS because they do not consider it important; a common argument is that if the application needs no authentication, HTTPS is unnecessary. That reasoning overlooks the rest of the traffic. Applications collect personal information through contact forms, and if that information is not encrypted in transit it is exposed to anyone on the network path. Serve everything over HTTPS, and make sure the TLS certificate and configuration are deployed correctly, with obsolete SSL and early TLS versions disabled, so you do not inherit the vulnerabilities of those old protocols.
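As an added example (not code from the original article), here is a framework-free Node.js guard that puts the point above into practice: plain-HTTP requests, contact form included, are redirected to HTTPS on a fixed canonical host, HTTPS requests get a Strict-Transport-Security header, and the TLS server options refuse anything older than TLS 1.2. The host name `app.example.test`, the `trustProxy` option and the minimal request shape are assumptions for the demo; `X-Forwarded-Proto` is honoured only when you say a TLS-terminating proxy you control sets it, because otherwise any client could claim to be on HTTPS.

```javascript
// Added example, not from the original article: force every request onto HTTPS,
// pin HSTS, and refuse obsolete protocol versions. Node built-ins only.
const CANONICAL_HOST = 'app.example.test'; // assumption: the production host name
const HSTS_MAX_AGE = 31536000;             // one year, in seconds

// Options for https.createServer(): negotiate TLS 1.2 or newer, nothing older.
// key and cert would be loaded from a secret store in production (assumption).
const tlsOptions = {
  minVersion: 'TLSv1.2',
  honorCipherOrder: true,
};

// req is a minimal request description: { secure: boolean, url: string, headers: {} }.
// trustProxy: only honour X-Forwarded-Proto when a proxy you control sets it.
function enforceHttps(req, { trustProxy = false } = {}) {
  const forwarded = trustProxy
    ? String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim().toLowerCase()
    : '';
  const isSecure = req.secure === true || forwarded === 'https';

  if (!isSecure) {
    // Redirect to the canonical host, not to whatever the Host header says:
    // echoing an attacker-supplied Host would turn this into an open redirect.
    // Only a path is carried over, and the body is empty: a form POSTed over
    // HTTP has already been exposed and must not be echoed back.
    const path = typeof req.url === 'string' && req.url.startsWith('/') ? req.url : '/';
    return {
      status: 301,
      headers: { Location: `https://${CANONICAL_HOST}${path}` },
      body: '',
    };
  }

  // Already on HTTPS: tell the browser to stay there for a year, subdomains included.
  return {
    status: 200,
    headers: {
      'Strict-Transport-Security': `max-age=${HSTS_MAX_AGE}; includeSubDomains`,
    },
    body: null, // hand off to the real request handler
  };
}
```

Wire `enforceHttps` in front of every handler, including the contact form, and pass `tlsOptions` (with your key and certificate added) to `https.createServer`.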

Figure: number of data breach notifications submitted to data protection authorities by businesses and other organisations pursuant to Article 33 of the GDPR.

Ensure that the users can withdraw their consent quickly and easily

Under the GDPR, consent can be withdrawn at any time, and withdrawing it must be as easy as giving it; users also have a right to erasure, the "right to be forgotten". At any point a user must be able to withdraw consent and unsubscribe. If you send customers a newsletter, for example, every e-mail must carry an "unsubscribe" link that works.

If users do unsubscribe, there is no need to be disappointed. You can still use some creativity to rekindle their interest and encourage them to resubscribe, as long as you do so without contacting them through the channel they have opted out of.

Store logs encrypted in a safe place

Every record containing user information should be kept in a secure location, and it is preferable to keep such records encrypted. If these logs are compromised, the supervisory authority must be notified under Article 33 and the affected users informed under Article 34.

After logout ensure cookies and sessions expire and are destroyed

Keep users informed about the cookies the application uses, and let them decide whether to accept or decline them. When a user logs out, or has been inactive for a long period, the session must be invalidated on the server and the session cookie expired in the browser, not merely left to lapse.

For sign-in, use protocols like OAuth, and keep the data portable

Users can now create an account using the details of another account through delegated sign-in protocols such as OAuth (with OpenID Connect for authentication). This has a privacy benefit: apart from the identifier the other service returns, no personal data from that account needs to be stored in your app. Note that this is distinct from data portability, which the GDPR guarantees separately: on request, users are entitled to receive the personal data they provided in a structured, commonly used, machine-readable format such as JSON or CSV.

Let users know about logs which save IP addresses or location

Many applications use IP addresses or locations as inputs to authentication and authorisation, and log this information to detect attempts to bypass authentication controls. Users should be told that this happens and for how long the logs are kept. Just as importantly, the logs themselves should contain no sensitive information beyond what that purpose needs.

Provide the terms and conditions clearly and make them easily visible to users

Place the terms and conditions on the application's landing page, and make them easy to find wherever the user navigates. The application should require the user to agree to the terms before using it, and again whenever the terms change. Write them so that ordinary people can read and understand them. Bear in mind that agreeing to the terms is not the same as GDPR consent: consent for a specific processing purpose must be requested separately and clearly, not buried in the terms.

Do not base security questions on users' personal data

Many applications use security questions to confirm a user's identity. Such questions should not turn on users' personal information, which is often public or easy to guess. Better, implement two-factor authentication instead. If that is not available, let users write their own question, and warn them of the risk of framing it around personal information. Store the answers the way you store passwords: hashed with a salted, slow hash, never in clear and not merely encrypted.

Inform users about data sharing with third parties, and delete their data when the service is deactivated

If the organisation shares personal data with any third party, including government bodies, external plugins or affiliates, it must say so in its terms and conditions and privacy notice. Users should also be told what happens to their personal data when they delete their account or cancel the service. Users may well forget what data they shared, so it is the company's responsibility to delete all data and account information relating to the user or the service. Companies that merely mark the account inactive and keep the data may face trouble with the authorities later.

According to more than 300 industry experts, most users do not want third parties anywhere near their personal data.

Implement separated opt-in

When you run an app, you may reach out to your clients many times as part of your marketing. If you contact users by phone, e-mail or post, your consent form needs a separate opt-in for each channel.

If you only use e-mail addresses for marketing, marketing consent is enough. If you plan to segment your audience, you also need consent to profile the data, separate from the marketing consent.
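To make the separate opt-ins above, and the easy withdrawal covered earlier, concrete, here is an added example written for this checklist (not code from the original article): an append-only consent ledger in plain Node.js. Each purpose and channel is its own opt-in, every grant or withdrawal is stored as a timestamped event with the notice version and the source, the latest event wins, and the default with no event is "no consent". The purpose names and the `noticeVersion`/`source` fields are assumptions chosen for the demo.

```javascript
// Added example (not from the original article): an append-only consent ledger
// with one opt-in per purpose and channel, timestamped evidence, and one-call
// withdrawal. No dependencies.

// Assumed purpose names. Each marketing channel and profiling are separate,
// so consent to one never implies consent to another.
const PURPOSES = new Set([
  'marketing:email',
  'marketing:sms',
  'marketing:post',
  'profiling:recommendations',
  'analytics:behaviour',
]);

class ConsentLedger {
  // `now` is injectable so timestamps are deterministic in tests.
  constructor(now = Date.now) {
    this.events = [];
    this.now = now;
  }

  // Every change is a new event; nothing is overwritten, so the controller can
  // later show what was agreed, when, under which notice version, and where.
  record(userId, purpose, granted, { noticeVersion, source }) {
    if (!PURPOSES.has(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    const event = { userId, purpose, granted, noticeVersion, source, at: this.now() };
    this.events.push(event);
    return event;
  }

  grant(userId, purpose, meta) {
    return this.record(userId, purpose, true, meta);
  }

  withdraw(userId, purpose, meta) {
    return this.record(userId, purpose, false, meta);
  }

  // Withdrawing everything must be as easy as granting: one unsubscribe click.
  withdrawAll(userId, meta) {
    return [...PURPOSES].map((purpose) => this.withdraw(userId, purpose, meta));
  }

  // Latest event for this user and purpose wins; no event means no consent
  // (opt-in only, never a pre-ticked default).
  hasConsent(userId, purpose) {
    for (let i = this.events.length - 1; i >= 0; i--) {
      const e = this.events[i];
      if (e.userId === userId && e.purpose === purpose) return e.granted;
    }
    return false;
  }

  // Evidence trail for one user: everything they ever granted or withdrew.
  history(userId) {
    return this.events.filter((e) => e.userId === userId);
  }
}

// Gate a marketing send on the exact channel it uses, nothing broader.
function canSend(ledger, userId, channel) {
  return ledger.hasConsent(userId, `marketing:${channel}`);
}

// Gate a profiling job (segmentation, recommendations) on its own consent.
function canProfile(ledger, userId) {
  return ledger.hasConsent(userId, 'profiling:recommendations');
}
```

Persist the events table as-is rather than a boolean per user: the events are what you show a supervisory authority when asked how and when consent was obtained.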

Wrapping it up

GDPR compliance is a legal requirement for any business that deals with customers in the EU. People whose data is processed for commercial purposes retain rights over it even while the business controls it. For all these reasons you need to build your mobile app to be GDPR compliant. If you fail to, you are more likely to lose your customers' trust and more likely to face large fines, neither of which is good for business. Building a mobile app that complies with the GDPR should therefore be a priority.


    Ronak Patel

    Ronak Patel, the CEO of Aglowid IT Solutions, is a NASSCOM member and a published writer in top tech publications like DZone and Hacker Noon. With a background as a full-stack developer, he brings a wealth of technical expertise. Ronak's marketing acumen complements his technical skills, ensuring the delivery of innovative IT solutions that excel in the market.
