Compliance for Mobile Devices
GDPR
What is it?
The General Data Protection Regulation (GDPR) is the most significant change in EU data privacy law in 20 years. It replaces the Data Protection Directive of 1995 (Directive 95/46/EC) and is designed to harmonize data privacy law across the EU, protect the personal data of people in the EU and reshape the way companies and organizations approach data privacy.
Businesses that fail to comply can be fined up to 20 million euros or 4% of their annual global turnover, whichever is higher.
The GDPR governs how personal data is stored and used and aims to ensure that users stay in control of their own data.
The GDPR applies to any business, wherever it is located, whose website or mobile app is used by people in the European Union. Any organization in the world that processes the personal data of EU residents in any manner has an obligation to protect that data and to be GDPR compliant.
Let's first go over a few key definitions.
The first one is data controller: a data controller is the entity that determines the purposes and means of collecting and processing personal data. If you own a website or mobile app and you decide what is collected, how it is collected and for what purpose, then you are a data controller.
The second term is data processor: a data processor is an organization that processes personal data on behalf of the data controller. For example, this can be a third-party service that is plugged into your website or app, such as an analytics tool like Google Analytics, or a cloud service such as Amazon Web Services that hosts or has access to your customers' data.
The third term is data subject: a data subject is a person whose personal data is processed, for example an app user or a website visitor.
Now that we have gone over these terms, let's get into the meat of what the General Data Protection Regulation requires.
Personal data under the GDPR is any information relating to an identified or identifiable natural person. For a website or app this covers far more than a name: an email address, a user ID, a device identifier, an IP address or an advertising identifier is personal data whenever it can be linked back to a person.
How to become GDPR compliant?
The ten things you should consider in order to have a GDPR compliant mobile app:
Privacy by Design
Privacy by design is now a legal requirement under the GDPR (Article 25, data protection by design and by default). From the moment you start creating your mobile app you should be considering your users' privacy. The data minimisation principle in Article 5(1)(c) means your app must only collect and process the personal data that is actually necessary for its purpose. Think about your users' data from the very start and do not let it be an afterthought. In addition, encrypt whatever personal data you do collect with a strong, standard algorithm (AES with an authenticated mode, keys held in the platform keystore rather than next to the data); this limits the impact of a data breach, and the GDPR explicitly names encryption as an appropriate safeguard (Article 32).
Ask for Explicit Consent
Under the GDPR, every use of personal data needs a lawful basis (Article 6). For the optional processing typical of mobile apps, such as advertising, analytics and crash logging, that basis is normally the user's consent, which you must request and receive before the data is collected, used or transferred. The opt-in must be clear and understandable: you will not get away with confusing terms and conditions that nobody is likely to read or fully understand, and consent buried in a general acceptance of the terms does not count. Show a consent screen before the processing starts (typically on first launch), explain on that screen what data will be used and for which purpose, and do not start SDKs that collect data until the user has agreed. Your users must also be able to withdraw consent as easily as they gave it (Article 7(3)), so provide an opt-out in the app's settings or on your website that is as easy to reach as the opt-in was.
Provide Visibility and Transparency
One of the most important aspects of the GDPR is transparency about how the data you collect is actually used. As the data controller you must tell your users, in a clear and understandable privacy policy, what you collect, why, who it is shared with and how they can manage and protect their data. This not only benefits the users of your mobile app but is also a requirement of the app stores: Google Play requires a privacy policy link both on your Play Store listing and inside the app for apps that handle personal or sensitive data, and can remove an app that does not provide one. A sidebar or menu item that links to the legal terms of your mobile app is a simple way to meet this. It lets users easily find, read and understand how your mobile app and any external services it embeds use their data.
Respond to user requests
If someone asks what personal data you hold about them and how you use it, under the GDPR you are legally obligated to respond. This is called a subject access request (Article 15). When a user asks for information about their data or for a copy of the data your mobile app holds, you have one month to respond. For complex or numerous requests the deadline can be extended by a further two months, but you must tell the user about the extension, and the reason for it, within the first month (Article 12(3)). Our recommendation is to create a page on your website and in your mobile app that includes your business contact information, so that users can reach you easily. Be prepared to verify that the requester really is the data subject before handing over a copy of their data, since answering a request from the wrong person is itself a breach.
The Right to be Forgotten
Article 17 of the GDPR establishes the right to erasure, also known as the right to be forgotten. This means that when a user asks you to remove the personal data you acquired through your website or mobile app, you are obligated to remove every personal detail you hold on them, unless a legal obligation requires you to keep it (Article 17(3)). Take such requests seriously and carry them out on every system you control, including backups and log archives, and also on the data you hold through third-party tools such as Google Analytics, which means you need to know in advance which processors hold the data and how deletion is requested from each of them.
Review Services and SDKs you use
If your app sends personal data to an external service for processing (for example, a service that analyzes app usage), then you need to be clear and transparent about where that data goes and who will be in control of it after the transfer. You must sign a data processing agreement with each of your data processors; this is a general requirement under the GDPR (Article 28). Do not assume that all the third parties and SDKs connected to your app are GDPR compliant. If a data breach at one of your third parties exposes your users' data, you remain responsible as the controller, so you should only contract with providers that can give sufficient guarantees that GDPR requirements will be met and that your users' data will be properly protected. In practice this means keeping an inventory of every SDK in the app, what data each one receives and where it is sent, and removing the ones you cannot justify.
Data Breach Notifications
The GDPR imposes tight deadlines for breach notification. A personal data breach must be reported to the national supervisory authority within 72 hours of your becoming aware of it, unless it is unlikely to result in a risk to the people concerned (Article 33). When the breach is likely to result in a high risk to your users, you must also inform them directly and without undue delay (Article 34). Establish a clear step-by-step process now that you can follow in case of a breach, including who assesses the risk, who drafts the notification to the supervisory authority and how you will inform your users. You should also invest in logging and monitoring that alert you when something is wrong: the 72-hour clock starts when you become aware of the breach, and a breach you cannot detect is one you cannot report in time.
Appointing a Data Protection Officer
Your company may need to appoint a Data Protection Officer in order to be GDPR compliant. This applies to you if:
- You are a public authority, except for courts acting in their judicial capacity
- Your core activities require a large-scale, regular and systematic monitoring of individuals such as online behavior tracking
- Your core activities consist of large-scale processing of special categories of data, or data relating to criminal convictions and offenses
Assess whether your business needs a DPO in order to be compliant (Article 37). If so, appoint one, publish the DPO's contact details and inform your website or mobile app users of how they can contact the DPO.
Encryption and Data Storage
Ensure that all of your app's external communication uses TLS (HTTPS for web APIs); the older SSL protocol versions are broken and must not be enabled. Any personal data sent without TLS travels in clear text across the Internet and across whatever Wi-Fi network the device happens to be on, where it can be read or modified. Enforce this at the platform level rather than relying on each developer to remember https:// in every request: Android's network security configuration and iOS App Transport Security can both refuse cleartext connections for the whole app, which also covers the third-party SDKs embedded in it. For data at rest, store personal data only in the app's private storage, encrypt it, and keep the key in the device keystore (Android Keystore, iOS Keychain) rather than alongside the data.
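The following Android network security configuration is an added example and is not part of the original article. It shows the weak setting (cleartext permitted) beside the hardened one, restricts trust to the system CA store, and pins the public keys of the host that receives personal data. The host name api.example.com, the expiry date and the two pin values are placeholders; replace them with your own backend host and the base64 SHA-256 hashes of its public keys.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, not from the original article).
     Enable it from AndroidManifest.xml with
       <application android:networkSecurityConfig="@xml/network_security_config" ...>
     api.example.com and the two pin values are placeholders; replace them with your
     backend host and the base64 SHA-256 hashes of its SubjectPublicKeyInfo. -->
<network-security-config>

    <!-- Weak setting: cleartextTrafficPermitted="true" (the platform default when the
         app targets an API level below 28) lets any HttpURLConnection or OkHttp call to
         an http:// URL succeed, so personal data can leave the device in clear text.
         Setting it to false here applies to the whole app, including embedded SDKs. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- Trust only the system CA store. User-installed CAs are not listed, so a
                 proxy CA added to the device by an attacker (or a tester) is not trusted
                 in release builds. -->
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Stricter rules for the host that receives personal data: pin its public keys so a
         mis-issued or compromised CA certificate is not enough to intercept the traffic.
         Always ship a backup pin for key rotation, and set an expiration so a forgotten
         rotation cannot lock users out (after the date Android falls back to normal CA
         validation instead of pinning). -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-12-31">
            <!-- Placeholder pins: base64 of the SHA-256 hash of the leaf and backup keys. -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>

    <!-- Debug builds only: allow a user-installed CA so the team can inspect traffic with
         an interception proxy during testing. Android ignores this block unless the app
         is built with android:debuggable="true". -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

To check that the setting is actually in force, point a release build at an http:// URL and confirm that the request fails with a "Cleartext HTTP traffic ... not permitted" error rather than succeeding. On iOS the equivalent control is App Transport Security, which is on by default and requires HTTPS with TLS 1.2 or later; the weak setting there is NSAllowsArbitraryLoads set to YES in Info.plist, which should never ship in a release build.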
Log and Justify your data collection
Article 30 of the GDPR states that each controller, or the controller's representative, "shall maintain a record of processing activities under its responsibility". That means that, to ensure your GDPR compliance, you should start documenting all the personal data you collect, whether directly or through a third party: what you collect, for which purpose and on which legal basis, where it is stored, which processors and other recipients it is shared with, how long you keep it and which security measures protect it. Keeping this record up to date as SDKs and features are added is what makes the other obligations above, from access requests to erasure and breach notification, practical to carry out.