The General Data Protection Regulation is officially in effect. Aiming to transform the way companies manage and secure personal data, the EU commission has already warned of hefty penalties for those who fail to comply with the GDPR.
Thus, firms doing business in Europe are scrambling to catch up. But what does GDPR mean? What does it entail? And finally, how will it affect app owners and what are the technical implications for their online applications and operations? Let’s find out.
What is GDPR?
GDPR is the new regulation enforced by the EU in order to strengthen data protection and privacy. It aims to provide more control to EU citizens over their personal data.
Basically, it means that entities that ask users for their personal data on the internet must inform them exactly what will happen to their data in simple language – from the moment it is submitted.
The four-fold most essential aspects of the GDPR can be best explained in their own words –
“Easier access to your own data: individuals will have more information on how their data is processed and this information should be available in a clear and understandable way.”
“A right to data portability: it will be easier to transfer your personal data between service providers.”
“A clarified ‘right to be forgotten’: when you no longer want your data to be processed and provided that there are no legitimate grounds for retaining it, the data will be deleted.”
“The right to know when your data has been hacked: For example, companies and organizations must notify the national supervisory authority of serious data breaches as soon as possible so that users can take appropriate measures.“
How does the GDPR affect my organization?
Citizens of the entire EU will be covered under this set of regulations, including Iceland, Norway and Liechtenstein. Brexit won’t matter as “The UK is implementing a new Data Protection Bill which largely includes all the provisions of the GDPR.” reports Wired.
However, the GDPR will have a more global impact than you think.
Regardless of where your business is based or registered, if you are an organization that processes EU citizens’ personal data (or the citizens of nations mentioned above) then you will have to abide by GDPR rules.
In simple words, you need to understand the GDPR, and how to implement an application that is compliant with the directive, which means providing users complete control over their personal data.
What does the GDPR mean to app developers?
By some estimates by SafeDK, over 50% of applications are still not compliant to GDPR regulations. Maybe that is because apps have many third parties and SDKs integrated- many of these ask for data on users.
It is difficult for publishers to keep track of all of this. But, now there is a law explicitly stating to be in control of this data.
Never have been there a legislation where the needs of the app users have been so comprehensively protected. Therefore, there is a need to create a definite plan that will help developers to create applications that meet the GDPR requirements.
Is your application GDPR compliant and what do to do if it’s not? Let’s find out –
Does your app really need all the data it asks?
The first step to implement privacy optimally is to minimize the size of personal data as much as possible. Does your app need to know the user’s name, birth date, residence etc.? Now, this is not possible in all cases, as some entities do genuinely need this information. Regardless, in each and every case, app development team and management must make it clear why and which data is absolutely necessary.
Does the GDPR include alias information – like ID number and metrics in Google Analytics and other tools as well?
The EU commission makes it clear the ‘personal information’ which constitutes any piece of data about an actual person or any “personally identifiable information” about a particular person which gives you the power to identify him/her. Thus, this is something that should be in your mind during the app development process.
It doesn’t matter if the information is directly or indirectly related to a person, what matters is if it gives the ability to identify the person.
If the de-pseudonymizing needs manpower and resources that are disproportionate to the data accessed then your solution meets the GDPR standards.
Do apps where users put out content, like messaging application applicable to GDPR regulations?
The answer is yes, even apps where users contribute to the content that can reveal their identity like a chatting app is applicable to GDPR standards. This is because as per EU- each user has the right to ask for the deletion of personal data that could lead to their identification.
You have no control over whether users of your app will input someone else’s personal data in your app. Those whose personal information was published on the app without their consent have the chance to contact your Data Protection Officer (a natural person designated by the application owner or anyone carrying out the processing of data on behalf of the owner- like third-party services like Amazon or Google).
In such a case, they can send a request to delete such information from your system and you are obligated to give them such an option.
An example that displays the importance and need of such regulations of security and privacy standards like the GDPR is apparent in the following example where an anonymous French researcher identified as Elliot Alderson flagged serious security and privacy concerns in India’s messaging app ‘Kimbho’ endorsed as a counter to the popular ‘Whatsapp’.
Alderson claimed that he could access all the messages of the Kimbho app, calling it a “security disaster”.
As India has not implemented any legislation like the GDPR regulations, its users are unprotected from cases like these where strict security standards are not maintained.
What about applications that only use logins (without the first/last name) and email?
Apps which only use emails and logins are also applicable to GDPR standards. There is no easy way of mass verification to see if email addresses do or do not contain personal information. Nicknames, however, are used by many on various portals and it is certainly possible to link them to other data.
It is important to note that whenever we are not sure if the elements of the app can help identify the user- it must be assumed that a situation like the one above can happen.
What do you need to know about GDPR compliancy in applications that make use of Google Analytics or the like as third-party solutions?
In case you are seeking the assistance of third party solutions then you need to be sure that they are GDPR compliant. You can do this by reading their Terms of Services thoroughly.
Due to the GDPR resolution guidelines, we have an obligation to make sure the services we use have the necessary security certificates in line with the GDPR standards. As per the regulations, both the services and app owners are equally responsible for any leakage of personal information from the third parties.
Is a written contract necessary for every third party that participates in the data processing?
You are not obligated to have a written contract; the regulations do give you a little freedom with a wider concept of ‘another legal act’. What you need to do is ensure that the contract or another legal act meets the requirements of the GDPR is to check whether the provider whose services you’ll use has a certificate of compliance with GDPR. Certification is voluntary- however, if you want to be sure whether the service provider is prepared to meet the GDPR requirements, check if they have such a certificate.
What should e-commerce apps do where personal information must be submitted in order to ship consignments?
E-commerce apps must be clear in their “Terms of Service” page that all the data that customer gives in the app will be protected. It must also detail a full-list of user’s rights – like for e.g., the right to access, edit and delete their personal information if the customer wishes to do so.
Furthermore, you must gain the user’s consent in order to process their data for application functionality. You also need to adopt the clearest and simple way for the user to confirm their acceptance of the regulations you put forth.
Do you need to appoint a Data Protection Officer (DPO)?
You don’t need a data protection officer on board. The DPO can either be an employee of the Processor (the entity responsible for data processing on behalf of app owner) or Controller (app owner) or a person outside from the group of employees. This gives you some freedom in options and a chance to reduce costs. You can also adopt an outsourcing model that is contractual and can be adapted as per your need and project scale.
In simple words, you don’t have to assign a DPO position separately, you can just outsource it as per your requirements.
What to do if there is a data leak in the system?
If there is a leak in the system, you should report it to the supervising body within 72 hours after being aware of it. You are only exempt from this in case you can prove that the data leak does not violate the freedoms or rights of any individuals. If the reporting is not carried out within the 72 hours’ time frame, it shall be accompanied with a legitimate reason for the delay.
So, what should you do to be ready for the GDPR?
To start with- do your homework regarding the GDPR requirements – appoint a representative that is responsible for being aware of all things GDPR. This will help you develop a baseline understanding of the regulation and how it applies to you.
Then, make sure your leadership and the company is aware of the GDPR requirements and consider appointing a Data Protection Officer or at least have someone on board who has the right expertise.
Your app/ website’s sign up process inevitably collects some personal information, so be clear to users of how, why and for how long their information will be utilized. Explain in simple words and gain explicit consent to process personal information using a positive opt-in- where they tick the boxes of consent.
Your UI and UX must be designed so that they can optimally support data protection by design and default principles. Moreover, also review your users’ email addresses and have a robust incident response plan. Review and update your data processing policies, the same with data processing practices and controls.
Finally, as the app owner make sure that your developers are establishing and maintaining proper safeguards. You can also look into good cyber insurance policies, but seek legal advice before purchasing.
Conclusion
It is important to note that there is no exact guideline that iterates a step-by-step process for being GDPR compliant. It just gives us basic rules of what must be kept in mind while software development.
With this in mind, the final interpretation of the GDPR regulations and decision that the EU judges will take can only be hypothesized, therefore at this initial stage, one can expect a legal approach based on examples (that cannot be predicted) that will happen in the future.
Nevertheless, you must also keep in mind the marketing power of being GDPR compliant. This will give an added value to your business which can also be reflected on the increased inflow of users based on trust and also in future revenues.