How to Make Your Mobile App GDPR Compliant

by Aditya Modi March 22, 2019

GDPR is the Euro Zone’s new data protection regulation. The General Data Protection Regulation, or ‘GDPR’, came into effect on 25 May 2018 and governs how a company, application or website must protect the stored and in-transit data of its EU residents, whether it operates inside or outside the continent. GDPR infringements can lead to fines of up to 20 million euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. British telecom conglomerate TalkTalk made quite a name for itself after the European Data Protection Board (EDPB) issued it a half-million fine over a data breach.

GDPR TIP #1: Don’t put your European users in the same basket as Asians and Americans

It’s not just European Union officials being overly cautious; EU residents are equally vigilant. TalkTalk lost more than 100,000 customers in the aftermath of the breach. Unlike in the Americas and Asia, privacy is such a big deal in Europe that some European, and even American and Chinese, companies use data protection and privacy as a selling point for their digital products. A hefty fine for GDPR non-compliance will gather a lot of bad press, which for many years will negatively influence the decisions of potential customers researching their options.

The Expected Virtue of Ignorance is Hefty Fines

EDPB won’t take your ignorance as an excuse if you come under the scanner. When Vanson Bourne surveyed 1,600 organizations, it found that 37% of respondents don’t know whether their organization needs to comply with GDPR, while 28% believe they don’t need to comply at all. GDPR has the potential to make your firm file for liquidation to pay the fines, or to bar it from operating in the zone. Europe is a key market, and preparing for GDPR compliance is hardly an impossible task.

GDPR TIP #2:  Stop thinking you’ll get away with penalties by playing dumb.

EDPB might slap you with an even higher fine for putting a dumb person in charge of your users’ data privacy, not to mention the subsequent bad press.

The smartest move right now would be to start reviewing the data you collect and store. If you ever end up in a GDPR hearing, the members of the GDPR board would be very much interested in why you collected a given set of data. For example, if your mobile app plays nursery rhymes, a member of the board would love to learn why you collected location data. Answering that you target nursery rhymes according to the location of the kids would only make the case worse. So start acting and stop thinking. Mobile apps, of course, are at greater risk than websites because they collect a lot more data, store most of it, and are infamous for sharing data without users’ consent.

Mobile Apps are Subjected to Greater Scrutiny in GDPR

The more data you store, the greater the implications of GDPR for you. As I said, EDPB won’t let you get away with excuses, and non-compliance with GDPR will probably cost you more than compliance. GDPR compliance won’t even be an effort if your organization already follows the best practices of user privacy and data protection. However, if your privacy policy clearly states that you will share customer data with advertising partners once somebody agrees to the T&C, then you’re already in breach and may attract penalties, with a printout of your T&C page put against you as evidence. ‘Consent’ is repeated many times in the GDPR documents, and you don’t want to ignore it.

Users’ Consent Matters More than Anything Else

Both Android and iOS have excellent permission managers. The problem is that they treat every permission request at the same level. That is, a navigation app and a Flappy Bird clone can both ask for location permission in the same way. GDPR, however, would put the two requests at different levels of severity. Flapping birds on your phone don’t need to learn where you’re sitting. A maps app, on the other hand, needs access to highly accurate location data to run navigation services.

GDPR TIP #3: Don’t ask for unnecessary permissions

If your application asks for permissions beyond what it needs, GDPR expects you to tell your users why you need them. If you need certain permissions to store information for targeted advertisements, you must warn your customers of the true intent.
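A build-time check that enforces this is worth more than a policy document. The following is an added example, not code from the original post or from TOPS: it parses a constructed Android manifest fragment for the nursery-rhyme player used as an example above and reports every `uses-permission` entry that has no documented purpose in a hypothetical "purpose register" (the same reasons that belong in the privacy notice). The manifest, the package name and the register contents are all assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Android attributes such as android:name live in this XML namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest fragment for a hypothetical nursery-rhyme app.
# Location and contacts have no bearing on playing rhymes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rhymes">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.WAKE_LOCK" />
</manifest>
"""

# Hypothetical purpose register: every permission the app requests must map
# to a stated reason, and that reason must also appear in the privacy notice.
PURPOSE_REGISTER = {
    "android.permission.INTERNET": "stream rhyme audio from our CDN",
    "android.permission.WAKE_LOCK": "keep playback running with the screen off",
}


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission")]


def audit_permissions(manifest_xml, register):
    """Split requested permissions into (justified, unjustified) lists."""
    justified, unjustified = [], []
    for perm in requested_permissions(manifest_xml):
        (justified if perm in register else unjustified).append(perm)
    return justified, unjustified


def ci_gate(manifest_xml, register):
    """True when every requested permission has a documented purpose.

    Wire this into the build so an undocumented permission fails the build
    instead of reaching the store listing.
    """
    _, unjustified = audit_permissions(manifest_xml, register)
    for perm in unjustified:
        print("no documented purpose for permission:", perm)
    return not unjustified


if __name__ == "__main__":
    ok = ci_gate(SAMPLE_MANIFEST, PURPOSE_REGISTER)
    print("manifest passes permission audit:", ok)
```

In this constructed case the gate fails on `ACCESS_FINE_LOCATION` and `READ_CONTACTS`; adding either permission back requires first writing down the reason, which is exactly the question a board member would ask.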

So I downloaded a news app and did not give it permission to share my personal details with advertisers. The app clearly states that advertisements are its method of monetization, and if I want an ad-free experience I need to upgrade to the premium version of the app to continue. Fair enough!

Store the Data When You Absolutely Have To

Data is the new oil, and businesses don’t want any of it to go to waste. Most business logic dictates storing every piece of data a mobile app collects. When it comes to GDPR, the more data you store, the greater the risk. Collecting data you don’t need is not a problem as long as you have a secure way to delete it. Companies that store too much data for their size are already under the GDPR scanner. GDPR won’t be a problem for them if they know what they are going to do with that data.

GDPR TIP #4: Do not collect data in the first place

However, EDPB would consider any act of storing data you don’t need as a case of suspected infringement and may subject you to further investigation. The philosophy is that if you’re storing the data, you need it, and the board wants to learn the reason. If you don’t have a reason, the board will have many things to suspect, not restricted to selling data on the dark web, sharing it with CPC officials, illegal data mining, social engineering, etc.

Delete any Piece of Data that Identifies a Person, Unless…

If you hold any piece of data in public directories that can be tied to a person, you’re playing with fire. User privacy is of utmost importance to Europeans, and the government won’t let an offender go without a fine.

GDPR TIP #5: PII data attracts the highest penalties

The Euro Zone has strict regulations around personally identifiable information, or PII. For example, in the US and elsewhere a user’s IP address is not classed as PII on its own, but is classified as linked PII. In the European Union, however, the IP address of an Internet subscriber may be classed as personal data. If you log the IPs of people using your app and store them in plain .txt files, you’re already in breach.

PII deserves an encrypted and secure location, whether in the cloud or in the local storage of your app. Server storage inside a Euro Zone country would turn out to be a life saver if EU officials ever come knocking on your door.
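The IP-in-a-text-file problem above is usually created by a logging line nobody thought about. The following is an added example, not code from the original post: a log sanitiser that is run on each line before it is written to disk. It finds IPv4 and IPv6 candidates with a regular expression, confirms each with the standard `ipaddress` module so that timestamps such as `10:15:01` are left alone, and replaces the address with a marker. A second helper shows keyed pseudonymisation with HMAC for teams that still need to correlate requests from one client; note that pseudonymised data is still personal data under GDPR, so the key has to be protected and the output still belongs in the encrypted store, not a plain .txt file. The log lines and the key are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import re

# Candidate matcher only; every hit is validated with ipaddress.ip_address()
# so that dates, times and version strings are never mangled.
_IP_CANDIDATE = re.compile(
    r"\b(?:\d{1,3}\.){3}\d{1,3}\b"                       # IPv4
    r"|\b(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}\b"   # IPv6
)

REDACTED = "[ip-redacted]"

# Constructed access-log lines for the example.
SAMPLE_LOGS = [
    "2019-03-22T10:15:01Z GET /rhymes/42 203.0.113.7 ok",
    "2019-03-22T10:15:03Z GET /rhymes/42 2001:db8::1 ok",
    "2019-03-22T10:15:05Z GET /health 127.0.0.1 ok",
]


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def redact_ips(line):
    """Replace every real IP address in a log line with a fixed marker."""
    def swap(match):
        token = match.group(0)
        return REDACTED if _is_ip(token) else token
    return _IP_CANDIDATE.sub(swap, line)


def pseudonymise_ip(ip, key):
    """Keyed, truncated HMAC of an address: stable per client, not reversible
    without the key. Still personal data under GDPR; protect the key."""
    digest = hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()
    return "ip:" + digest[:16]


def sanitise_log(lines, key=None):
    """Return lines safe for plain-text storage. With a key, addresses are
    pseudonymised instead of dropped."""
    if key is None:
        return [redact_ips(line) for line in lines]

    def swap(match):
        token = match.group(0)
        return pseudonymise_ip(token, key) if _is_ip(token) else token
    return [_IP_CANDIDATE.sub(swap, line) for line in lines]


if __name__ == "__main__":
    for line in sanitise_log(SAMPLE_LOGS):
        print(line)
```

Run this in the logging pipeline itself rather than as a periodic clean-up, so that the raw address never reaches disk in the first place.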

Play with Data Encryption and Secure Connections

Any stored data must be encrypted and transmitted over an SSL connection, particularly when dealing with PII. If your application accesses an API over a non-secure connection, you must say so to the user, with a statement that they should proceed at their own risk. If the user then suffers a privacy violation while accessing data from that API, it would be at their own discretion and would give you the upper hand if you ever end up in a GDPR trial.

GDPR TIP #6: Say goodbye to HTTP once and for all
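Tip #6 is simplest to follow when the client refuses plain HTTP outright rather than warning the user. The following is an added example, not code from the original post or from TOPS: an endpoint audit that flags any configured API base URL whose scheme is not `https`, a hardened TLS client context (certificate verification, hostname check, TLS 1.2 minimum) next to the permissive "make the certificate error go away" variant that often survives into production, and a check that tells the two apart. The endpoint list is constructed for the example; the `ssl` calls are Python standard library.

```python
import ssl
from urllib.parse import urlsplit

# Constructed API configuration for a hypothetical app; one legacy entry
# still points at plain HTTP.
API_ENDPOINTS = [
    "https://api.example.com/v1/rhymes",
    "https://auth.example.com/oauth/token",
    "http://legacy.example.com/v1/ads",
]


def insecure_endpoints(urls):
    """Return every configured endpoint that is not served over HTTPS."""
    return [url for url in urls if urlsplit(url).scheme != "https"]


def require_https(url):
    """Gate used at request time: refuse to talk to a non-HTTPS endpoint."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing non-HTTPS endpoint: " + url)
    return url


def build_client_context():
    """Hardened client context: verifies the server certificate against the
    system trust store, checks the hostname, and refuses TLS below 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def permissive_context():
    """The setting that silences certificate errors; shown for contrast
    only. It accepts any certificate from anyone, so the connection is
    encrypted but not authenticated."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_hardened(ctx):
    """True only when the context verifies peers, checks hostnames and
    enforces a TLS 1.2 floor."""
    return (
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


if __name__ == "__main__":
    print("insecure endpoints:", insecure_endpoints(API_ENDPOINTS))
    print("hardened context ok:", is_hardened(build_client_context()))
    print("permissive context ok:", is_hardened(permissive_context()))
```

The `insecure_endpoints` check belongs in the release pipeline next to the permission audit; `is_hardened` is the unit test to keep around so that a permissive context cannot be reintroduced quietly.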

Present Yourself as Accountable in Case of a Breach

Breaches happen, and even the finest security measures and practices can’t always prevent them. If your mobile app suffers a breach in which the intruder gets hold of your users’ PII and uploads it to a public domain, you must report the breach immediately.

The board fined TalkTalk heavily because it reported the breach many months later, after the rumor mills got too strong to ignore.

GDPR TIP #7: Report data breaches at the earliest

You’re the head of the company; the board expects you to be accountable for the breach and not play blame games with your colleagues. Such games only show your inability to take stock of the situation and act responsibly. The board will levy even higher fines for hiring a douche and not being serious about your users’ data security.

If you adhered to the best practices dictated by GDPR, there is nothing to worry about; present your case in a systematic manner and convince the jury that the intruders broke the locks while the keys were in safe hands.

Co-operate with the Agencies and Board Members

If a GDPR notice ever comes knocking at your door, there is no point in playing hide and seek with the investigators. Chances are they already have enough evidence to file a charge and are only there to clear the air and find some supporting evidence. If you don’t co-operate, it will raise more questions than they want answers to, and this will weaken your case further.

GDPR TIP #8: Confess, when you’re at fault

If you co-operate with them during the interrogation, answer the questions they ask and clear their doubts, that may clear up some misconceptions regarding your practices around stored data, and you might come out clean.

Developing GDPR Compliant App with TOPS

At TOPS, we follow the best security and data protection practices to safeguard your users’ interests regardless of their country of residence. Mobile apps developed at TOPS deliver a superior level of data security for stored and in-transit data, owing to encryption and HTTPS respectively. Mobile app development is done in a way that follows the strictest standards of data security and protection. Apps developed by us receive security updates from time to time. When developing for European markets, we already comply with most of the guidelines issued by GDPR, and we are working closely with our clients and partners to deliver applications in compliance with GDPR.
