On May 25, 2018, the European Union's General Data Protection Regulation (GDPR) became applicable across the EU.
Trust us: it is better to prepare your app to abide by these EU rules than to set aside a solid amount of money for paying fines.
“Up to €20 million, or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher” – that is what a business would have to pay for infringing some of the articles of GDPR.
Anyone who does business in a European Union country, or who offers an app to people located in the EU, should be concerned with the new data privacy rules; the regulation applies to processing the personal data of people in the EU regardless of where the company sits (Article 3).
Failure to comply with the legislation might cause serious financial damage.
We strongly advise you to run your app through a decent GDPR compliance checklist to avoid problems.
Below we list some adjustments that must be made to a mobile app as quickly as possible to make it GDPR-compliant.
Adopt privacy by design
Privacy is the reason GDPR exists in the first place. You should prioritize the user's privacy at the earliest stages of mobile app development.
The concept is simple to state, if harder to apply. Start by establishing the minimum set of data the app can live on. Under GDPR's data minimisation principle (Article 5(1)(c)) and its requirement of data protection by design and by default (Article 25), an app operator may only collect, process and store data that is necessary for the stated purpose.
This is especially relevant for sensitive data. Mobile apps used to collect all sorts of data, including the user's religion, sexual orientation, political affiliations, and even criminal history. GDPR treats the first three as special categories that may only be processed under narrow conditions (Article 9) and covers criminal conviction data separately (Article 10).
This should not happen anymore – it is unnecessary and violates the regulation. Users will appreciate the extra care for their privacy, and the legal requirements will be met, if you consider privacy from the very start.
Make sure you get explicit consent for everything
Let's make it clear – a system permission is not the same as explicit informed consent.
When your app asks for access to location, for instance, the operating system is only asking whether the user trusts the app with that capability.
When you ask for consent to use data in your app, you make the user enter an agreement between you (the one who uses their data) and them (the person whose personal data it is).
So you have to ask every user to opt in to each kind of data collection. Consent is one of several lawful bases (Article 6), but for anything beyond what the app strictly needs to function it is the one you will usually rely on, and in practice that means a consent screen at first launch, before any data is collected. Consent must be freely given, specific, informed and unambiguous (Article 4(11) and Article 7); silence, inactivity or pre-ticked boxes do not count. Don't forget that withdrawing consent must be as easy as giving it (Article 7(3)).
Notices shown to users should also tell them how, where and for what purpose their data will be used; only then is the consent informed.
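As an added illustration of the opt-in and withdrawal mechanism described above (this is example code, not code from the original article or from Belitsoft), the following Python sketch keeps an append-only consent ledger per user and gates a location collector on it rather than on the OS permission. The purpose names, the `POLICY_VERSION` constant and the `LocationCollector` class are assumptions made for the example; a real app would persist the ledger and present the consent screen through its UI framework. The ledger's `history` method is also the kind of record you would answer a Subject Access Request from.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed: the identifier of the currently published privacy notice.
# Bump it whenever the wording users consented to changes.
POLICY_VERSION = "2018-05"


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str          # e.g. "location", "analytics" (names assumed for the example)
    granted: bool         # True = opted in, False = withdrew
    policy_version: str   # which notice text the user saw
    at: datetime


class ConsentLedger:
    """Append-only record of consent decisions per user.

    Nothing is ever overwritten: a withdrawal is a new event, so the ledger
    can show exactly what each user agreed to, when, and under which notice.
    """

    def __init__(self) -> None:
        self._events: Dict[str, List[ConsentEvent]] = {}

    def _record(self, user_id: str, purpose: str, granted: bool,
                policy_version: str, at: Optional[datetime]) -> ConsentEvent:
        event = ConsentEvent(purpose, granted, policy_version,
                             at or datetime.now(timezone.utc))
        self._events.setdefault(user_id, []).append(event)
        return event

    def grant(self, user_id: str, purpose: str,
              policy_version: str = POLICY_VERSION,
              at: Optional[datetime] = None) -> ConsentEvent:
        return self._record(user_id, purpose, True, policy_version, at)

    def withdraw(self, user_id: str, purpose: str,
                 policy_version: str = POLICY_VERSION,
                 at: Optional[datetime] = None) -> ConsentEvent:
        return self._record(user_id, purpose, False, policy_version, at)

    def is_allowed(self, user_id: str, purpose: str,
                   policy_version: str = POLICY_VERSION) -> bool:
        """Default deny: no recorded opt-in means no processing.

        The latest event for the purpose decides, and consent given under an
        older notice does not carry over once the notice text has changed.
        """
        for event in reversed(self._events.get(user_id, [])):
            if event.purpose == purpose:
                return event.granted and event.policy_version == policy_version
        return False

    def history(self, user_id: str) -> List[ConsentEvent]:
        return list(self._events.get(user_id, []))


class LocationCollector:
    """A collection point gated on recorded consent, not on the OS permission."""

    def __init__(self, ledger: ConsentLedger) -> None:
        self._ledger = ledger

    def collect(self, user_id: str, lat: float, lon: float) -> Optional[dict]:
        # Even with the OS location permission granted, without a recorded
        # opt-in the fix is simply not collected.
        if not self._ledger.is_allowed(user_id, "location"):
            return None
        return {"user": user_id, "lat": lat, "lon": lon,
                "basis": f"consent:{POLICY_VERSION}"}


def walkthrough() -> List[Optional[dict]]:
    """Constructed scenario: no consent, opt-in, withdrawal; collection stops."""
    ledger = ConsentLedger()
    collector = LocationCollector(ledger)
    results = [collector.collect("user-1", 52.52, 13.40)]       # no consent yet
    ledger.grant("user-1", "location")
    results.append(collector.collect("user-1", 52.52, 13.40))   # collected
    ledger.withdraw("user-1", "location")
    results.append(collector.collect("user-1", 52.52, 13.40))   # refused again
    return results


if __name__ == "__main__":
    for result in walkthrough():
        print(result)
```

Two design points matter here: the default is deny, so a code path that forgets to check consent cannot accidentally collect, and a re-worded privacy notice invalidates earlier consent, which forces the consent screen to be shown again instead of silently carrying old agreements forward.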
Get prepared for responding to user requests
If a person is unsure how you are using their data, they may send you a written or digital request asking for a copy of that data and an explanation of how it is used. This is called a Subject Access Request (Article 15).
As the app owner you are legally obliged to respond within one month of receiving the request; the period can be extended by two further months for complex or numerous requests, but you must tell the person within the first month (Article 12(3)). This may force you to invest more in customer service. You generally cannot charge for such requests; a reasonable fee is allowed only for manifestly unfounded or excessive ones (Article 12(5)).
It is better to build an internal process for generating the responses to such requests, including a way to locate every record tied to a given user.
Provide maximal security and send timely data breach notifications if things go wrong
Regardless of the effort one puts into securing users' data, intrusions do happen: the Equifax and Uber data breaches, the infamous Yahoo! problems with data security…
Under GDPR, a breach of personal data must be reported to the supervisory authority within 72 hours of becoming aware of it (Article 33), and the affected users must be told without undue delay when the breach is likely to result in a high risk to them (Article 34).
Invest in monitoring that can detect and flag high-risk incidents, and establish the procedure for reacting to a data breach before one happens.
It goes without saying that security is the top priority by default.
Make sure terms and conditions are crystal clear and easy to understand
This is the easiest thing to do, yet it causes a lot of trouble.
This point is interlinked with the one about informed consent.
After you figure out all the regulations your mobile app must meet, make them as easy as possible for users to understand; GDPR itself requires the information to be concise, transparent, intelligible and in plain language (Article 12). You can lay it all out on a single screen or in small portions. Just don't forget to mention every subtlety there is.
If you are planning to have users in the European Union, be prepared to study plenty of documentation about user privacy. We have listed some adjustments you can make. Applying them is already useful, but they are just the start of a comprehensive compliance process.
Dmitry Garbar is a partner/department head at Belitsoft. He has been working in IT for 11 years, first as a developer, then – in project management roles. Dmitry has delivered over 200 projects in Healthcare, Financial, and other data-sensitive domains.