Making your App GDPR compliant: Everything you need to know
With the introduction of the GDPR (General Data Protection Regulation) in the European Union, the playing field has changed drastically in the digital world. Non-compliance can now cost you up to €20 million or 4% of your global revenue, whichever is higher!
Even after one year, most firms are still not GDPR compliant: either they are grossly underestimating the gravity of the situation, or they are unaware of how to make their firm compliant. According to a survey, only half of the companies reported that they were compliant with the GDPR.
The European authorities have started levying fines on companies. Here are a few examples:
A Portuguese hospital was fined 400,000 euros in December 2018. The reason? It allowed its staff to create fake accounts to access patient records. Although there was no ulterior motive, the hospital was punished for willfully defaulting on GDPR compliance.
Google has been fined 50 million euros in France for non-compliance with the GDPR. Google has appealed the fine.
One of the clauses in the GDPR states that once you no longer need data for business purposes, it should be deleted. A taxi company in Denmark found out about this clause the hard way: it had to pay 1.2 million kroner because it chose to keep 9 million records containing personal details such as contact information on its systems.
Facebook was fined around half a million pounds in the Cambridge Analytica data breach case. Had the case unfolded after the GDPR came into effect, the fine could have been a staggering $1.7 billion.
What is GDPR?
The GDPR (General Data Protection Regulation) was passed by the European Parliament in 2016 and came into effect on 25th May 2018. It has replaced the old data protection laws in the EU member states. The GDPR offers better safeguards for EU citizens and makes it mandatory for companies dealing with the data of EU citizens to handle that data in a more responsible manner. The important points to note about the GDPR are:
• All EU states will have a uniform data protection law.
• Any company or business, regardless of its location, that deals with the data of EU citizens comes under the ambit of the GDPR. Hence the impact of the GDPR is global.
Before we see how to make your app GDPR compliant, we need to look at certain key terms in the law.
Important GDPR terms
Data subject:- A user whose data is being collected and processed.
Data processor:- An organization that processes data on behalf of the data controller. For example, Google Analytics or AWS can be classified as data processors.
Data controller:- The entity that collects and processes the data for various purposes. A website or a mobile app collecting user data can be classified as a data controller.
GDPR’S main provisions
Some main provisions of the regulation need to be considered while designing or re-designing your app.
Privacy by design:- Your app must ask only for the information that is absolutely necessary.
Deleting user data:- When a user requests it, you must delete their data. The GDPR also gives the user the right to ask you not to use their data in future.
User consent:- You need to acquire the user's consent to collect any kind of data. Moreover, your app should make it easy for users to withdraw that consent.
Data protection officers:- The GDPR mandates that large organizations hire data protection officers (DPOs), who are responsible for adherence to data protection laws within the company.
So, how do you make sure that your app is GDPR compliant? Follow the guidelines below.
Does your app really need all the personal data?
When you design your app, ask whether it really needs all the data you think it does. Could you do away with that date-of-birth field in your contact form? Is it necessary to ask for the user's country? Ask only for the information that is absolutely necessary for your app to deliver its service, and avoid asking for anything unrelated.
While building a new app or adding a new feature to an existing app, think about privacy before anything else. Don't let privacy be an afterthought; it should be built into your design.
Some of the most common cases where you need to be alert are:
• Your app collects users' emails and phone numbers
• You use Google Analytics or Firebase
• Your app collects users' payment and shipping information
You should also ensure that the third-party services you use are GDPR compliant.
Handle user data in a better manner
If your app stores user data, use strong encryption to secure it and reduce the impact of a breach. Many organizations store sensitive data such as passwords and other details in clear text; this can lead to fines under the GDPR. Passwords in particular should be stored only as hashes, never in clear text. Users should be informed that their data is properly encrypted and hashed. You must also tell them how you plan to use their data and for how long. This will instill confidence in them and will help you obtain user consent more easily.
Acquiring an SSL/TLS certificate so that your app's traffic is encrypted in transit is also a good idea.
If you share user data with third-party companies, you must let users know this and also tell them the purpose of doing so.
Some apps track user activity to understand patterns in buyer behavior. This is especially true for e-commerce companies like Amazon. If your app plans to continue this practice, then under the GDPR you must ask the user's permission first.
Consider sharing the entire process of receiving, handling and deleting data explicitly with the user. This would boost the user's confidence in your app.
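As an added example (not code from the original article): the clear-text password storage the paragraph warns about beside a hardened version that stores only a salted PBKDF2-HMAC-SHA256 hash together with its parameters, so the password itself never reaches the database. It uses only Python's standard library; the iteration count is an assumption based on current OWASP guidance.

```python
import hashlib
import hmac
import os

# The anti-pattern: a record that holds the password itself. Anyone who can
# read the database (a breach, a careless backup, an insider) learns it.
def store_cleartext(password: str) -> str:
    return password

# Hardened version. The stored string carries the algorithm, iteration count
# and salt, so old records stay verifiable when the parameters are raised.
PBKDF2_ITERATIONS = 600_000  # assumption: OWASP guidance for PBKDF2-HMAC-SHA256

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = os.urandom(16)  # unique per user, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never treat as a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so a wrong guess cannot be distinguished by timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```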
Get explicit consent of the user
Under the GDPR, app owners must get explicit consent from users to gather their information. Consent must be asked for in a clear manner; don't try to hide it under confusing terms and conditions.
The GDPR requires you to put up a dedicated consent screen that asks users for their consent explicitly.
Improve your privacy policy and let users know every detail about how their data is used: how you collect it, how you plan to use it, which third parties you intend to share it with and why, and how the user can have it deleted.
Add tick boxes to your signup forms asking for consent to use the data and declaring clearly how you intend to use it. And do not pre-select the tick boxes; no gimmicks, please!
Analyze what tracking codes are installed in your app. Make sure that all of them are really necessary and that you have access to the data they collect.
Users should also be able to withdraw consent easily. For this, you should keep a dedicated screen where users are given the option of opting out.
Subject access request
The GDPR makes it mandatory for you to share details of how you use a user's data if the user asks for it. This is known as a subject access request. The GDPR gives you one month to respond to a subject access request; in complicated cases up to 3 months is allowed. Large organizations might need to invest in resources to respond to such requests.
Data processing agreements
Under the GDPR you are required to sign data processing agreements with your data processors. These set out the legal responsibilities, such as who is in control of the transferred data. It is risky to “assume” that your third-party service provider is GDPR compliant: if a data breach occurs at their end, the GDPR authorities would also hold you responsible.
Deleting user data on request
A powerful tool that the GDPR has given users is the right to be forgotten. Under this provision, you have to erase a user's data when the user asks you to do so. The data could be either under your control or under the control of a third party like Google Analytics.
You should provide a form in your app through which a user can easily request deletion of their data. Ask your third-party service providers how they will comply with this requirement, and understand what you need to do to integrate your app with them so that deletion requests can be processed smoothly.
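An added example, not from the article, sketching the consent and erasure bookkeeping the last few sections describe: consent is refused unless the user actively ticked the box (a pre-selected box is not consent), withdrawal is timestamped rather than silently overwritten, processing is gated on live consent, and an erasure request drops the record and returns the third-party processors (hypothetical names here) that must also be asked to delete.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

@dataclass
class ConsentRecord:
    purpose: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None  # kept as evidence, not deleted

@dataclass
class UserRecord:
    user_id: str
    email: str
    consents: Dict[str, ConsentRecord] = field(default_factory=dict)

# Which processor receives data for each purpose (hypothetical names, assumed).
PROCESSORS = {"analytics": "example-analytics", "marketing": "example-mailer"}

def record_consent(user: UserRecord, purpose: str, ticked: bool) -> None:
    # Only an affirmative act counts; a box the user never ticked is refused.
    if not ticked:
        raise ValueError(f"explicit opt-in required for purpose {purpose!r}")
    user.consents[purpose] = ConsentRecord(purpose, datetime.now(timezone.utc))

def withdraw_consent(user: UserRecord, purpose: str) -> None:
    rec = user.consents.get(purpose)
    if rec is not None and rec.withdrawn_at is None:
        rec.withdrawn_at = datetime.now(timezone.utc)

def may_process(user: UserRecord, purpose: str) -> bool:
    # Processing is allowed only while consent exists and has not been withdrawn.
    rec = user.consents.get(purpose)
    return rec is not None and rec.withdrawn_at is None

def erase_user(store: Dict[str, UserRecord], user_id: str) -> List[str]:
    """Right to be forgotten: drop the record; return processors to notify."""
    user = store.pop(user_id, None)
    if user is None:
        return []
    # Any processor that ever received data for this user must also delete it.
    return sorted({PROCESSORS[p] for p in user.consents if p in PROCESSORS})
```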
Conclusion
Although it might seem a hassle at first, the GDPR will ensure better data security for all. Being GDPR compliant will not only keep you in the good books of the law but also increase your credibility among your users. If you want to make your app GDPR compliant, discuss your needs with a trusted mobile app development company.