Next May, Europe’s data protection rules will undergo a major overhaul. The existing Data Protection Act (DPA) will be replaced by the European Union’s (EU) General Data Protection Regulation (GDPR), a framework that will change how businesses and public sector organizations can handle customers’ personal data – with much tougher punishments for those who fail to abide by the new rules.
The GDPR is meant to unify data protection for all individuals within the EU, as well as address the export of personal data outside of Europe. It aims to return the control over personal data to European nationals and residents and to simplify the regulatory environment in which international business is conducted.
Once implemented, the new regulation will be binding on all companies processing and holding personal data of people residing in the European Union, regardless of the company’s location. This includes mobile apps. Businesses will have to prove they have made the necessary changes to protect user data, or face hefty fines for noncompliance – 20M Euros or 4% of their annual profit. What’s more, mobile apps found to be noncompliant run the risk of being banned from app stores; a risk no business should be willing to take.
Main highlights of the GDPR
Below are some key highlights from the GDPR act that you should pay attention to, as you need to take these into consideration when planning your mobile app’s GDPR preparation project:
The right to be forgotten
Under the GDPR, European nationals have the right to Data Erasure. Namely, people can have data controllers (the mobile app developers in our case) delete all of their personal data, halt the future publication of any data and potentially stop third parties from processing the data, should the data become irrelevant to the original processing purposes, or should consent to their publication be withdrawn.
According to the new regulation, businesses must request and receive consent to collect, use and move personal data. This request must be made – and consent given – in a clear, intelligible and easily accessible form, without any confusing legalese. People must be able to withdraw consent just as easily as they are able to give it.
Mandatory data breach notifications
In the event that your database is breached, you must notify users, as well as authorities, within 72 hours of becoming aware of the leak. This is extremely important, as data breaches could result “in a risk for the rights and freedoms of individuals.”
Privacy by design
Though this is not a new concept, under the GDPR, privacy by design will become a legal requirement. This means that privacy and data protection will be required to be critically considered at the start and throughout a project’s lifecycle. According to Article 23 of the GDPR, controllers must only hold and process data that is absolutely necessary for a project to be completed. In addition, data access should be limited to only those personnel in charge of the processing.
Data Protection Officers
Under the GDPR, internal record keeping requirements and the appointment of data protection officers (DPOs, employees charged with managing data protection) will be mandatory for large enterprises. DPOs will be hired for their expert knowledge on data protection laws and practices.
So, what does GDPR mean for Mobile App developers and how can they prepare?
GDPR defines “personal data” as the recording of any data that could identify an individual. Identifiers can include names, phone numbers and addresses, as well as digital information, such as usernames, locations, behavior and more. This regulation therefore affects mobile app developers as well.
App developers and publishers are entirely and directly responsible for their users’ data. App owners must ensure complete visibility and real-time control over app usage and activity. They must first learn everything about how they obtain, store, transfer and use data, in order to improve security. Upgrades to servers and new firewall configurations may be necessary. Developers and publishers must also keep track of changes within the data, as well as digital and physical access to it. This means that a complete history of changes must be documented. Any data that travels between the app and the server should be encrypted and secured, in addition to the adequate hashing of user passwords.
To ensure that data processors can accurately create a complete history of changes while guaranteeing confidentiality, the following measures must be implemented in mobile app design, installation and usage:
- Determine whether the app really needs all of the data
- Inform the user and obtain consent
- Respond to user requests
- Encrypt user data
- Ensure users are updated about security incidents
- Know your technology and potential weak links
A weak link alert: SDKs
“In our increasingly interconnected workplace, companies must consider not only their own system integrity but also the system integrity of any other party with access to their computer systems,” says Steve Durbin, managing director of the Information Security Forum. “Hackers will seek the weakest link, and that link is often a third-party provider. A company’s robust internal practices and policies may be futile if that company’s vendors are not secure.”
Therefore, even if the app publisher has taken all the steps required for its app to be GDPR compliant, what about the SDKs? They are a blind spot to which app publishers must give extra attention in their GDPR efforts.
Special care should be taken to prevent the app from communicating personal data to a third party in a way that could expose the app to data breaches. If SDKs have been implemented within the mobile app and the SDKs try to access identifying data, the responsibility for the data collection and usage is still the app publisher’s. Validating the compliance of every aspect that goes into the app becomes critical under the GDPR.
As GDPR enforcement day draws near, mobile app developers and publishers (data controllers) must learn to deal with third-party (SDK) vendors (data processors) who can access the mobile app’s data. Any third parties or organizations who will use the mobile app’s data must be explicitly listed in the consent form, according to GDPR guidelines. This is because, as mentioned above, the data controller is fully responsible for the readiness and conduct of the processors that store or use EU citizens’ personal information.
App owners need to mitigate the risk and stay in control of the SDKs they work with, to avoid GDPR violations and minimize their exposure. Here’s how:
- Identify and study all relevant processors to understand what data is stored and processed, how well each processor protects personal data, and how they are working towards becoming GDPR compliant.
- Study your own data locations and practices and ensure the data is segregated and protected.
- Ensure you have a strong internal security policy and enforce it.
- Determine whether you need to hire a DPO.
- Inquire and make sure that the SDKs you work with don’t gather and save data in their own databases.
- Map out the path the data takes during the processing lifecycle to ensure adequate security is implemented at each stage.
- Make sure that the SDK has adequate security measures to ensure the safety of your users’ data. Include strict confidentiality, data privacy and data residency clauses in any contract drawn up with an SDK.
- Take advantage of automated tools that can help you stay in control and consistently monitor 3rd party providers’ impact on your app, as well as provide alerts and help you take measures to handle problematic areas.
This coming May, the GDPR will revolutionize the way data is handled by organizations and enterprises. Data protection regulations will better protect users and aim to prevent personal data breaches, like a few we have seen recently. To comply with the new regulations and avoid steep fines, companies, including mobile app publishers, will have to modify their data processing and storage practices, especially with respect to third-party services (SDKs). Automated monitoring and control tools can be very useful here.
To provide European citizens with increased privacy and protections, and to require businesses to exhibit greater accountability and compliance, a continent-wide personal data protection revolution was of the essence. The GDPR will provide just that.
SafeDK helps you comply with the GDPR by identifying personal information access, providing granular control over permissions per SDK, and sending real-time alerts when an SDK accesses data or a personal data breach occurs. In addition, in the event a breach is detected, SafeDK allows you to instantly block SDK permissions.
Want to learn more about how we can help your mobile app comply with GDPR? Click HERE to contact us.