What is GDPR?
The General Data Protection Act (GDPR) is set to take effect on 25th May 2018 and companies are putting in place measures to combat potential vulnerabilities where sensitive data could be lost.
In short, GDPR is a set of rules created by the European Parliament, European Council and European Commission that regulate how every organisation must protect and manage personal data pertaining to individuals within the EU.
The full GDPR documentation is available to read online but the main things to note are;
The right to be forgotten: Users can request to have all their personal data deleted Explicit consent: Businesses must request consent to collect, use and move customer data Mandatory data breach notifications: Authorities and users must be notified of any potential data breach within 72 hours Privacy by design: Privacy and data protection should be a key consideration through all stages of a a projects lifecycle
Failure to comply with GDPR regulation or violation may result in a substantial fine of 4% of annual turnover or 20 million Euros. Companies must also be able to demonstrate that they are properly adhering to regulation by putting procedures in place to protect their customers data. #### What does GDPR mean for mobile apps?
Compliance is by no means limited to traditional IT systems protected behind a firewall, mobile apps are also included in the regulation and it’s vital app developers and organisations understand what this means. The needs of application users have never been so strongly and comprehensively protected than now.
A recent study by SafeDK* found that more than half of all mobile applications may not meet the new EU privacy standards. The report found that over 5% of top apps had a least one SDK (software development kit) that can gain access to a mobile users location, over 40% of apps had at least one SDK that can access a list of installed apps on a users device and just under 60% of ad- network data SDK’s had access to users data.
App developers need to really scrutinise the tools they use to build apps to ensure that they don’t violate data protection rules. In addition to this, Google Play- the app store for Android- has already started to purge apps without privacy policies.
There are no step-by-step guidelines on what to implement when it comes to software development but we have compiled some best practices steps that will help guide you on your path to become GDPR compliant.
_Disclaimer: We are not GDPR experts and we expect you would seek advice from GDPR and data security professionals- however we do understand the key concepts and combine this with our app development knowledge to help guide you through some best practices when it comes to mobile and app security. _#### GDPR best practices
1. Access to personal information
When you store data for an app, make sure you do it securely. When it comes to creating secure mobile applications, it’s thankfully pretty straightforward. You should ensure you: - Send data to the cloud over secure channels (HTTPS)
- Use local encrypted storage on the device
- Practice good cloud security including no-root access, strong password management procedures and firewalls.
Make sure you have robust network security procedures in place to defend against malicious attacks and monitor any potentially suspicious activity.
It should be explicitly stated to all users that their personal data including phone numbers and addresses will be encrypted and hashed to avoid any potential data extraction and breaches. ##### 3. Patch vulnerabilities
Many data breaches are completed avoidable by ensuring your application is fully patched and not being used with known vulnerabilities that can be exposed easily. ##### 4. Get consent
Make sure you obtain consent before you collect any data. You also need to prove that you have followed through with the correct consent procedure and be able to prove consent if asked for it. Implementing an automated system that will allow you to easily track where and when you have received consent and also where people have explicitly asked for their data to be removed is so important. ##### 5. Be transparent
When asking for consent to use data, make it as clear as possible what people are consenting to and why. You should be able to explain I’m simple language what the data is being used for, how long you plan on holding the data, what the purpose is and what this means if you are using any third party suppliers.
It's no lie that GDPR is a massive change regarding data privacy in the EU and will undoubtedly have a significant impact on mobile application owners and developers. However, any mobile app development company worth their salt will design apps with privacy in mind regardless and should never ask for more information than is actually required for the app to physically function.
At xDesign we always strive to put privacy at the heart of the apps we develop and only ask for information if it is absolutely necessary. We work alongside our clients to ensure that every app we design and build will meet the new GDPR regulation standards. There's no getting away from the fact that there still seems to be a lot of confusion around GDPR and "grey areas" so we firmly believe that this will be an evolving process for most people. Follow these guidelines though and you should be well on your way to ensuring compliance and avoiding those hefty fines.