In May 2018 the European Union's General Data Protection Regulation (GDPR), a data protection and privacy law whose influence reaches well beyond Europe, became enforceable. It replaced the Data Protection Directive of 1995. The GDPR applies to web and mobile applications that collect personal data of people in the EU. Even if your business is not established in Europe, if you collect personal data from people in the EU, the GDPR still applies (Article 3).
The GDPR was introduced to protect the personal data of people in the EU and to give them control over how businesses use it. It also pushes businesses to manage the data they hold more carefully.
Every business that processes the personal data of people in the European Union is required to comply with the GDPR. Failure to comply can result in severe penalties.
So, if you are planning to build a website or app for customers in Europe, this article will help you understand how to implement GDPR-compliant privacy policies and procedures.
What you will learn from this article:
- What led to the introduction of the GDPR in the European Union?
- How does GDPR differ from the previous Data Protection Directive of 1995?
- What are the key responsibilities of a 'Controller' under GDPR?
- How does GDPR empower EU citizens regarding their personal sensitive data?
- What are the specific requirements for a business to be considered GDPR-compliant in terms of user consent for data collection?
- How does GDPR address the issue of data breaches and what are the required actions from businesses in such cases?
- What impact does GDPR have on the design and operation of mobile and web applications targeting European users?
What is GDPR?
The General Data Protection Regulation was adopted on April 27, 2016, and became enforceable on May 25, 2018. The GDPR brought a significant change regarding data privacy.
The GDPR has 99 articles. It carries over the core principles of the 1995 Directive and adds many new requirements:
- Where consent is the legal basis, businesses must obtain clear, affirmative consent from users before collecting their data (explicit consent is required for special categories of data).
- Data protection by design and by default (Article 25)
- All users should have access to their data.
- Every user has the right to data portability.
- Every user has the right to be forgotten.
- Stricter enforcement, backed by large fines
- Businesses must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it and, where the breach is likely to result in a high risk to individuals, inform the affected users (Articles 33 and 34).
Every mobile app owner needs an app-specific approach to securing data moving to and from mobile devices, and should build controls into the app that let users control their data.
Who are the Subjects of GDPR?
The GDPR protects people in the EU, as well as in Norway, Iceland and Liechtenstein (the wider EEA), regardless of their citizenship. It also applies to every business that processes the personal data of those people, wherever the business is located.
To fully understand GDPR, you need to understand the definitions used in the regulation. These terms are:
- Data Controller
- Data Processor
- Data Subject
- Data Protection Officer
Let’s explain each one of them in detail:
Data Controller
The entity that decides why and how personal data is processed is the 'Controller' (Article 4(7)). Generally, it is the web or app owner.
Data Processor
An entity or person that processes data on behalf of a controller, following the controller's instructions, is a 'Processor' (Article 4(8)). Typical examples are third-party services such as hosting, analytics or payment providers, including the likes of Google, Amazon, iTunes or PayPal when they act on your instructions; collaborating or outsourced development companies that handle your users' data may also be processors. Whether a given service is your processor or an independent controller depends on who decides the purposes of the processing, and the relationship must be set out in a written contract (Article 28).
Data Subject
A natural person whose personal data is processed by a controller or processor is the 'Data Subject' (Article 4(1)). In practice, this is the web or mobile app user.
Data Protection Officer
A person appointed by a controller or processor who advises them on GDPR compliance, monitors it, and acts as the contact point for users and supervisory authorities. Appointing a Data Protection Officer is mandatory only in specific cases (Article 37): for public authorities, and for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of data.
What if a business fails to comply with the GDPR? What penalties will it face?
What are the GDPR Penalties?
A controller or processor that fails to meet its GDPR obligations is subject to administrative fines. There are two tiers:
- Up to 10,000,000 EUR or up to 2% of the total worldwide annual turnover of the preceding financial year (whichever is higher) for infringements of the obligations of the controller, processor, certification body or monitoring body.
- Up to 20,000,000 EUR or up to 4% of the total worldwide annual turnover (whichever is higher) for infringements of the basic principles of processing: for example, processing personal data without a valid legal basis such as consent, infringing data subjects' rights, or transferring personal data to a recipient in a third country without a valid transfer mechanism.
You can find more details about these fines in Article 83 of the GDPR.
What Rights are given to the End-User by GDPR?
Following is a summary of the rights given to the end-users by GDPR:
The Rights to be Informed
Under Articles 12 to 14 of the GDPR, a user has the right to know what data the app owner collects, for what purposes, on what legal basis, for how long, and with whom it is shared. The information must be concise, easily accessible, written in clear and plain language, and provided free of charge.
If an app collects and processes personal data of children, the app owner must present the information about the use of the collected data in language a child can easily understand (Recital 58).
Most app owners include clauses in their Privacy Policy explaining their efforts to protect children; Facebook's Data Policy, for example, has a clause on minors' safety.
Remember, a mobile app Privacy Policy should be written so that it is easy to understand and actually informs users about privacy practices and their rights.
The Right to Access
Under Article 15 of the GDPR, a user has the right to access their data upon request. Every business that collects information from data subjects under the GDPR must honour such a request and give the user a copy of the personal data it holds about them, together with the purposes, the recipients and the retention period. A business has one month to fulfil the request. Where requests are complex or numerous, the deadline can be extended by two further months, but the user must be told of the extension, and the reasons for it, within the first month (Article 12(3)).
The guide 'How to Handle Privacy Access Requests Under the GDPR' gives practical steps for handling such requests.
The GDPR allows a business to charge a reasonable fee, or to refuse the request, where it is "manifestly unfounded or excessive" (Article 12(5)). Otherwise the information must be provided free of charge: the regulation aims to give users control over their personal data at no cost.
To comply with these requirements, many apps include a clause in their Privacy Policy that explains how users can get a copy of their data or access it themselves. Age UK's Privacy Policy is a good example of this, and Facebook's does the same.
The Right of Rectification
Under Article 16 of the GDPR, a user has the right to have inaccurate personal data corrected and incomplete data completed.
Most mobile apps let users change their information directly. Chewy, a popular online pet supply store, for example, lets users edit personal information such as payment methods from within its mobile app.
The Right to Erasure
Article 17 of the GDPR gives users the right to erasure, also known as the "right to be forgotten". A user can ask the app owner to erase their personal data when it is no longer needed for the purpose for which it was collected, when they withdraw the consent the processing was based on, when they object to the processing, or when the data has been processed unlawfully.
Users can withdraw their consent at any time, and withdrawing consent must be as easy as giving it (Article 7(3)). The simplest way to support this is to make sure your mobile app lets users delete their accounts entirely. Erasure also has to reach copies held by your processors (Article 28) and any other controllers you have passed the data to (Article 17(2)).
An app owner may keep data only for as long as it is needed for the purpose it was originally collected for (storage limitation, Article 5(1)(e)). Set and document retention periods, or you may run into legal issues.
The Right to Restrict Processing
The GDPR gives users the right to restrict the processing of their data. When a user requests restriction, the app owner may continue to store the data but must stop processing it in any other way without undue delay.
Under Article 18 of the GDPR, users have the right to restrict processing in these situations:
- The user contests the accuracy of the data, for as long as it takes to verify it
- The processing is unlawful, but the user prefers restriction to erasure
- The business no longer needs the data, but the user needs it to establish, exercise or defend legal claims
- The user has objected to the processing, pending verification of whether the business's legitimate grounds override the user's
Sainsbury's, for example, includes a clause in its Privacy Policy on the right to restrict processing of customer data.
The Right to Data Portability
Article 20 of the GDPR gives users the right to data portability. It means that a user can receive the personal data they provided to the app in a structured, commonly used and machine-readable format (JSON or CSV, for example) and reuse it elsewhere, and can ask the app owner to transmit it directly to another controller where that is technically feasible. The right applies to data processed by automated means on the basis of consent or a contract.
The reasons for moving data from the app to another service vary: from wanting to interact through your app with a social platform or forum to sharing data with creditors, job sites, medical providers and so forth.
LinkedIn's Privacy Policy, for example, includes a data portability clause.
The Right to Object
Under Article 21 of the GDPR, a user has the right to object to processing of their data that is based on legitimate interests or a public task, and an absolute right to object to processing for direct marketing, including profiling for marketing purposes. A web or app owner must bring this right to the user's attention explicitly, at the latest at the time of the first communication, as well as in the privacy policy.
One of the best ways to tell users about the right to object in the first communication is an email sign-up form like Zettasphere's: users are told that their email address is collected, that "all emails include an unsubscribe link" and that they "may opt-out at any time", and the Privacy Policy is linked.
Rights in Relation to Automated Decision Making and Profiling
Article 22 of the GDPR gives users the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects for them, unless the decision is necessary for a contract, authorised by law, or based on the user's explicit consent. This ties in with the GDPR's rules on consent: consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action (Article 4(11), Article 7, Recitals 32 and 42). Previously, it was often assumed that a user's decision to keep using the application counted as consent to collect and use their data. That is no longer the case: silence, pre-ticked boxes or inactivity do not constitute consent.
An app owner should therefore give users a disclosure of what the app will collect and why, with an unticked checkbox or a button that users actively click to confirm their consent, and should keep a record of when and how consent was given, since the controller must be able to demonstrate it (Article 7(1)).
The Slice app is one example: it actively asks for consent at sign-up.
How to make your application compliant with GDPR regulations?
An app owner can make their app compliant with the GDPR by following these guidelines and building the corresponding options into the app.
Guideline # 1: Don’t store unnecessary data
An app owner should define clearly what information is collected and for what purpose. Collecting data that is not needed for a stated purpose breaches the data minimisation principle (Article 5(1)(c)): a food ordering app asking for marital status, or a gaming app asking for a home address, for example.
An app owner should also define how long data is stored. Once the purpose is fulfilled, the app owner should delete the user's data from their systems.
Guideline # 2: Data Encryption
Encryption is named four times in the GDPR text (Articles 6(4)(e), 32(1)(a) and 34(3)(a), and Recital 83) as an appropriate safeguard for personal data. The regulation also rewards it: if breached data was encrypted so that the attacker cannot read it, you do not have to notify the affected individuals (Article 34(3)(a)).
The rapid growth in breaches and data theft makes strong encryption essential for all app owners.
Take the Ashley Madison breach of July 2015: attackers stole more than 25 GB of personal data from the adultery dating website.
The stolen data included names, email addresses and postal addresses of the users. Because the stolen records were readable as stored, the attackers could identify individual users. The leak set off a wave of blackmail, ruined lives and broke up marriages.
The site's owners paid over $11 million to settle the ensuing lawsuits.
Encryption at rest only helps if the keys are kept separately from the data: an attacker who copies the database together with the key that unlocks it gains as much as if the data had never been encrypted.
What if, for legitimate reasons such as cost or a drop in performance, you cannot make encryption part of your data protection measures?
Article 32 asks for measures that are appropriate to the risk, taking the state of the art and the cost of implementation into account. So document the risk assessment that justifies your decision, and use alternative safeguards such as pseudonymisation: replacing direct identifiers with tokens that can only be mapped back to a person using information held separately (Article 4(5)). Pseudonymised data is still personal data, because the link can be restored, so it does not take you outside the GDPR; it does limit what a thief can do with a stolen copy.
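The following is an added example, not code from the original article or from Selleo, showing what pseudonymisation as described above looks like in practice: direct identifiers in a record are replaced by keyed HMAC-SHA256 tokens, and the key plus the token-to-identity table are the "additional information" that must live in a separate store. The field names, the sample order record and the `Pseudonymiser` class are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Fields that identify a person directly (assumed for this example). Everything
# else in a record is kept as-is; it is the link to a real identity that
# pseudonymisation removes.
DIRECT_IDENTIFIERS = {"email", "name", "phone"}


@dataclass
class Pseudonymiser:
    """Keyed pseudonymisation (GDPR Article 4(5)).

    Each direct identifier is replaced by HMAC-SHA256(key, value). The key and
    the token-to-identity table are the 'additional information' that must be
    kept separately from the pseudonymised data set: a different database,
    different access controls, and ideally a key held in a KMS or HSM.

    A plain SHA-256 of an e-mail address or phone number is NOT enough: the
    input space is small, so an attacker can hash candidate values until one
    matches. The secret key is what stops that.
    """
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: dict = field(default_factory=dict)  # token -> original; store separately

    def pseudonym(self, value: str) -> str:
        # Normalise so 'Alice@Example.com' and 'alice@example.com' share one token;
        # records about one person stay linkable, which is exactly why the result
        # is still personal data and not anonymous data.
        normalised = value.strip().lower().encode("utf-8")
        token = hmac.new(self.key, normalised, hashlib.sha256).hexdigest()
        self.lookup.setdefault(token, value.strip())
        return token

    def reidentify(self, token: str) -> str:
        """Only code with access to the separately stored table can do this."""
        return self.lookup[token]


def pseudonymise_record(record: dict, p: Pseudonymiser) -> dict:
    """Return a copy of the record with direct identifiers replaced by tokens."""
    return {k: (p.pseudonym(v) if k in DIRECT_IDENTIFIERS else v)
            for k, v in record.items()}


if __name__ == "__main__":
    # Constructed sample order record, not real data.
    order = {"email": "Alice@Example.com", "name": "Alice",
             "city": "Berlin", "item": "pizza"}
    p = Pseudonymiser()
    safe = pseudonymise_record(order, p)
    print(safe)                          # hex tokens instead of identifiers
    print(p.reidentify(safe["email"]))   # 'Alice@Example.com'
```

The analytics or reporting copy of the data gets only the output of `pseudonymise_record`; the `Pseudonymiser` instance (key and lookup table) stays with the system of record. Rotating the key produces a fresh set of tokens, which is the lever for unlinking historical data once it is no longer needed.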
Guideline # 3: Use HTTPS
Serving your site and API over HTTPS is now effectively mandatory. With HTTPS, all data submitted through a 'Contact Us' or billing page is protected in transit. If a web or app owner collects data over plain HTTP, the information travels as plain text, and anyone on the path (a shared Wi-Fi network, an ISP, a compromised router) can read or alter it.
HTTPS encrypts all data sent between a client and a server using the TLS cryptographic protocol (SSL is its deprecated predecessor and should be disabled). When a user connects to your application over HTTPS, the server presents its certificate, which contains the server's public key; the client checks that a trusted certificate authority issued that certificate for your domain, and only then do the two sides negotiate the session keys that encrypt the connection. For mobile apps, make sure the HTTP client verifies certificates and never falls back to HTTP, and consider HSTS so that browsers refuse to load your site over HTTP.
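As an added example (not code from the article or from Selleo), here is how the transport-side settings above translate into Python's standard `ssl` module: a hardened server context, a client context that verifies certificates, the weak client setting shown beside it so it can be recognised and removed, a guard that refuses to send personal data to a non-HTTPS URL, and the HSTS header. The certificate and key file names are hypothetical parameters; nothing is loaded unless they are given.

```python
import ssl
from typing import Optional
from urllib.parse import urlsplit

# Floor for the protocol version. SSL 2/3, TLS 1.0 and TLS 1.1 are deprecated;
# TLS 1.3 is preferred and is negotiated automatically when both sides support it.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def server_context(certfile: Optional[str] = None,
                   keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Hardened server-side context.

    certfile/keyfile are paths to the certificate chain and private key
    (hypothetical names); they are loaded only when supplied so the context
    can be inspected without the files present.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_TLS
    # Disable TLS-level compression (CRIME) and use the server's cipher order.
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def client_context() -> ssl.SSLContext:
    """Context for the app's own HTTP client.

    create_default_context() already turns on hostname checking and
    certificate verification against the system trust store; we only add the
    version floor.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = MIN_TLS
    return ctx


def unverified_client_context() -> ssl.SSLContext:
    """The weak setting, shown so it can be spotted in code review and removed.

    With verification off the client accepts any certificate, including one
    presented by an attacker in the middle, so HTTPS gives no protection.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE   # do not do this in production
    return ctx


def verifies_certificates(ctx: ssl.SSLContext) -> bool:
    """True only if the context will reject an untrusted or mismatched certificate."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def require_https(url: str) -> str:
    """Guard to call before every request that carries personal data."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"refusing to send personal data over a non-HTTPS URL: {url}")
    return url


def security_headers() -> dict:
    """Response headers for the web front end.

    HSTS tells browsers to use HTTPS only for the next max-age seconds (one
    year here, subdomains included), so a later http:// link cannot downgrade
    them. Send it only once every subdomain really is served over HTTPS.
    """
    return {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
```

Wire `client_context()` into whatever HTTP library the app uses (for `urllib`, via `HTTPSHandler(context=...)`), and run `require_https()` on configured endpoint URLs at start-up so a mistyped `http://` base URL fails loudly instead of leaking data.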
Guideline # 4: Use 2 Factor Authentication
Two-factor authentication (2FA) is one of the most effective ways to protect user accounts, and therefore the personal data behind them, from takeover. It means the user proves their identity with two different kinds of factor: something they know (a password), something they have (a phone running an authenticator app, a hardware security key, or a SIM that receives SMS codes), or something they are (a fingerprint or face). When a user enables 2FA, logging in requires both factors, typically the password plus a one-time code from an authenticator app, a code sent by SMS or email, or a tap on a hardware key. An attacker who has stolen the password alone cannot get in. Prefer app-generated codes or hardware keys over SMS, which can be intercepted through SIM-swap fraud, and rate-limit code attempts so the six-digit space cannot be brute-forced.
Guideline # 5: Implement Biometrics
Biometric login is common among app owners, especially in finance. Integrating device biometrics (Touch ID, Face ID, Android BiometricPrompt) can strengthen the protection of the user and of the data the app collects. Two caveats: on modern phones the biometric template stays in the device's secure hardware and the app only receives a yes/no result, which is what you want; if instead you collect and store biometric data yourself to identify people, it is a special category of data under Article 9 and requires explicit consent and much stronger safeguards.
Guideline # 6: Don’t Track Users’ Activity
If you do not respect your users' privacy yourself, how can you claim to protect it from third parties? Many apps track users' activity on the web and in the app and sell the data to advertisers. If you monitor user activity for marketing purposes, you must tell users exactly what you track and why, have a valid legal basis (for advertising profiles and third-party trackers that usually means consent), and honour their objection to direct marketing (Article 21(2)). Failing to do so exposes you to GDPR penalties. Collect the minimum you need and, wherever possible, do not track users at all.
Guideline # 7: Don’t use Security Questions
Don't ask users security questions about personal information (grandfather's name, birth city, first school, and so on). Attackers can often find these answers on social media profiles. The best option is to drop security questions altogether: reset passwords through a verified email address or the user's second factor, or let users sign in through an identity provider (OpenID Connect on top of OAuth 2.0) so that you do not manage the password at all.
Guideline # 8: Don't set Cookies without Consent
Under the GDPR, visiting a website for the first time does not mean the visitor has consented to the processing of their personal data. Even if you display "If you use this website, you accept cookies", that consent is neither "freely given" nor unambiguous (Recitals 32 and 42): merely continuing to browse is not an affirmative action.
Consent must be granular. If you want to track visitor behaviour and use the data for advertising, you must obtain permission for each purpose separately; only strictly necessary cookies (session, security, load balancing) need no consent. Visitors must be able to withdraw consent as easily as they gave it, and you cannot block access to your website for users who withhold it (a "cookie wall"), because consent given under that pressure is not free.
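As an added example (not code from the article or from Selleo), the following shows the server-side half of granular cookie consent: a consent record with one decision per purpose, a parser that treats a missing, malformed or outdated record as "no consent" rather than "consent", a filter that lets a response set only the cookies the record permits (strictly necessary ones always), and the headers that delete non-essential cookies when the user withdraws. The cookie name `consent`, the policy version, and the cookie-to-category mapping are assumptions made for the example.

```python
import base64
import json
import time
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Optional

CONSENT_COOKIE = "consent"   # hypothetical cookie name
POLICY_VERSION = 3           # bump whenever the cookie policy changes: old consent is re-asked

# Strictly necessary cookies need no consent; everything else is gated by the
# category the user actually ticked. Mapping is assumed for this example.
COOKIE_CATEGORIES = {
    "session": "necessary", "csrf": "necessary",
    "_ga": "analytics", "_gid": "analytics",
    "_fbp": "advertising",
}
OPTIONAL_CATEGORIES = ("analytics", "advertising")


@dataclass
class Consent:
    categories: dict   # category -> bool, one decision per purpose
    given_at: float    # when it was given: part of demonstrating consent (Art. 7(1))
    version: int

    def allows(self, category: str) -> bool:
        return category == "necessary" or bool(self.categories.get(category, False))


def _encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def _decode(value: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)))


def parse_consent(cookie_header: Optional[str]) -> Optional[Consent]:
    """Read the consent record from the request's Cookie header.

    None means 'no usable record': a first visit, a malformed value, or a record
    given under an older policy version. None is never turned into consent.
    """
    if not cookie_header:
        return None
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
        raw = _decode(jar[CONSENT_COOKIE].value)
        consent = Consent(
            categories={c: bool(raw["categories"].get(c, False)) for c in OPTIONAL_CATEGORIES},
            given_at=float(raw["given_at"]),
            version=int(raw["version"]),
        )
    except (KeyError, ValueError, TypeError, AttributeError):
        return None
    return consent if consent.version == POLICY_VERSION else None


def record_consent(choices: dict, now: Optional[float] = None) -> str:
    """Set-Cookie value to send after the user submits the consent banner.

    Unticked categories are stored as False explicitly; a category the banner
    did not ask about is never treated as granted.
    """
    jar = SimpleCookie()
    jar[CONSENT_COOKIE] = _encode({
        "categories": {c: bool(choices.get(c, False)) for c in OPTIONAL_CATEGORIES},
        "given_at": time.time() if now is None else now,
        "version": POLICY_VERSION,
    })
    jar[CONSENT_COOKIE]["max-age"] = 180 * 24 * 3600
    jar[CONSENT_COOKIE]["path"] = "/"
    jar[CONSENT_COOKIE]["samesite"] = "Lax"
    jar[CONSENT_COOKIE]["secure"] = True
    return jar[CONSENT_COOKIE].OutputString()


def allowed_cookies(consent: Optional[Consent], wanted: list) -> list:
    """Filter the cookies a response wants to set down to those consent permits."""
    def permitted(name: str) -> bool:
        category = COOKIE_CATEGORIES.get(name, "advertising")  # unknown: treat as optional
        return category == "necessary" or (consent is not None and consent.allows(category))
    return [name for name in wanted if permitted(name)]


def withdraw_consent(present: list) -> list:
    """Set-Cookie values that expire every non-essential cookie the browser
    holds, plus the consent record itself, when the user withdraws consent."""
    out = []
    for name in list(present) + [CONSENT_COOKIE]:
        if COOKIE_CATEGORIES.get(name) == "necessary":
            continue
        jar = SimpleCookie()
        jar[name] = ""
        jar[name]["max-age"] = 0
        jar[name]["path"] = "/"
        out.append(jar[name].OutputString())
    return out
```

Client-side tag managers should be driven by the same record (load the analytics or advertising scripts only when the matching category is allowed), otherwise the server filter is bypassed by cookies set from JavaScript.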
Guideline # 9: Terms and Conditions
The Terms and Conditions (T&C) of your website and app should be written in clear and plain language that users can easily understand. Users should be shown those terms and accept them before using your application. Keep consent to personal data processing separate from acceptance of the terms: a consent request bundled into the terms is not valid consent (Article 7(2)).
Guideline # 10: Delete Users’ Data
An app owner should delete a user's data in the following circumstances:
- The user has exercised their right to be forgotten and asked the app owner to delete their data
- The user has closed their account or left the service and does not wish to come back
- The retention period stated in the privacy policy has expired
Once the purpose for which the data was collected is fulfilled, the app owner must delete the user's data from their servers, and must make sure that any processors holding copies delete them too.
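As an added example (not code from the article or from Selleo), the following covers Guideline # 1 and Guideline # 10 together, since both come down to binding personal data to a documented purpose: fields that a purpose does not need are rejected at collection time, each purpose has a retention period that a scheduled purge enforces, an erasure request removes everything held about a user while leaving only a non-identifying audit note, and an export returns what the user provided in a machine-readable form for access or portability requests. The purposes, fields and retention periods are hypothetical values for a food ordering app.

```python
import time
from dataclasses import dataclass, field
from typing import Optional

DAY = 86400

# Per purpose: which fields may be collected at all (data minimisation,
# Art. 5(1)(c)) and how long they may be kept (storage limitation, Art. 5(1)(e)).
# Hypothetical values; whatever you choose belongs in the privacy policy.
PURPOSES = {
    "order_fulfilment": {"fields": {"name", "email", "delivery_address"}, "retention": 30 * DAY},
    "marketing":        {"fields": {"email"},                              "retention": 365 * DAY},
}


@dataclass
class Record:
    user_id: str
    purpose: str
    data: dict
    created_at: float


@dataclass
class PersonalDataStore:
    records: list = field(default_factory=list)
    erasure_log: list = field(default_factory=list)  # audit trail, holds no personal data

    def collect(self, user_id: str, purpose: str, data: dict,
                now: Optional[float] = None) -> Record:
        """Store data for one documented purpose; refuse anything the purpose does not need."""
        spec = PURPOSES.get(purpose)
        if spec is None:
            raise ValueError(f"no documented purpose: {purpose}")
        extra = set(data) - spec["fields"]
        if extra:
            raise ValueError(f"fields not needed for {purpose}: {sorted(extra)}")
        rec = Record(user_id, purpose, dict(data), time.time() if now is None else now)
        self.records.append(rec)
        return rec

    def export_user(self, user_id: str) -> dict:
        """Right of access / portability: everything held about the user, grouped by purpose."""
        out: dict = {}
        for r in self.records:
            if r.user_id == user_id:
                out.setdefault(r.purpose, []).append(dict(r.data))
        return out

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Scheduled job: delete records whose retention period has passed."""
        now = time.time() if now is None else now
        keep = [r for r in self.records
                if now - r.created_at < PURPOSES[r.purpose]["retention"]]
        removed = len(self.records) - len(keep)
        self.records = keep
        return removed

    def erase_user(self, user_id: str, reason: str,
                   now: Optional[float] = None) -> int:
        """Right to erasure or account deletion: drop every record for the user.

        The log entry proves the deletion happened without keeping the identity
        it concerned. If you must tie it to a request, store the ticket number,
        not the personal data.
        """
        before = len(self.records)
        self.records = [r for r in self.records if r.user_id != user_id]
        removed = before - len(self.records)
        self.erasure_log.append({"at": time.time() if now is None else now,
                                 "reason": reason, "records": removed})
        return removed


if __name__ == "__main__":
    # Constructed sample data, not real users.
    store = PersonalDataStore()
    t0 = 1_700_000_000
    store.collect("u1", "order_fulfilment",
                  {"name": "Alice", "email": "a@example.com", "delivery_address": "1 Main St"}, now=t0)
    store.collect("u1", "marketing", {"email": "a@example.com"}, now=t0)
    print(store.export_user("u1"))
    print(store.purge_expired(now=t0 + 31 * DAY))              # 1: the order record expired
    print(store.erase_user("u1", "right to erasure", now=t0 + 31 * DAY))  # 1
```

Run `purge_expired` from a scheduler, and call `erase_user` from the account-deletion flow; in a real deployment both must also be propagated to processors and to backups according to a documented schedule.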
Conclusion
Rapidly increasing security breaches, and large corporations collecting excessive data about users, have become a significant concern for ordinary users and for governments. The GDPR was enacted in the EU to address these problems. Whether you do business inside the EU or outside it, if your customers are in the European Union your application has to follow the GDPR.
While the GDPR helps prevent security breaches and gives users more power over their own data, making software GDPR-compliant can be challenging for businesses. In the long term, though, these practices pay off: companies attract more users and earn their loyalty by maintaining honest and secure relationships with their customers.
Selleo can help you create a GDPR-compliant mobile app. If you feel that your mobile app isn't yet ready to meet GDPR requirements, contact us and we will guide you at every step.