It’s been almost a year since the rollout of the GDPR. If you need a refresher, the GDPR is the EU’s General Data Protection Regulation. It’s dramatically reshaped how companies and organizations handle user data.
Under the GDPR, personal data may only be processed on a lawful basis, and for most of what a mobile app collects that means asking users to opt in. Users also have a right to see any data held on them and to ask for it to be erased at any time. Companies have to be privacy minded whenever they collect, store or share data, and those who breach the rules face major penalties: Google was just fined €50m (about $57m) by France's CNIL.
The big deal about the GDPR is that it doesn't just apply to European companies. It protects people in the EU wherever the company is based: any business that offers goods or services to users in the EU, or monitors their behaviour, falls under it. So if your app is listed on the App Store or Google Play for users in the EU, that means you.
Don't get fined up to €20m or 4% of your global annual turnover (whichever is higher): make your mobile app GDPR compliant. Here's how.
1 Active consent
GDPR policies state that before you collect personal data from your mobile app users you need their informed consent. Just signing up for an account no longer counts. If you're going to collect data, you need explicit permission, and you need to explain what it's for. Note that a pre-checked "sign me up" checkbox doesn't fly any more: users have to actively check the box to give consent. One more thing: if you collect data for several different purposes, you need separate consent for each purpose, so a single bundled checkbox won't do.
2 Opt-out policies
Not only do mobile app users need to give consent for their data to be used, they also need to be able to withdraw it at any time, and withdrawing consent must be as easy as giving it was. It's a good idea to provide a dedicated page in your app where users can either unsubscribe from your lists or ask for their data to be removed altogether.
3 Visibility and transparency
4 User requests
If a mobile app user asks for access to their data, you're required to provide a copy of it. In general you have one month to respond; for complex or numerous requests that can be extended by two further months, but you must tell the user about the extension within the first month, so don't delay! Ensure that your business is set up to be GDPR compliant in the first place, and responding should be a breeze. Depending on the size of your app, you may want an internal process for handling these requests, including a way to confirm that the person asking really is the user concerned before you hand anything over.
5 Being forgotten
Under the GDPR, users can ask to have their data erased at any time. If someone asks you to do this, you need to remove all the personal data on them that you've collected through your app, backups included, unless you have a legal obligation to keep some of it (invoices kept for tax purposes, for example). The request also has to be passed on to any third-party vendors or analytics SDKs you share that data with, so know who those are before the first request arrives.
6 Breach notifications
Suffered a data breach? You can no longer sweep it under the rug. GDPR rules require you to notify your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If the breach is likely to put users at high risk, you must also tell the affected users without undue delay. Up-to-date security monitoring and logging is a must: you can't meet a 72-hour deadline for a breach you haven't detected.
7 Data storage
Is the data you collect securely stored? Under the GDPR it has to be: you must apply security measures appropriate to the risk, and the regulation names encryption and pseudonymisation as examples of such measures. Use TLS (HTTPS) for all external communications (SSL is obsolete and should be disabled), encrypt data at rest and whenever it is shared, and encrypt your backups too. Tell users how long their data will be kept. Apps that handle sensitive information like medical or financial data need extra protection on top of this.
8 Justify your data
Collecting data just because is a no-go under GDPR rules. You need to keep a record of everything the app collects and justify why you collect it. For each type of data, that record should note the purpose, the lawful basis, where and how it's stored, who it's shared with, and how long you plan to keep it. If you can't write down a purpose for a piece of data, stop collecting it.
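Sections 4, 5, 7 and 8 above come down to four things a backend has to be able to do: hand a user a copy of their data, erase it (backups included) on request, keep it encrypted, and refuse to store anything without a documented purpose and retention period. The following is an added example, written for this page and not code from the original post or from any product it describes, of one way to tie those together: each user gets their own data-encryption key, backups hold only ciphertext and never the key table, so erasing a user means destroying their key ("crypto-shredding") and every backup copy of their records becomes unreadable without touching the backups. The `PROCESSING_RECORD` inventory, the category names, the users `u1`/`u2` and their data are all constructed for the example, and the HMAC-SHA256 counter-mode cipher is a standard-library stand-in used only so the example runs anywhere; a production system should use a vetted AEAD such as AES-GCM from a maintained library, and keep the key table in a proper key store.

```python
import hashlib
import hmac
import json
import os

# Simplified record of processing (assumption, modelled on an Article 30 inventory):
# a category with no documented purpose and retention period cannot be stored at all.
PROCESSING_RECORD = {
    "account": {"purpose": "operate the user's account", "retain_seconds": 365 * 86400},
    "diagnostics": {"purpose": "crash analysis", "retain_seconds": 90 * 86400},
}

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream: a standard-library stand-in so the
    example runs anywhere. Production code should use a vetted AEAD such as AES-GCM."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the user's data key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: 16-byte nonce || ciphertext || 32-byte HMAC tag."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))

class UserDataStore:
    """One data-encryption key (DEK) per user; records and backups hold ciphertext only.
    The DEK table is never backed up, so destroying a user's DEK (crypto-shredding)
    makes every stored copy of their records unreadable without touching the backups."""

    def __init__(self):
        self._deks = {}      # user_id -> DEK; assumed to live in a key store, not in backups
        self._records = []   # {"user_id", "category", "stored_at", "blob"}

    def store(self, user_id: str, category: str, data: dict, now: float) -> None:
        if category not in PROCESSING_RECORD:
            raise ValueError(f"no documented purpose for category {category!r}")
        dek = self._deks.setdefault(user_id, os.urandom(32))
        self._records.append({"user_id": user_id, "category": category, "stored_at": now,
                              "blob": encrypt(dek, json.dumps(data).encode())})

    def export_user(self, user_id: str) -> list:
        """Subject access request: everything held on the user, decrypted."""
        dek = self._deks.get(user_id)
        return [] if dek is None else [
            {"category": r["category"], "data": json.loads(decrypt(dek, r["blob"]))}
            for r in self._records if r["user_id"] == user_id]

    def purge_expired(self, now: float) -> int:
        """Retention enforcement: drop records older than their category allows."""
        keep = [r for r in self._records
                if now - r["stored_at"] <= PROCESSING_RECORD[r["category"]]["retain_seconds"]]
        removed, self._records = len(self._records) - len(keep), keep
        return removed

    def erase_user(self, user_id: str) -> int:
        """Right to erasure: delete live records and destroy the DEK."""
        kept = [r for r in self._records if r["user_id"] != user_id]
        removed, self._records = len(self._records) - len(kept), kept
        self._deks.pop(user_id, None)
        return removed

    def backup(self) -> list:
        """Ciphertext-only snapshot; DEKs deliberately excluded."""
        return [dict(r) for r in self._records]

    def readable_in_backup(self, snapshot: list) -> int:
        """How many snapshot records the current key table can still decrypt."""
        readable = [r for r in snapshot if r["user_id"] in self._deks]
        for r in readable:
            decrypt(self._deks[r["user_id"]], r["blob"])  # raises if the key were wrong
        return len(readable)

def demo() -> dict:
    """Store -> access request -> retention purge -> erasure, on constructed sample data."""
    s = UserDataStore()
    s.store("u1", "account", {"email": "alice@example.com"}, now=0)
    s.store("u1", "diagnostics", {"crash": "NullPointerException"}, now=0)
    s.store("u2", "account", {"email": "bob@example.com"}, now=0)
    snapshot = s.backup()                       # taken before any deletion, like a real backup
    exported = s.export_user("u1")
    purged = s.purge_expired(now=100 * 86400)   # diagnostics past 90 days go; account data stays
    erased = s.erase_user("u1")
    return {"exported": exported, "purged": purged, "erased": erased,
            "remaining": len(s.backup()), "readable_backup": s.readable_in_backup(snapshot)}
```

Running `demo()` walks through the four obligations: `export_user` produces the copy a user is entitled to, `purge_expired` removes the diagnostics record once its 90 days are up while the account record stays, and after `erase_user` the backup snapshot taken earlier still contains three ciphertext records but only the remaining user's one can be decrypted, because the erased user's key no longer exists. The same key-per-user design is what lets you answer "but it's in last month's backup" without restoring and rewriting every backup.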
Making your mobile app GDPR compliant is a must
Failing to make your mobile app GDPR compliant could at best result in removal from the App Store and Google Play, and at worst result in significant fines. If you've been slow to get on the GDPR bandwagon, now's the time to rethink. GDPR regulations affect most mobile apps, so ensure that yours is compliant.
Need some help building a GDPR-compliant mobile app? Get in touch!