The GDPR Countdown Has Begun. Is Your Business Ready?
The opinions, recommendations and statements in this guest post do not necessarily represent those of AppsFlyer.
This coming May, Europe’s data protection rules will be revamped to reflect modern risks and needs. The existing Data Protection Act (DPA) will be replaced by the European Union’s (EU) General Data Protection Regulation (GDPR).
As a result, businesses and public sector organizations may, among other things, be forced to transform the way they collect, process, access and treat customers’ personal data. Those who fail to comply with the new rules will face tough sanctions, but we’ll get to that soon.
The goal of the GDPR is to streamline and strengthen data protection for all individuals within the EU. The new regulations are meant to address the matter of personal data exportation outside of Europe as well, to ensure that personal data of European nationals and residents is secured. The hope is that the GDPR will birth a simpler and clearer regulatory environment for international business interactions.
Under the new regulation, businesses will have to document and provide evidence that they have taken the necessary measures to protect user data, including personal data of mobile app users (within the EU, regardless of the company’s location). This includes responsibility over third party service providers processing personal data.
Failure to comply will put organizations at risk of paying heavy fines: 20M euros or 4% of their annual profit. Moreover, mobile apps found to be noncompliant could find themselves banned from app stores, a disaster for any business.
In fact, Google has already started ‘cracking down on apps’ that collect private user data even before the GDPR comes into effect. Google’s “Safe Browsing Team” has added some critical user data collection restrictions. These newly added restrictions are now an integral part of the Google Play Developer Policy. App developers have less than 30 days to comply.
Be very wary of any vendor claiming full GDPR compliance or being GDPR certified. Though this may sound reassuring on a sales call, these claims are clearly false since there are no final GDPR guidelines yet and there is no GDPR certifying body.
So, what will the GDPR require of mobile businesses?
Here are some important changes that the GDPR will require of businesses in general and mobile apps specifically. Be sure to take these into consideration when preparing your mobile app compliance with the new regulations:
Explicit, Unambiguous and Informed Consent
Under the new regulation, businesses are required to request and receive consent to collect, use, store and move personal data. This request for consent must be easy for mobile app users to understand and clearly state the purposes for the collection and use of the personal data. Consent should be given in a straightforward and easily accessible manner. In the same vein, the user must be able to withdraw consent just as easily as it was granted.
The Right to Be Forgotten
The GDPR will provide individuals within the EU the right to data erasure. This means that should people wish to have all of their personal data deleted, and any further processing or publication of that data by third parties stopped, data controllers (the mobile app developers in our case) must adhere to their wishes. Under the GDPR, personal data must be collected, used and stored only for the minimal period of time necessary to fulfil the original purpose of the data collection. Accordingly, deletion of personal data is required once the data becomes irrelevant to the original processing purposes.
Privacy by Design
According to Article 23 of the GDPR, controllers must only hold and process user data that is absolutely critical for a project to be completed. In addition, data access should be limited to business employees charged with the task of data processing. Though this is not a new concept, the GDPR will prescribe that privacy be considered throughout the design cycle as a legal requirement.
Mandatory Data Breach Notifications
While we hope to avoid data breaches altogether, should your database be hacked, you will have to notify both users and authorities within 72 hours of discovering the leak. This is because data breaches can result “in a risk for the rights and freedoms of individuals,” the reason for the GDPR in a nutshell.
Data Protection Officers
The GDPR will also establish new internal record keeping requirements and formal corporate policies, including the mandatory appointment of data protection officers (DPOs, employees charged with managing data protection) by large enterprises to oversee the entire data storage process. DPOs must be experts in the fields of data protection laws and practices.
How can app developers prepare to comply with the GDPR?
Mobile app developers utilize unique or personal identifiers to help optimize their app’s effectiveness and marketing. The GDPR is extremely relevant to app development, marketing and operations. Users’ (actual) names, phone numbers and addresses and digital information such as usernames, locations and behavior are under the direct responsibility of app developers and publishers. They must ensure complete visibility and real-time control over app usage and activity – at all times.
To ensure that they are complying with the GDPR’s personal data security requirements, app owners should first engage in mapping — learning everything about how they obtain, store, transfer and use data. The knowledge they acquire may indicate a need for upgrades to servers and new firewall configurations. Changes within the data and access to it must also be followed — on both digital and physical levels. This requires scrupulous documentation of a complete history of changes. User passwords must be adequately hashed and any data travelling between the app and the server should be encrypted and secured.
How can this be properly implemented?
Here’s a list of 6 key measures to take in mobile app design, installs and usage that will ensure data processors create a complete and accurate history of change while guaranteeing confidentiality:
- Does the app really need all the data it accesses? Strive to use only what is absolutely necessary for the purposes of the service provided to your end users.
- Obtain informed and unambiguous user consent for the collection and use of personal data and for the specific purposes for which you are collecting this data.
- Encrypt user data and make sure your third party APIs or SDKs are encrypting data as well.
- Respond to users’ requests, including consent withdrawal.
- Report security incidents and notify affected users.
- Identify potential weak links within your technology.
Third-party tools (SDKs): A potential blind spot
Third-party code such as SDKs (Software Development Kits) can become a blind spot, even for the most GDPR-aware mobile app developers. Special care should be taken to prevent the app from communicating personal data to a third party in a way that can expose the app to data breaches.
“In our increasingly interconnected workplace, companies must consider not only their own system integrity but also the system integrity of any other party with access to their computer systems,” says Steve Durbin, managing director of the Information Security Forum. “…A company’s robust internal practices and policies may be futile if that company’s vendors are not secure.”
App publishers may be responsible for data collected or used by SDKs that access identifying user data. As the GDPR will take effect in May, mobile app developers and publishers (data controllers) must ensure that any partner (SDK) vendors (data processors) will not put their organization at risk. For example, you may want to list in the consent form any third parties or organizations who will use the mobile app’s data, as well as to maintain constant contact with these SDK providers to avoid GDPR violations and minimize exposure to risk.
Here are our best practices:
- Prefer established and popular third-party tools that follow the top industry standards.
- It is important to remember that final GDPR guidelines have not yet been issued. When speaking with providers, look for those who are already working to implement draft guidelines and are working with outside counsel to ensure full compliance with the final guidelines.
- Determine what data is stored and processed by all relevant processors, how well each processor protects personal data, and what measures they are taking to become GDPR compliant.
- Ensure you have a strong internal security policy and enforce it.
- Segregate and protect your own data. Modify data collection and storage practices if necessary.
- Map out the data processing lifecycle and ensure adequate security is employed at each stage along the way.
- Make sure that the SDKs you work with don’t gather and save data in their own databases, or if they do, they are prepared to comply with the GDPR when the final guidelines are issued.
- Make sure your SDKs are equipped to ensure the safety of your users’ data. Include strict confidentiality, data privacy and data residency clauses as needed in contractual agreements with your SDK providers.
- Consider hiring a DPO (depending on the scale of your business).
- Use automated tools (like ours, SafeDK) to stay in control and consistently monitor third-party providers’ impact on your app. Such tools can also provide real-time alerts and help you handle problematic areas.
European citizens, residents and governments are looking to develop and implement stricter privacy policies and rules. Particularly in light of recent data breaches, businesses and organizations now must exhibit greater accountability and compliance. The result: the GDPR is nothing less than a continent-wide personal data protection revolution.
While final GDPR guidelines are not yet available, and vendors therefore cannot yet speak to their compliance, now is the perfect time to start organizing your internal team and preparing for your GDPR audit.
To comply with the new regulations, better protect users and hopefully prevent data breaches, companies, including mobile apps, may have to modify their data processing and storage practices. This includes data handled by third-party services and SDKs. Automated monitoring and control tools can be extremely helpful in this situation.
This guest post was written by Ronnie Sternberg, co-founder and CBO at SafeDK. Please note that the references and recommendations in this blog are intended to assist you, but should not be viewed as professional advice or guidance. It is up to you to take any measures that you see fit, upon consulting with professional consultants of your choice.