What App Developers Should Know About GDPR Compliance
Privacy is not an option: for app developers, Europe’s GDPR addresses privacy issues through stringent regulations.
There is a price for everything, and the loss of privacy is the price for downloading and using apps on smartphones. As security technologist and cryptographer Bruce Schneier aptly observes, walking around with a smartphone is like carrying a tracking device 24/7.
The smartphone revolution also brought on app development, with contemporary life revolving around mobile applications. This is especially true for Millennials and Gen Zers, whose desire for information at the press of a button remains unchanged over the years.
Despite this widespread use of smartphones, a recent Eurobarometer survey found that 67% of Europeans worried about not being in control of the personal information they provide online, and over 90% of them want the same data protection rights across the EU, regardless of where their data is processed.
These concerns led to agreement on a data protection standard named the General Data Protection Regulation (GDPR), which was approved by the EU Parliament on April 14, 2016. The GDPR came into force on May 25, 2018, and became part of the law on data protection and privacy in the EU and the European Economic Area.
Because these regulations impose new obligations on anyone collecting, storing, or processing the personal data of people living in Europe, developers building apps for the European market need to understand both their obligation to comply with GDPR and the impact of GDPR on app development.
That said, understanding the detailed requirements of GDPR is complicated: the regulation runs to almost 90 pages. It also applies differently to different apps, depending on their function or the service they provide. App developers therefore need to understand how GDPR generally applies to mobile apps before building products for post-GDPR Europe.
Notably, the GDPR does not dictate what an app can and cannot do; it regulates how an app developer may process personal data through an app.
Obtain Informed Consent, Provide Opt-In and Opt-Out
The critical moment of customer engagement is at the start, when a customer agrees to opt in to data sharing as outlined in the terms and conditions. GDPR requires an app developer to obtain active, informed consent from app users. When requesting specific information, developers need to tell users the purpose for which the data is collected and offer individual choices, including the option to opt out.
Know and Protect Your User
As an app developer:
- ensure you know what kind of data you hold for each customer.
- ensure secure storage of information with proper protection.
- ensure information is ready to be accessed at the right moment.
Ensure a Legal Basis to Process Personal Data
GDPR requires a valid reason for an app developer to collect, store, or use someone’s personal data.
Article 6 of GDPR sets out six lawful bases for processing personal data:
1. Consent: Advertising and an app’s interactions with customer devices specifically require customer consent.
2. Contract: The data processing takes place under the terms of a contract with the customer.
3. Legal Obligation: The data processing is required by a legal obligation, such as one imposed by information security, employment, or consumer transaction law.
4. Vital Interest: Typically arises in emergency medical situations, where data processing is needed to save a life.
5. Public Interest: Data processed by a government entity, or by an organization acting on behalf of a government entity.
6. Legitimate Interests: Customers expect an organization to process personal data for activities such as marketing and fraud prevention. App developers need to confirm that collecting and processing the personal data is necessary for the app to function.
Adhere to The 6 Privacy Principles of GDPR When Processing Personal Data
2. Purpose Limitation: Under GDPR Article 18, app users can restrict the processing of their data by asserting that:
- the processing is unlawful, or
- the data is no longer necessary for the originally stated purpose.
App developers must immediately stop processing and comply with the customer's request.
3. Data Minimization: When developing your app, don't collect personal data you don't need.
5. Storage Limitation: Personal data should remain in your database no longer than necessary for the purpose for which it was collected.
6. Integrity and Confidentiality: Personal data should be kept secure and protected against unauthorized or unlawful processing, accidental loss, destruction, or damage.
Be aware of a seventh principle, accountability, which is sometimes included in the list of principles.
Be Mindful of Data Requests and Permissions Needed
One easy way to avoid large GDPR fines is to always get permission from customers before using their personal data.
Transparency and informing the public about how their data are being used are two basic goals of the GDPR.
The Right to be Forgotten
The GDPR gives mobile app users the right to erasure of their data once it is no longer needed for the originally stated purpose, commonly expressed as the "right to be forgotten." Customers can ask to have their data changed or deleted in an unrecoverable way.
Despite its stringent rules on data collection and processing, GDPR is not a threat to app developers or businesses. Rather, it is an opportunity to understand and use data more effectively while protecting customer privacy.
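As an added example (not from the original article), here is a small Python model of how an app's data layer could enforce the rules discussed above: per-purpose opt-in/opt-out consent, the Article 18 restriction request, per-purpose retention limits (storage limitation), and erasure (the right to be forgotten). It assumes consent is the only lawful basis in play, uses day numbers instead of real timestamps, and the retention periods and purposes are invented for the example.

```python
from dataclasses import dataclass, field

class ProcessingDenied(Exception):
    """Raised when the app tries to use personal data without a valid basis."""

@dataclass
class Record:
    data: dict                  # personal data held for one user
    collected_on: int           # day number (days since an arbitrary epoch, for brevity)
    consents: dict = field(default_factory=dict)  # purpose -> opted in (True) / out (False)
    restricted: bool = False    # user invoked restriction of processing (Art. 18)

class PersonalDataStore:
    # Hypothetical retention periods per purpose, in days (storage limitation).
    RETENTION = {"service": 365, "marketing": 90}

    def __init__(self):
        self._records = {}
    def collect(self, user_id, data, consents, today):  # consents given at collection
        self._records[user_id] = Record(dict(data), today, dict(consents))
    def set_consent(self, user_id, purpose, granted):   # opt-in / opt-out per purpose
        self._records[user_id].consents[purpose] = granted
    def restrict(self, user_id):                        # Art. 18 restriction request
        self._records[user_id].restricted = True
    def check(self, user_id, purpose, today):
        """Return '' if processing is permitted, otherwise the reason it is denied."""
        rec = self._records.get(user_id)
        if rec is None:
            return "no data held for this user"
        if rec.restricted:
            return "processing restricted at the user's request (Art. 18)"
        if not rec.consents.get(purpose, False):
            return f"no consent for purpose '{purpose}'"
        if today - rec.collected_on > self.RETENTION[purpose]:
            return f"retention period for '{purpose}' exceeded"
        return ""
    def process(self, user_id, purpose, today):
        """Gate every use of personal data through check(); return a copy on success."""
        reason = self.check(user_id, purpose, today)
        if reason:
            raise ProcessingDenied(reason)
        return dict(self._records[user_id].data)
    def purge_expired(self, today):
        """Storage limitation: drop records that no consented purpose still justifies."""
        self._records = {u: r for u, r in self._records.items()
                         if any(ok and today - r.collected_on <= self.RETENTION[p]
                                for p, ok in r.consents.items())}
    def erase(self, user_id):
        """Right to be forgotten: remove the user's data entirely."""
        self._records.pop(user_id, None)
```

A real app would back this with a database and audit log, but the shape is the same: every read of personal data passes through one gate that knows the purpose, the consent state, and the retention clock.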