Best Practices for GDPR Mobile App Development
Come May 25th, 2018, the European Online Data Privacy law, which was passed in January, will come into force. For organizations that handle or process personal data of European citizens, this means implementing measures to meet the requirements laid down by GDPR, as failure to do so can attract huge fines in the range of €1 million or 2% of global turnover, or €2 million or 4% of global turnover, depending on the sensitivity of the data.
What is GDPR?
The General Data Protection Regulation (GDPR) is designed to protect the way in which data of any European citizen is collected, processed and stored. Additionally, it places importance on the ability of the user to control personal data, including provisions to port, opt-out or remove their data whenever they want.
For mobile app developers, this means ensuring that their apps include not only systems that allow opt-in, collection and storage of the user's personal data but also the infrastructure needed to let the user opt out or be forgotten, as part of the compliance required by the Act.
Points to consider for making an app GDPR compliant
1. Consent Under GDPR
It's vital to obtain user consent before storing cookies, saving data in the cloud or through third-party apps, or tracking user behavior or activities. As per the guidelines of GDPR, consent must be freely given, specific and unambiguous. This means that the user should actively agree to his data being collected. Additionally, the consent request should clearly define the specific data being collected, stored or processed. The terms and conditions, as well as the privacy policy, must be worded in simple language that any user can comprehend.
Separate consents need to be obtained for each type of processing. For example, at the time of opt-in the user accepts the terms and conditions and privacy policy, but this cannot be taken as blanket consent for opting in to other services offered by the app.
2. Purpose of collection of Data Under GDPR
The process of collecting data should be made transparent so that the user is aware of the purpose for which the data is being collected. This should be built into the app so that the user is informed of the reason that specific data such as a phone number or email address is being collected (for example, to update them on the latest offers).
3. GDPR & User Control of Subscriptions
After the user opts in for receiving alerts on offers, deals or other information, he should have the right to manage his subscription options and preferred mode of communication. The app should have all the options set to ‘off’ by default, giving the user the choice of opting for communication by email or phone as well as the type of information that he wants to receive.
4. Duration of Data Access Under GDPR
As per GDPR, the user should be allowed to restrict the time during which his data can be tracked or accessed. The app should include a provision for obtaining consent for the use of data as well as the period for which it can be used. For instance, when a user is in a new location, the app should get his consent before sending him localized offers and deals. Additionally, once the authorized period of tracking expires, the data should be archived or deleted.
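Points 1 to 4 above all describe the same underlying record: a per-user, per-purpose consent ledger in which every purpose is off by default, consent to the terms does not imply consent to anything else, each purpose carries the plain-language reason for collection, and a time-limited consent stops applying once its period ends. The following is an added example of such a ledger written for this article; it is not TechAhead's code. The purpose names, their descriptions and the 7-day location window are constructed for illustration, and the code only models the decision logic, not the storage or the UI.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Hypothetical purpose registry (constructed for this example): every purpose
# the app collects data for carries the plain-language text shown to the user,
# so consent is specific and the reason for collection is transparent.
PURPOSES = {
    "terms": "Accept the terms and conditions and privacy policy",
    "offers_email": "Receive offers and deals by email",
    "offers_sms": "Receive offers and deals by SMS",
    "location_offers": "Use your current location to show nearby deals",
}


@dataclass
class Consent:
    purpose: str
    granted_at: datetime
    expires_at: Optional[datetime]  # None means valid until withdrawn


class ConsentLedger:
    """Per-user, per-purpose opt-in record. Every purpose is off by default."""

    def __init__(self) -> None:
        self._consents: Dict[Tuple[str, str], Consent] = {}

    def describe(self, purpose: str) -> str:
        """Text to show before asking for consent to this purpose."""
        return PURPOSES[purpose]

    def grant(self, user_id: str, purpose: str, now: datetime,
              duration_days: Optional[int] = None) -> Consent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        expires = now + timedelta(days=duration_days) if duration_days else None
        consent = Consent(purpose, now, expires)
        self._consents[(user_id, purpose)] = consent
        return consent

    def withdraw(self, user_id: str, purpose: str) -> None:
        self._consents.pop((user_id, purpose), None)

    def is_allowed(self, user_id: str, purpose: str, now: datetime) -> bool:
        consent = self._consents.get((user_id, purpose))
        if consent is None:
            return False  # no record: off by default, no blanket consent from other purposes
        if consent.expires_at is not None and now >= consent.expires_at:
            return False  # the authorised period has ended
        return True

    def purge_expired(self, now: datetime) -> List[Tuple[str, str]]:
        """Drop consents whose period ended; the caller archives or deletes that data."""
        expired = [key for key, c in self._consents.items()
                   if c.expires_at is not None and now >= c.expires_at]
        for key in expired:
            del self._consents[key]
        return expired


def demo() -> dict:
    """Walk through the four rules with a constructed user and constructed dates."""
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.grant("alice", "terms", now)  # accepts T&C at sign-up
    ledger.grant("alice", "location_offers", now, duration_days=7)  # localized offers, 7 days
    out = {
        "terms_ok": ledger.is_allowed("alice", "terms", now),
        "email_without_consent": ledger.is_allowed("alice", "offers_email", now),
        "location_day_6": ledger.is_allowed("alice", "location_offers", now + timedelta(days=6)),
        "location_day_7": ledger.is_allowed("alice", "location_offers", now + timedelta(days=7)),
    }
    out["purged"] = ledger.purge_expired(now + timedelta(days=7))
    out["active_after_purge"] = len(ledger._consents)
    return out


if __name__ == "__main__":
    print(demo())
```

The important property is in `is_allowed`: the absence of a record is a refusal, so a newly created account sends no email, no SMS and no localized offers until the user turns each one on, and the list returned by `purge_expired` is the work queue for the archive-or-delete step once a period expires.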
5. Allow Users Access to View, Edit or Delete Data Under GDPR Mobile Apps
A user should be able to access or download his data at any time, so he can view the personal information collected by the app. Additionally, the app should allow the user to modify details or delete the data collected within a specific date range. This can include his browsing history, location data or any other information.
6. Deleting the User Account in GDPR
While the user should be allowed to delete his account whenever he chooses, he must be informed of the consequences of his actions. Additionally, as a safeguard, the app should mandatorily ask for a password confirmation before deleting the account.
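Points 5 and 6 above, as an added example written for this article rather than TechAhead's own code: a backend store that can export everything held about a user, let the user correct a detail, erase one category of data within a date range, and delete the whole account only after the password is re-entered. The store, the record categories and the sample dates are constructed for illustration; password verification uses a salted PBKDF2 hash so that the stored value cannot be turned back into the password.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List

PBKDF2_ROUNDS = 100_000  # assumption: pick the largest count your login latency budget allows
SALT_BYTES = 16


def hash_password(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this value is stored, never the password itself."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


@dataclass
class Record:
    collected_at: datetime
    category: str  # constructed categories used below: "location", "browsing"
    value: str


@dataclass
class Account:
    email: str
    password_hash: bytes
    records: List[Record] = field(default_factory=list)


class PersonalDataStore:
    """Hypothetical backend store implementing access, rectification and erasure."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def create(self, user_id: str, email: str, password: str) -> None:
        self._accounts[user_id] = Account(email, hash_password(password))

    def exists(self, user_id: str) -> bool:
        return user_id in self._accounts

    def record(self, user_id: str, when: datetime, category: str, value: str) -> None:
        self._accounts[user_id].records.append(Record(when, category, value))

    def export(self, user_id: str) -> dict:
        """Right of access: everything held about the user, in a portable form."""
        acct = self._accounts[user_id]
        return {
            "user_id": user_id,
            "email": acct.email,
            "records": [
                {"collected_at": r.collected_at.isoformat(), "category": r.category, "value": r.value}
                for r in sorted(acct.records, key=lambda r: r.collected_at)
            ],
        }

    def rectify_email(self, user_id: str, new_email: str) -> None:
        """Right to rectification: the user corrects his own details."""
        self._accounts[user_id].email = new_email

    def delete_range(self, user_id: str, category: str, start: datetime, end: datetime) -> int:
        """Erase one category of data collected in [start, end]; returns the number removed."""
        acct = self._accounts[user_id]
        keep = [r for r in acct.records
                if not (r.category == category and start <= r.collected_at <= end)]
        removed = len(acct.records) - len(keep)
        acct.records = keep
        return removed

    def delete_account(self, user_id: str, password: str) -> bool:
        """Account deletion is irreversible, so it needs a fresh password confirmation."""
        acct = self._accounts.get(user_id)
        if acct is None or not verify_password(password, acct.password_hash):
            return False  # wrong password: nothing is deleted
        del self._accounts[user_id]
        return True


def demo() -> dict:
    """Constructed walk-through of the access / edit / delete flow."""
    def day(d: int) -> datetime:
        return datetime(2018, 5, d, tzinfo=timezone.utc)

    store = PersonalDataStore()
    store.create("alice", "alice@example.com", "correct horse battery staple")
    store.record("alice", day(1), "location", "51.50,-0.12")
    store.record("alice", day(3), "browsing", "/deals/shoes")
    store.record("alice", day(10), "location", "48.85,2.35")
    out = {"exported": len(store.export("alice")["records"])}
    out["removed"] = store.delete_range("alice", "location", day(1), day(5))
    out["left"] = [r["category"] for r in store.export("alice")["records"]]
    out["wrong_pw"] = store.delete_account("alice", "guess")
    out["still_there"] = store.exists("alice")
    out["right_pw"] = store.delete_account("alice", "correct horse battery staple")
    out["gone"] = not store.exists("alice")
    return out


if __name__ == "__main__":
    print(demo())
```

The date-range erasure is deliberately scoped to one category at a time, which matches the way a user would phrase the request ("delete my location history for May"), and `delete_account` refuses to touch anything when the confirmation fails, so a mistyped password or a stolen session cannot wipe the account.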
7. Keeping User Data secure Under GDPR Compliance
Protection of data is one of the most crucial aspects of GDPR compliance, as failure to protect it can attract penalties. The following measures can be implemented to secure users' personal data.
- Secure protocols such as HTTPS should be used to transfer data over the network.
- Single sign-on protocols such as OAuth can be used to let users create an account by linking another account. This way, no data other than the authentication ID is stored by the app.
- Sensitive information such as passwords should be hashed and saved to encrypted databases whose access is restricted to approved IP addresses.
- Session cookies should be destroyed after a period of inactivity or after logout.
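The last measure, cookie expiry after inactivity or logout, is enforced on the server rather than by trusting the cookie's own expiry date, since the client can keep sending a cookie for as long as it likes. The following is an added example of a server-side session store written for this article, not TechAhead's code: the cookie carries only an opaque random token, the server records when the session was created and last used, and a request with a token that has been idle too long, has outlived its absolute lifetime, or was logged out is treated as unauthenticated and the session is deleted. The timeout values and the sample timeline are assumptions chosen for illustration.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Assumed policy values (not from the article): tune to the app's risk profile.
IDLE_TIMEOUT = timedelta(minutes=15)
ABSOLUTE_LIFETIME = timedelta(hours=12)


@dataclass
class Session:
    user_id: str
    created_at: datetime
    last_seen: datetime


class SessionStore:
    """Server-side session records keyed by the opaque token sent in the cookie."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user_id: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)  # unguessable; carries nothing about the user
        self._sessions[token] = Session(user_id, now, now)
        return token

    def resolve(self, token: str, now: datetime) -> Optional[str]:
        """Return the user for a live session, or None after destroying a stale one."""
        session = self._sessions.get(token)
        if session is None:
            return None  # unknown, logged-out or already-expired token
        idle_too_long = now - session.last_seen > IDLE_TIMEOUT
        too_old = now - session.created_at > ABSOLUTE_LIFETIME
        if idle_too_long or too_old:
            del self._sessions[token]  # the cookie is dead from this point on
            return None
        session.last_seen = now  # activity extends the idle window, never the lifetime
        return session.user_id

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)  # explicit logout destroys the session server-side

    def active_count(self) -> int:
        return len(self._sessions)


def demo() -> dict:
    """Constructed timeline: activity keeps a session alive, silence or logout ends it."""
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    store = SessionStore()
    tok = store.login("alice", t0)
    out = {"after_5min": store.resolve(tok, t0 + timedelta(minutes=5))}
    out["after_14_more"] = store.resolve(tok, t0 + timedelta(minutes=19))   # 14 min idle: ok
    out["after_30_idle"] = store.resolve(tok, t0 + timedelta(minutes=49))   # 30 min idle: gone
    out["dead_token_reuse"] = store.resolve(tok, t0 + timedelta(minutes=50))
    tok2 = store.login("alice", t0 + timedelta(hours=1))
    store.logout(tok2)
    out["after_logout"] = store.resolve(tok2, t0 + timedelta(hours=1, minutes=1))
    out["active"] = store.active_count()
    return out


if __name__ == "__main__":
    print(demo())
```

When the token is actually set as a cookie it should also be marked `Secure` and `HttpOnly`, so it travels only over HTTPS and is not readable by scripts in a web view; the server-side store is what makes logout and inactivity expiry authoritative regardless of what the client does with the cookie.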
At TechAhead, we are geared to help companies build apps that comply with the new regulation, keeping personal data secure while providing a superior experience to the user. During the design process, we evaluate and collect only the essential data required to provide the insights and analytics that help companies understand their audience, without going against the regulations of GDPR.