12 Essential Steps for GDPR Compliant Mobile App
The new GDPR regulation, enacted in May 2018, completely changes the way companies use and manage the personal data of their users. For organizations that operate in Europe or gather personal data of EU citizens residing in any part of the world, this means reviewing the technical implications that these updated laws have on their web applications or online operations.
One of the principal directives of the EU law is that it gives individuals the power to control their personal data. As a result, organizations or entities that gather personal data online from users need to inform them exactly what will happen to that data, from the time when it is submitted.
The following are the four most important aspects of the law:
- “Easier access to your own data: individuals will have more information on how their data is processed, and this information should be available in a clear and understandable way.”
- “A right to data portability: it will be easier to transfer your personal data between service providers.”
- “A clarified ‘right to be forgotten’: when you no longer want your data to be processed and provided that there are no legitimate grounds for retaining it, the data will be deleted.”
- “The right to know when your data has been hacked: For example, companies and organizations must notify the national supervisory authority of serious data breaches as soon as possible so that users can take appropriate measures.”
How do you implement an application that’s compliant with the EU directive that provides complete control of personal data to users? Here are 12 guidelines:
1. Analyze whether all the personal data requested by the app is actually needed
Ideally, a privacy-conscious implementation stores as little of the users’ personal details as possible, such as birth date, name and country of residence. While this is not possible for all apps, as some need more information, in all cases developers and management should clearly define and collect only the data that is essential for the functioning of the app.
2. All personal data should be encrypted, and users informed about it
If an application needs to save personal information, this data should be protected with strong, well-vetted cryptography: encryption for values the app must read back, and one-way hashing for values it only ever needs to verify, such as passwords. The importance of this has been evident since the Ashley Madison data breach, in which all the breached data was in clear text, causing huge consequences for its users. Users should be explicitly informed that all their personal data, including phone numbers, country of residence, and address, will be encrypted or hashed as appropriate, to prevent any form of data extraction and potential exposure in case of a data breach.
3. Use protocols such as OAuth for data portability
Single sign-on protocols such as OAuth allow users to create accounts by simply providing details of another account. Additionally, they mean the app needs to store no personal data other than the authentication identifier issued by the other service.
4. Use HTTPS to enforce secure communications
Many entities do not use HTTPS for their websites because they do not consider it necessary. For example, if the application does not require any form of authentication, then HTTPS might not seem essential. However, this can result in certain things being overlooked. For instance, some applications use ‘contact’ forms to collect personal information. Unless this information is sent over an encrypted connection, it travels across the Internet in clear text. Furthermore, steps should be taken to make sure that the SSL/TLS certificate has been properly deployed, to prevent exposure to known vulnerabilities in the SSL protocols.
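An added Go example, not part of the article, of the server-side settings that back this step: a TLS 1.2 floor so legacy protocol versions are refused, a permanent redirect from plain HTTP to the HTTPS origin so a contact form is never accepted in clear text, and an HSTS header. The canonical host name and the certificate file names are placeholders.

```go
package main

import (
	"crypto/tls"
	"net/http"
)

// TLSConfig sets TLS 1.2 as the floor, so the server refuses SSL 3.0,
// TLS 1.0 and TLS 1.1 connections regardless of what the client offers.
func TLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// RedirectToHTTPS returns a handler that answers every plain-HTTP request with a
// permanent redirect to the same path on the canonical https:// host. The Host
// header is deliberately not trusted for building the target.
func RedirectToHTTPS(canonicalHost string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "https://"+canonicalHost+r.URL.RequestURI(), http.StatusMovedPermanently)
	})
}

// WithHSTS adds Strict-Transport-Security so browsers keep using HTTPS for a
// year even when a user types a plain http:// address.
func WithHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

func main() {
	go http.ListenAndServe(":80", RedirectToHTTPS("app.example.com")) // placeholder host
	srv := &http.Server{Addr: ":443", Handler: WithHSTS(http.DefaultServeMux), TLSConfig: TLSConfig()}
	// cert.pem and key.pem are placeholders for the deployed certificate chain and private key
	srv.ListenAndServeTLS("cert.pem", "key.pem")
}
```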
5. Inform users about personal data from ‘contact us’ forms and encrypt the data
Most applications collect information not only through authentication or subscription but also through contact forms. Much of this information, such as email address, phone number, and country of residence, is personal. Therefore, users must be informed about the way this data will be stored and of the duration for which it will be retained. The use of strong encryption is highly recommended for storing this information.
6. Make sure sessions and cookies expire and are destroyed after logout
Users must be made aware of the use of cookies by the application. Besides this, users should have the option of accepting or denying cookies, and cookies must be properly destroyed following a period of inactivity or after logout.
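An added Go example, not part of the article, of a server-side session store that enforces the inactivity limit and, at logout, destroys the session and instructs the client to drop the cookie. The cookie name, the idle limit and the single-goroutine simplification are assumptions made for the demonstration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"net/http"
	"time"
)

type session struct {
	userID   string
	lastSeen time.Time
}
// Store keeps sessions server-side: the cookie carries only a random ID, never
// personal data. Single-goroutine demo; a real server guards the map with a mutex.
type Store struct {
	idle  time.Duration // inactivity limit
	items map[string]*session
}
func NewStore(idle time.Duration) *Store {
	return &Store{idle: idle, items: map[string]*session{}}
}

// Create issues a 256-bit random session ID at login.
func (s *Store) Create(userID string) string {
	b := make([]byte, 32)
	rand.Read(b)
	id := hex.EncodeToString(b)
	s.items[id] = &session{userID: userID, lastSeen: time.Now()}
	return id
}

// Lookup refreshes the idle timer; a session idle past the limit is deleted on sight.
func (s *Store) Lookup(id string) (string, bool) {
	sess, ok := s.items[id]
	if !ok {
		return "", false
	}
	if time.Since(sess.lastSeen) > s.idle {
		delete(s.items, id)
		return "", false
	}
	sess.lastSeen = time.Now()
	return sess.userID, true
}

// Logout destroys the server-side session and tells the client to drop the cookie;
// clearing the cookie alone would leave the session usable by anyone holding the ID.
func (s *Store) Logout(w http.ResponseWriter, id string) {
	delete(s.items, id)
	http.SetCookie(w, &http.Cookie{Name: "sid", Value: "", Path: "/", MaxAge: -1, Secure: true, HttpOnly: true})
}
```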
7. Get users’ consent to track activity for business intelligence
Many web-based e-commerce applications track users’ searches or product purchases to determine their tastes and preferences. Often, companies such as Amazon and Netflix use this sort of information to provide recommendations. Whenever user behaviour is being monitored and stored for business intelligence, the users should be given the option to accept or reject tracking. If users decide to accept such tracking, then they need to be informed about how the data is saved in the system and for how long. Additionally, any personal information should be encrypted.
8. Inform users about logs that save location or IP addresses
Many applications use IP addresses or locations as parameters that help with authentication and authorization. This information is then logged to prevent attempts at bypassing authentication controls. Users should be told about this process, as well as how long the logs will be kept in the system. Sensitive information such as passwords must never be written to these logs.
9. Encrypt logs and store in a safe place
Keep logs that contain user information in a secure location and tell users what happens to these logs: how they are stored and how long they are retained. The logs should preferably be encrypted.
10. Prevent security questions from relying on users’ personal data
It’s not uncommon for applications to use security questions as a method to confirm user identity. These questions should not ask for personal information such as a mother’s maiden name or a favourite colour. It’s advisable to replace such questions with two-factor authentication. Where that isn’t possible, users should be allowed to create their own questions, but they should be warned against framing questions whose answers contain personal data. Any information related to the questions should be encrypted.
11. Provide clear terms and conditions and ensure visibility so that users read them
Under the new EU privacy laws, terms and conditions need to be placed on the landing page of any web application. Additionally, they need to be extremely visible to the users when they navigate the application. A mechanism should be put in place to ensure that users agree to the terms and conditions before they gain access to the app, and again whenever the terms are changed. The terms and conditions should also be written in language that is easy for anyone to understand.
One of the most important aspects of the EU law is the right of users to be informed of data breaches when they occur. Organizations must implement clear policies that define roles and steps to follow to inform users promptly about any breach.
12. Keep users informed about any data sharing with third parties and delete data on service deactivation
Organizations or entities that share personal data with third parties, including external plugins, affiliates, or government organizations, should state this in the terms and conditions. Users should be given clarity about what happens with personal data after the cancellation of the service or deletion of an account. Since users have the right to be forgotten, companies should respect that and take steps to delete all their account information and related data when the user cancels the service. Users should be aware that they can request that all their data be deleted once they leave the service. Companies that treat deleted accounts as merely inactive could run into trouble with the authorities.