How To Develop A GDPR Compliant App

May 30, 2019

Starting from May 25, 2018, any online business that has customers or users from the European Union must adhere to the GDPR requirements. So if you are an established mobile app publisher or are only planning to launch an app of your own, spend some time figuring out how to ensure your users’ data security and which features to improve. Here are some highlights you should consider in order to make a GDPR compliant app:

  • Privacy by design
  • Log and justify data collection
  • Privacy policy page
  • Third-party services
  • Encryption
  • Explicit consent
  • Subject access request
  • Data retention and data erasure
  • Data breach notifications

When creating a mobile app, you should think about user privacy from the very start. Such an approach is known as privacy by design. By default, your app should store and process only the minimum amount of user data it actually needs. This way your app will comply with GDPR requirements and at the same time build trust with your users.

Create a secure log documenting all the personal data you collect, and keep it current as the app changes. If customers, users or a supervisory authority ever ask you about your GDPR practices, you will be able to provide them with these records. Making your app GDPR compliant also means that you can justify which data you collect and why.

Your app also has to include a Privacy policy page. Without it, you won’t be able to deploy your app to app stores. In this document, you should explain to your users how they can protect and manage their own data.

Most likely you won’t collect users’ data by yourself but will work with third-party services that provide analytics, advertising or push notifications. Your Privacy Policy should list all third-party providers that process your app’s data. In addition, conduct a thorough analysis of these companies to figure out whether they are GDPR compliant, and put a data processing agreement in place with each of them.

Use strong, current encryption algorithms to ensure a high level of data protection. For instance, use HTTPS (Hypertext Transfer Protocol Secure), which today runs on TLS (the successor to the deprecated SSL, Secure Sockets Layer), to establish an encrypted link between a server and your app. Apart from securing external communications, every byte of personal information your app collects must be encrypted at rest and stored in a safe place, with the encryption keys kept separately from the data they protect.

Make sure to provide an understandable opt-in when requesting users’ consent to collect and store their personal data. Asking for explicit consent during the app launch looks like a good idea. It is better not to confuse users with a long Terms and Conditions list from the start. Instead, simply explain to them exactly how their data will be used, and record when and to what each user consented. Likewise, give customers a chance to easily withdraw consent at a later stage.

At some point, your users will want to know what you are doing with their data. So make sure to respond promptly to all subject access requests you receive, and verify the identity of the requester before handing over any personal data.

As outlined in the GDPR, you are obliged to specify for how long you store users’ data. Define a specific retention period in your Privacy Policy, make it public, and actually delete the data once that period has passed.

Follow another GDPR requirement and provide your users with an option to delete their personal details from your database. Allow your users to exercise their right to be forgotten by creating a contact form or a dedicated page where they can request data erasure. The same applies to the data stored on the servers of third-party data processors: an erasure request has to be passed on to them as well.

You also have to be prepared for the risk of a data breach. According to the GDPR, businesses must notify the supervisory authority within 72 hours of becoming aware of a personal data breach. You should establish a clear procedure for how to react in such a situation, including who detects and confirms the breach, who is notified, and what is logged.

To sum it up, ensuring GDPR compliance for your app must become your first priority, since any kind of violation or data breach can lead your company to sky-high fines: either 4% of annual gross revenue or €20 million, whichever amount is greater.