The General Data Protection Regulation (GDPR) is a European Union law that governs personal data and privacy. GDPR is important and has had a broad impact around the world, inspiring new legislation such as the CCPA, with more expected in the years to come.
Developers and app owners whose web or mobile apps collect and use personal data from EU citizens must follow the GDPR. It does not matter whether your app is run outside the EU: the GDPR still applies, and the penalties for noncompliance can be substantial.
The main goal of the GDPR is to give people in the EU more control over their personal information. Individuals gain control over their personal data, and companies can handle consumer data better by following GDPR guidelines.
If you are a web or mobile app developer or app owner, this article sheds some light on how to implement GDPR-compliant privacy policies and procedures for collecting, storing and processing personal data.
GDPR also introduces two roles, data controller and data processor, which may be confusing to some development teams.
Controllers are individuals, governmental bodies and organizations that determine how and why personal data is collected and used. A person's personal information is handled by controllers, so if your app gathers personal data from your users, you are considered a data controller in GDPR terms.
The data processor role is very different: a processor processes personal data on behalf of a controller. Processors do not decide how personal data is handled; they follow the requirements set by the controller. Processors are nevertheless required to be GDPR compliant, even though they only follow controller instructions, because they handle personal data.
GDPR makes mandatory some concepts that were previously considered good practice in web and mobile app development, such as Privacy by Design. It also puts emphasis on the existence of different types of personal data and gives guidelines on how to approach their collection, storage and processing.
GDPR also introduces rights that natural persons have regarding their personal data, previously not considered standard practice, briefly described below:
Explicit consent from web or mobile app users before collecting their personal information
Explicit consent is the most important part of compliance: the user needs to be told which types of data the app collects. Examples of explicit consent are a cookie notice for websites and a privacy policy for apps, where all types of data collected are listed so that the potential user is informed. GDPR requires that all checkboxes (if any), such as "I agree with the Privacy Policy", remain unchecked by default, ensuring that the user deliberately checks them during registration or a similar event.
Data protection by design and by default
Make sure to become familiar with Privacy by Design concepts and incorporate them into your GDPR compliance plan, starting at the app design stage. You may learn more about the topic here.
User access to data
As an app developer, you need to implement mechanisms for users to access the data collected about them. If you collect only their name, surname and email, that is fairly easy, since you can give them a link to their profile. However, if you are building an app that tracks user actions or behavior, you need to provide an activity log or other mechanisms through which users can get insight into the collected data.
Those mechanisms do not have to be elaborate; if you are a small team, you can even extract the data from your database manually. What matters is that the collected data is available (in some manner) to the user and that you have mechanisms in place ensuring the user gets access within 30 days, the deadline recommended by GDPR.
Whichever way you approach user access to data, keep app scalability and business requirements in mind during app design, to avoid either unnecessary development or tons of manual legwork.
Right to data portability
This right is closely related to the previous one, and GDPR even suggests formats and ways of ensuring data portability. The GDPR's emphasis is on machine-readable rather than human-readable formats, such as CSV and JSON. This approach ensures that the gathered data handed over to the user can potentially be used with a different service provider. The data handed to the user under the previous section, however, should be human-readable and of use to the actual user.
Right to be forgotten
For most applications, this right means putting in place mechanisms that ensure personal data about the user can be erased without harm to the structure of other data or to the entire application. Privacy by Design mechanisms and guidelines were also introduced to prevent loss of database structural integrity.
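As an added example (not code from the original article or from the Mars engine templates it mentions), the following Python sketch covers both rights above on a constructed SQLite schema: a JSON export for portability, and an erasure that removes personal data while keeping every foreign-key reference valid. The table and column names, the sample user and the "keep orders for accounting" rule are assumptions.

```python
import json
import sqlite3

# Constructed sample schema: profile, behavioural data and records that must survive
# erasure (orders kept for accounting); every child table references users(id).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, surname TEXT,
                    email TEXT UNIQUE, erased INTEGER NOT NULL DEFAULT 0);
CREATE TABLE activity_log (id INTEGER PRIMARY KEY, action TEXT, at TEXT,
                    user_id INTEGER NOT NULL REFERENCES users(id));
CREATE TABLE orders (id INTEGER PRIMARY KEY, total_cents INTEGER,
                    user_id INTEGER NOT NULL REFERENCES users(id));
"""

def build_sample_db():
    """In-memory database holding one constructed (fictional) user."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("PRAGMA foreign_keys = ON")  # make SQLite enforce the references
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO users VALUES (1, 'Ada', 'Lovelace', 'ada@example.com', 0)")
    conn.executemany("INSERT INTO activity_log (action, at, user_id) VALUES (?, ?, ?)",
                     [("login", "2024-01-01T10:00:00Z", 1), ("view_item", "2024-01-01T10:05:00Z", 1)])
    conn.execute("INSERT INTO orders (total_cents, user_id) VALUES (4999, 1)")
    return conn

def export_user_data(conn, user_id):
    """Access / portability: everything held about the user, as plain dicts."""
    user = conn.execute("SELECT name, surname, email FROM users WHERE id = ?", (user_id,)).fetchone()
    if user is None:
        raise KeyError(f"no user {user_id}")
    rows = lambda sql: [dict(r) for r in conn.execute(sql, (user_id,))]
    return {"profile": dict(user),
            "activity": rows("SELECT action, at FROM activity_log WHERE user_id = ? ORDER BY id"),
            "orders": rows("SELECT id, total_cents FROM orders WHERE user_id = ? ORDER BY id")}

def export_user_json(conn, user_id):
    """Machine-readable form (JSON) the user can take to another provider."""
    return json.dumps(export_user_data(conn, user_id), indent=2)

def erase_user(conn, user_id):
    """Right to be forgotten without breaking referential integrity: behavioural data is
    deleted; the users row stays but loses identifying fields, so orders still reference
    a valid id. Returns True when foreign keys still hold after the erasure."""
    with conn:  # one transaction: the erasure happens completely or not at all
        conn.execute("DELETE FROM activity_log WHERE user_id = ?", (user_id,))
        conn.execute("UPDATE users SET name = NULL, surname = NULL, erased = 1, "
                     "email = 'erased-' || id || '@invalid' WHERE id = ?", (user_id,))
    return conn.execute("PRAGMA foreign_key_check").fetchall() == []
```

The same split applies to a production schema: delete what exists only to profile the user, pseudonymise what other records depend on, and run the whole thing in one transaction so a half-finished erasure cannot leave dangling references.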
Strict implementation of the rules
Hefty fines were put in place for not following GDPR, along with cross-border jurisdiction, so while your MVP is not expected to be subjected to a lawsuit, it is always advisable to implement GDPR design rules and guidelines as much as possible, as early as possible.
Right to know when one's data has been breached
While security by default is also part of the Privacy by Design guidelines, we may expect some data breaches to happen over an application's life cycle. If this happens, you, as data controller, are obliged to inform your users about the breach and about which data is compromised, as soon as possible but no later than 60 days. Failing to do so brings high fines and other measures.
This ensures transparency, but also encourages tech companies and dev teams to practice encryption at rest for personal data and to design their applications differently.
While some find GDPR and similar laws such as the CCPA very restrictive, there is one single purpose behind them: to ensure that only the data needed for running the application is collected from the user, and that the data collected is handled responsibly, with a specific purpose in mind.
Remember camera apps that wanted to access your phone book? Or calculator apps doing the same? If you don't, you're in luck, because they have been withdrawn from the market thanks to GDPR and other similar laws, ensuring a more private and safer online environment for us all.
So, to ensure that the app you're developing is GDPR compliant, you need to follow some Privacy by Design principles, such as:
To make your life easier, especially during early development, Mars engine provides some built-in GDPR-friendly templates, such as the GDPR Template, which can easily be integrated with, for example, a login/register editable backend template that also contains databases with a structure adapted to GDPR requirements and user rights.
To learn more about how to design your apps according to the Privacy by Design guidelines, follow this link.