With the implementation of the EU’s General Data Protection Regulation (GDPR) last month, many clients are wondering how GDPR impacts app development stateside. While there is, of course, no simple answer, this post will review some key implications of GDPR at a high level so you know where you might need to dig deeper.
What is GDPR?
GDPR is designed to protect the individual rights of citizens in the European Union, providing a high level of transparency on how entities collect, store, and utilize personal information. It also puts control and ownership of that data back into the hands of the person. There are four key individual rights that GDPR ensures:
Right to easy access of personal data. Organizations must provide individuals with easy-to-access information on what data they have, and how that data is collected and processed.
Right to data portability. Organizations must provide a simple and straightforward way to request an export of all personal data.
Right to be informed of a data breach. Organizations are required to notify individuals of a hack as soon as possible.
Right to be forgotten. Organizations must completely erase a user’s personal data upon request, provided there are no legitimate legal reasons for retaining it.
Who does GDPR impact?
Data protection standards have long been in place, but previously the scope of the regulations was defined mostly by the location of the service provider. The new rules are defined by the location of the user, regardless of where the service provider sits. So, if you expect your app to be used by people residing in the European Union, GDPR compliance will be required.
Obviously, those hardest hit will be those whose business models rely on collecting and leveraging large amounts of consumer data. However, even an enterprise-oriented app that will be used by EU employees must comply with the regulations set forth by GDPR.
How will GDPR impact app development?
There are a few different places where GDPR could have a significant impact in your mobile app development:
Permissions: “Privacy by design” is a key tenet of GDPR, so it’s critical to understand what constitutes personal data. Personal data is any collection of information that could reasonably be used to identify an individual. Beyond clear data points such as name, SSN, email, and address, it begins to boil down to context. If you collect a person’s occupation, that alone likely wouldn’t qualify, since many people share the same occupation. However, once you start combining that data with, say, company and IP address, it may become much clearer who someone is. So what’s the safest bet? Collect as little personal information as possible in your application.
That said, some amount of personal data will likely be collected by almost every mobile app that is created. As a result, one of the most obvious ways GDPR will affect app development is in the onboarding process. You will need to be clear within the app interface about how each piece of data requested will be used – and get permission for each usage situation. Even data that has not historically required consent (e.g. IP addresses) must also be considered.
For example, if you collect a user’s email address for app login, but have intentions of using that email for other purposes, you need to provide specific disclosure and an opt-in consent mechanism for each unique instance. In other words, one long user license can no longer be leveraged to cover the occasional marketing email, location-driven notifications, and re-marketing. You also must ensure there is an easy mechanism for revoking consent for any of those options.
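The per-purpose opt-in and revocation described above can be made concrete as a small consent ledger that the rest of the app must consult before reusing a piece of data. This is an added example, not code from the original post: the purposes, the ConsentLedger class, the may_process gate and the queue_marketing_email function are all assumptions chosen to illustrate the point, and the ledger keeps an append-only history so that the user can later be shown exactly what they agreed to and when.

```python
"""Per-purpose consent ledger (added illustration; every name here is an assumption)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional


class Purpose(Enum):
    # Constructed purposes: each one needs its own disclosure and its own opt-in.
    LOGIN = "login"                              # why the email was collected in the first place
    MARKETING_EMAIL = "marketing_email"
    LOCATION_NOTIFICATIONS = "location_notifications"
    REMARKETING = "remarketing"


@dataclass
class ConsentEvent:
    purpose: Purpose
    granted: bool                                # True = opt-in, False = revocation
    at: datetime
    disclosure_version: str                      # which wording the user actually saw ("" on revoke)


@dataclass
class ConsentLedger:
    """Append-only record of opt-ins and revocations, per user and per purpose."""
    events: Dict[str, List[ConsentEvent]] = field(default_factory=dict)

    def grant(self, user_id: str, purpose: Purpose, disclosure_version: str,
              at: Optional[datetime] = None) -> None:
        self._append(user_id, ConsentEvent(purpose, True, at or datetime.now(timezone.utc),
                                           disclosure_version))

    def revoke(self, user_id: str, purpose: Purpose, at: Optional[datetime] = None) -> None:
        self._append(user_id, ConsentEvent(purpose, False, at or datetime.now(timezone.utc), ""))

    def _append(self, user_id: str, event: ConsentEvent) -> None:
        self.events.setdefault(user_id, []).append(event)

    def active_consent(self, user_id: str, purpose: Purpose) -> Optional[ConsentEvent]:
        """The most recent event for this purpose, if it is a grant; None otherwise.
        Events are evaluated in the order they were recorded."""
        latest = None
        for ev in self.events.get(user_id, []):
            if ev.purpose is purpose:
                latest = ev
        return latest if latest is not None and latest.granted else None

    def may_process(self, user_id: str, purpose: Purpose) -> bool:
        return self.active_consent(user_id, purpose) is not None

    def history(self, user_id: str) -> List[ConsentEvent]:
        """Everything the user agreed to or withdrew, for the 'easy access' right."""
        return list(self.events.get(user_id, []))


class ConsentRequired(Exception):
    pass


def queue_marketing_email(ledger: ConsentLedger, user_id: str, subject: str) -> str:
    """Gate: the login email may only be reused for marketing under an active opt-in."""
    consent = ledger.active_consent(user_id, Purpose.MARKETING_EMAIL)
    if consent is None:
        raise ConsentRequired(f"no active {Purpose.MARKETING_EMAIL.value} consent for {user_id}")
    # A real implementation would hand off to a mail queue here; we just describe the decision.
    return f"queued '{subject}' for {user_id} under disclosure {consent.disclosure_version}"


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.grant("u1", Purpose.LOGIN, "tos-2018-06")              # constructed sample data
    ledger.grant("u1", Purpose.MARKETING_EMAIL, "marketing-2018-06")
    print(queue_marketing_email(ledger, "u1", "June newsletter"))
    ledger.revoke("u1", Purpose.MARKETING_EMAIL)
    try:
        queue_marketing_email(ledger, "u1", "July newsletter")
    except ConsentRequired as exc:
        print("refused:", exc)
```

The point of the gate is that revoking one purpose leaves the others untouched: after the user withdraws marketing consent, login still works, and the history shows both the grant and the revocation with the disclosure version that applied.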
Data Exchange and Management: Another area that GDPR impacts app development pertains to the regulations that support additional data exchange between the user and the service provider. As noted, the new rules call for the user to be able to ask if their data is being processed, get a complete copy of their personal data, and ask for complete erasure from the service provider’s system.
Each of these items is simple enough as a one-off manual process on a small scale. But for a service provider, the potential for constant or high-volume inquiries may be reason enough to invest in automated mechanisms.
Another consideration is identity verification by the service provider; i.e. how can they confirm they are responding to a valid user request for data? For systems with login credentials, there is a built-in mechanism. But certain edge cases will likely muddy the waters and gaps in GDPR could potentially be exploited for fraud.
A year ago, if you ran an online loan application web site and a user asked you out of the blue to “please give me all of my personal information in a portable format and then also erase me from your system,” you would have been very suspicious. With GDPR, this now becomes a completely legitimate request that you need to process in a relatively short timeframe.
Data Security: The companies that will have success are those that already take security practices very seriously. Here are a few general guidelines that most applications should be following:
– Use HTTPS everywhere and avoid using services that don’t use HTTPS
– Use database-level encryption
– Keep sensitive and personal information out of log files
– Protect your system’s credentials and API keys, including keeping them out of committed code
– Favor two-factor authentication over security questions
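For the “keep sensitive and personal information out of log files” item, one practical mechanism is a logging filter that scrubs known personal-data shapes before any handler writes the record. The following is an added example, not code from the original post; the RedactingFilter class, the redact function and the regular expressions are assumptions, and the sample log lines are constructed. It covers email addresses and IPv4 addresses, the latter being exactly the kind of data the post notes has not historically been treated as personal.

```python
"""Logging filter that redacts emails and IPv4 addresses (added illustration, not the post's code)."""
import io
import logging
import re
from typing import Iterable, List, Tuple

# Assumed patterns. The IPv4 regex is deliberately simple and will also catch
# dotted version strings such as 1.2.3.4; over-redaction in logs is the safer error.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def redact(text: str) -> str:
    """Replace personal-data shapes with fixed placeholders."""
    text = EMAIL_RE.sub("[email]", text)
    text = IPV4_RE.sub("[ip]", text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrite the message template and its arguments before formatting.

    Attach it to the handler rather than the logger: logger-level filters only
    run for records originated by that logger, handler filters run for every
    record the handler writes.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if record.args:
            if isinstance(record.args, dict):
                record.args = {k: redact(str(v)) for k, v in record.args.items()}
            else:
                record.args = tuple(redact(str(a)) for a in record.args)
        return True  # never drop the record, only scrub it


def render(lines: Iterable[Tuple[str, tuple]]) -> List[str]:
    """Push constructed (template, args) pairs through a redacting handler; return the output lines."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger = logging.getLogger("redact-demo")
    logger.propagate = False            # keep the demo out of the root logger
    logger.setLevel(logging.INFO)
    logger.handlers = [handler]
    for template, args in lines:
        logger.info(template, *args)
    handler.flush()
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    # Constructed sample log lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
    for line in render([
        ("login failed for %s from %s", ("alice@example.com", "203.0.113.7")),
        ("reset token sent to carol@example.net", ()),
        ("healthcheck ok", ()),
    ]):
        print(line)
```

Redacting at the filter rather than at each call site means a developer who logs a whole request object by mistake still does not leak the address; the trade-off is that anything the regexes do not recognise (names, free-text notes) still needs to be kept out of the log call in the first place.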
That’s by no means an exhaustive list, but you’d be surprised how many applications out there don’t follow those basics. From there, you can begin evaluating your specific application. For instance, what types of user-generated content might you need to remove to comply with full erasure? What tests do you need to create to ensure full erasure? If you share user-identifiable data with third-party systems, are you clearly communicating that to your users?
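The portability and erasure requests from the “Data Exchange and Management” section, and the “what tests do you need to create to ensure full erasure” question just above, can be exercised against one in-memory model of the tables a user’s data ends up in. This is an added example and not code from the original post: UserStore, its four constructed tables, erase_user_naive (the incomplete ‘before’), erase_user and the residual_references check are all assumptions. The check walks every table looking for exact matches on the user id or email, so it catches the session table that a profile-only deletion forgets, and it is the kind of assertion an automated erasure test would make.

```python
"""Export, erasure and an erasure check over an in-memory store (added illustration)."""
import json
from typing import Any, Dict, List, Set


class UserStore:
    """Constructed stand-in for the tables a real app spreads one user across."""

    def __init__(self) -> None:
        self.users: Dict[str, Dict[str, Any]] = {}
        self.posts: List[Dict[str, Any]] = []       # user-generated content
        self.comments: List[Dict[str, Any]] = []    # content attached to other users' posts
        self.sessions: Dict[str, str] = {}          # token -> user_id; easy to forget

    def tables(self) -> Dict[str, List[Dict[str, Any]]]:
        """Uniform view: table name -> list of row dicts, so one scan covers everything."""
        return {
            "users": list(self.users.values()),
            "posts": self.posts,
            "comments": self.comments,
            "sessions": [{"token": t, "user_id": u} for t, u in self.sessions.items()],
        }

    def export_user(self, user_id: str) -> str:
        """Portability request: every row that refers to the user, as one JSON document."""
        bundle = {name: [row for row in rows if _mentions(row, {user_id})]
                  for name, rows in self.tables().items()}
        return json.dumps(bundle, indent=2, sort_keys=True)

    def erase_user_naive(self, user_id: str) -> None:
        """The incomplete 'before': drop the profile row and nothing else."""
        self.users.pop(user_id, None)

    def erase_user(self, user_id: str) -> None:
        """Right to be forgotten: delete or anonymise every row that points at the user."""
        self.users.pop(user_id, None)
        self.posts = [p for p in self.posts if p["author"] != user_id]
        for c in self.comments:            # keep other people's threads readable, cut the link to the person
            if c["author"] == user_id:
                c["author"] = "[deleted]"
        self.sessions = {t: u for t, u in self.sessions.items() if u != user_id}


def _mentions(value: Any, needles: Set[str]) -> bool:
    """True if any string nested inside value equals a needle (exact match, so 'u1' does not hit 'u10')."""
    if isinstance(value, str):
        return value in needles
    if isinstance(value, dict):
        return any(_mentions(v, needles) for v in value.values())
    if isinstance(value, (list, tuple)):
        return any(_mentions(v, needles) for v in value)
    return False


def residual_references(store: UserStore, user_id: str, email: str) -> List[str]:
    """Erasure check: names of tables still holding the id or the email. Empty list means fully erased."""
    needles = {user_id, email}
    return sorted(name for name, rows in store.tables().items()
                  if any(_mentions(row, needles) for row in rows))


def build_sample_store() -> UserStore:
    """Constructed sample data; example.com addresses are reserved for documentation."""
    s = UserStore()
    s.users["u1"] = {"id": "u1", "email": "alice@example.com", "name": "Alice"}
    s.users["u10"] = {"id": "u10", "email": "bob@example.com", "name": "Bob"}
    s.posts.append({"id": "p1", "author": "u1", "body": "hello"})
    s.posts.append({"id": "p2", "author": "u10", "body": "hi"})
    s.comments.append({"id": "c1", "post": "p2", "author": "u1", "body": "nice"})
    s.sessions["tok-abc"] = "u1"
    return s


if __name__ == "__main__":
    store = build_sample_store()
    print(store.export_user("u1"))
    store.erase_user_naive("u1")
    print("after naive erasure, still referenced in:", residual_references(store, "u1", "alice@example.com"))
    store = build_sample_store()
    store.erase_user("u1")
    print("after full erasure, still referenced in:", residual_references(store, "u1", "alice@example.com"))
```

Running residual_references after the naive version reports posts, comments and sessions as still holding the user, which is exactly the gap an erasure test should fail on; after the complete version it reports nothing, while the other user’s rows are untouched. A real system would add every table, cache and third-party export to the tables() view so the same scan keeps covering them.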
Should GDPR be treated like a best practice?
You’ll also need to decide if you want to support GDPR-like processes as a matter of general course, or only in cases where it’s absolutely required. While implementation could require more creative design and add some cost to development, GDPR does actually provide important protection for individual rights and may bring value for your business.
It could be cheaper to take a minimal approach at first, but we advise everyone to perform some type of upfront cost analysis. You may find that it’s less expensive than you thought to lay some of the initial groundwork. The bottom line here is that user privacy, including the new GDPR changes, is not something that can be bolted on after the fact. It needs involvement from managers, designers, developers, product owners and so on.
How do I learn more about GDPR?
Whether you need to learn more for business purposes, or just want help getting to sleep at night, the best place to learn all the details about GDPR is the General Data Protection Regulation official web site. If you were already fairly well versed in the prior data protection directive from 1995, you might find this site on GDPR Key Changes more useful.
If you’ve got a particular app development project in mind, or are uncertain about the implications of GDPR on an app you’ve already built, we’re happy to help. Please contact us to set up a time to talk.