As a mobile application business you collect a lot of personal data, so the EU General Data Protection Regulation (GDPR) has a direct impact on your work.
In this article, I will highlight 10 points that mobile app businesses should consider when laying out the concept and execution of their application.
Step 1: Assess all the data your application aims to collect
Typically, a good amount of Personally Identifiable Information (PII) is gathered through a mobile app (the GDPR's own term is "personal data", which is broader than PII: anything that can be linked to an identifiable person, including device identifiers, advertising IDs and IP addresses). So assessing all the data you collect is essential, and ideally the whole team should be involved. Start with a data audit: create data maps showing what is collected, where it flows and where it is stored, then group the data into categories, for example identifiers, behaviour or location, and note for each category how long you keep it.
Step 2: Record and justify the processing of this data
The next step is to compile your Records of Processing Activities (RoPA, Article 30 GDPR). For every item of data you identified, make sure you can link it to a specific purpose that serves the overarching goal of your app, and name the lawful basis (Article 6) you rely on for it: consent is one lawful basis, but performance of a contract and legitimate interest are others, and the basis you choose determines what you must tell the user and what they can object to. Keep in mind that IP addresses and even imprecise locations are personal data (although technically easier to get through mobile apps than other platforms), so they need a documented purpose and lawful basis like everything else. So make sure you document it!
Step 3: Get consent from your users
In mobile apps, two different things are often called "consent", and it pays to keep them apart. The first is GDPR consent: when a user signs up for your service or enables a feature, they agree to a specific, clearly described purpose for which you process and store their data. The second is the runtime permission granted to the mobile operating system, Android or iOS, which controls whether the app can technically read the location, camera, microphone or contact list at all. The permission dialog is explicit, but it is not a substitute for your own consent: it tells the OS that the app may access the data, not the user what you will do with it, so you still need specific, purpose-bound consent (or another lawful basis) for each category of data, and you must let the user withdraw it as easily as they gave it. Contact lists are the exceptional case: you are receiving personal data of people who never consented, by asking permission from another party. The only way you can justify that as a mobile app is to establish a strong, documented legitimate interest and to minimise what you take (for example, never uploading the full address book when a hashed or locally matched subset would do).
Ask for each permission at the moment the user first tries to use the feature that requires it, with a short explanation of why, rather than requesting everything on first launch. Give users a settings screen where they can see and switch off each type of processing, and treat "no answer" as "no": consent is opt-in, and a pre-ticked box or a permission granted to the OS alone does not count.
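The distinction between GDPR consent and an OS permission is easy to lose in code, so here is an added example (not from the article) of a small consent ledger that a backend could keep: it stores every grant and withdrawal as an append-only event so you can later prove what the user agreed to (Article 7(1)), treats "no record" as "no consent", and only allows processing when both the purpose-specific consent and the OS permission are present. The purpose keys, the policy-version string and the `source` field naming the UI screen are assumptions for the example.

```python
"""Consent ledger for a mobile app backend (added example, hypothetical code).

Assumptions (not from the article): purposes are identified by short string
keys, the privacy-policy version is a string, and the app reports whether the
OS runtime permission for the data (e.g. location) is currently granted.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, List, Optional

# Hypothetical purposes this app asks consent for, one key per purpose.
PURPOSES = {"analytics", "precise_location", "contacts_upload"}


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str
    granted: bool          # True = consent given, False = consent withdrawn
    policy_version: str    # which privacy notice the user saw at the time
    at: datetime
    source: str            # which screen/flow recorded the choice (evidence)


@dataclass
class ConsentLedger:
    """Append-only record of consent decisions so the app can demonstrate
    that (and how) consent was obtained, and honour withdrawals."""
    clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)
    _events: List[ConsentEvent] = field(default_factory=list)

    def record(self, user_id: str, purpose: str, granted: bool,
               policy_version: str, source: str) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        ev = ConsentEvent(user_id, purpose, granted, policy_version,
                          self.clock(), source)
        self._events.append(ev)   # never overwrite: withdrawal is a new event
        return ev

    def latest(self, user_id: str, purpose: str) -> Optional[ConsentEvent]:
        """Most recent decision for this user and purpose, if any."""
        for ev in reversed(self._events):
            if ev.user_id == user_id and ev.purpose == purpose:
                return ev
        return None

    def has_consent(self, user_id: str, purpose: str) -> bool:
        """Opt-in semantics: no record at all means no consent."""
        ev = self.latest(user_id, purpose)
        return ev is not None and ev.granted

    def evidence(self, user_id: str) -> List[dict]:
        """Everything recorded for one user, e.g. for an access request."""
        return [
            {"purpose": e.purpose, "granted": e.granted,
             "policy_version": e.policy_version, "at": e.at.isoformat(),
             "source": e.source}
            for e in self._events if e.user_id == user_id
        ]


def may_process(ledger: ConsentLedger, user_id: str, purpose: str,
                os_permission_granted: bool) -> bool:
    """Processing is allowed only when BOTH the purpose-specific GDPR consent
    is active AND the OS permission is granted. Either one alone is not enough:
    an OS permission says the app *can* read the data, not that the user agreed
    to this use of it."""
    return ledger.has_consent(user_id, purpose) and os_permission_granted


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record("u1", "precise_location", True, "policy-v3", "map_screen")
    print(may_process(ledger, "u1", "precise_location", os_permission_granted=True))
    ledger.record("u1", "precise_location", False, "policy-v3", "settings")
    print(may_process(ledger, "u1", "precise_location", os_permission_granted=True))
```

The ledger keeps the policy version and the originating screen alongside each decision because, when a regulator or a user asks, "the user ticked a box" is not enough: you need to show what they were told and when.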
Step 4: Secure the data storage
Make sure all the data you collect is encrypted at rest on your servers and on the device (use the platform keystore, Android Keystore or the iOS Keychain, for keys, and never store personal data in world-readable locations or unencrypted backups). Access to data and to servers needs to be restricted to the people and services that can justify it, with individual accounts and audit logging rather than shared credentials. Define a retention period for every category of data, including server and crash logs, which often contain IP addresses and identifiers, delete data when that period ends, and make the deletion job part of your regular operations rather than a one-off clean-up.
Step 5: Enforce HTTPS when transmitting data
If you collect any personal data through sign-up or contact forms, or redirect to other forms that collect data, then all of it must travel over HTTPS with a correctly deployed certificate and a current TLS configuration (TLS 1.2 or newer, no legacy SSL protocol versions or weak cipher suites). On the app side, disallow cleartext traffic altogether: on Android set `cleartextTrafficPermitted="false"` in the network security configuration, and on iOS keep App Transport Security enabled rather than adding exceptions for your own hosts. Test your endpoints with a TLS scanner before each release, since a certificate that has expired or a server that still accepts an old protocol is a compliance problem as well as a security one.
Step 6: Notify users of data breaches
If a breach occurs, the GDPR requires you to notify your supervisory authority within 72 hours of becoming aware of it (Article 33), unless the breach is unlikely to result in a risk to the people affected. Where the breach is likely to result in a high risk to users, you must also inform them without undue delay (Article 34). Once a breach has been detected, assess its scope, take the necessary initial steps to contain it and secure your users' data, and document what happened and what you did, since the regulation requires you to keep a record of every breach, even those you decide not to report. Communicating with users can be done by sending an in-app message describing in plain language what was exposed, what you have done about it and what they should do (for example, change a password); do not rely on the in-app channel alone if the breach affects users who no longer open the app.
Step 7: Build Data Subject Requests into the app
Under the GDPR, a user can ask you at any time what data you hold about them (right of access, Article 15) and to receive it in a structured, commonly used, machine-readable format they can take elsewhere (data portability, Article 20). You must respond within one month. As a mobile application, the cheapest way to meet that deadline is to build the request into the user interface: let users download their data from their account settings as, for example, a JSON export, generated automatically from the same data map you drew up in step 1, so no manual search through databases is needed each time.
Step 8: Allow users to delete their data and account from the app
In terms of compliance, users should be able to delete their account and data directly from the app settings (right to erasure, Article 17), not only by e-mailing support. It is acceptable to offer a 'deactivation' step with a short grace period, say 14 days, during which the account is disabled but can be restored, as long as you tell the user that this is how it works and the data really is purged when the period ends. Make sure the purge also covers derived copies: analytics profiles, caches, and the data you have passed to vendors.
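As an added example (not part of the article), the following code sketches how steps 7 and 8 can be implemented together on the backend: a self-service export that returns the user's data as a machine-readable structure while deliberately leaving out security secrets such as the password hash, and an account deletion with a grace period after which a scheduled job purges the record and keeps only a PII-free log entry as proof. The in-memory store, the `FakeClock` used to make the 14-day period testable, and the field names are assumptions for the example.

```python
"""Self-service data export and deferred account deletion (added example,
hypothetical code, not from the article).

Assumptions: user records live in an in-memory dict, the grace period is
14 days, and a periodic job calls purge_due() to carry out the deletions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

GRACE_PERIOD = timedelta(days=14)


class FakeClock:
    """Controllable clock so the grace period can be exercised without waiting."""
    def __init__(self, start: Optional[datetime] = None):
        self.t = start or datetime(2024, 1, 1, tzinfo=timezone.utc)

    def now(self) -> datetime:
        return self.t

    def advance(self, **delta) -> None:
        self.t += timedelta(**delta)


@dataclass
class UserRecord:
    user_id: str
    email: str
    display_name: str
    password_hash: str                     # a secret, never part of an export
    locations: List[dict] = field(default_factory=list)
    deletion_requested_at: Optional[datetime] = None


class AccountStore:
    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        self._users: Dict[str, UserRecord] = {}
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        # (user_id, purged_at): evidence that the request was honoured,
        # deliberately without any personal data.
        self.deletion_log: List[Tuple[str, datetime]] = []

    def add(self, rec: UserRecord) -> None:
        self._users[rec.user_id] = rec

    def exists(self, user_id: str) -> bool:
        return user_id in self._users

    def is_active(self, user_id: str) -> bool:
        return self._users[user_id].deletion_requested_at is None

    def export(self, user_id: str) -> dict:
        """Article 15/20 export: the user's personal data in a structured form.
        Only fields that are the user's data are included; internal secrets
        (password hash) and bookkeeping fields are left out."""
        rec = self._users[user_id]
        return {
            "exported_at": self._clock().isoformat(),
            "user": {
                "user_id": rec.user_id,
                "email": rec.email,
                "display_name": rec.display_name,
                "locations": list(rec.locations),
            },
        }

    def request_deletion(self, user_id: str) -> datetime:
        """Deactivate now; the record is purged once GRACE_PERIOD has passed."""
        rec = self._users[user_id]
        rec.deletion_requested_at = self._clock()
        return rec.deletion_requested_at + GRACE_PERIOD

    def cancel_deletion(self, user_id: str) -> None:
        """User changed their mind inside the grace period."""
        self._users[user_id].deletion_requested_at = None

    def purge_due(self) -> List[str]:
        """Run periodically: permanently delete every account whose grace
        period has expired and return the ids that were purged."""
        now = self._clock()
        due = [uid for uid, r in self._users.items()
               if r.deletion_requested_at is not None
               and now - r.deletion_requested_at >= GRACE_PERIOD]
        for uid in due:
            del self._users[uid]
            self.deletion_log.append((uid, now))
        return due


if __name__ == "__main__":
    clock = FakeClock()
    store = AccountStore(clock=clock.now)
    store.add(UserRecord("u1", "alice@example.com", "Alice", "$argon2id$...",
                         locations=[{"lat": 48.85, "lon": 2.35}]))  # constructed data
    print(store.export("u1"))
    print("purge at", store.request_deletion("u1"))
    clock.advance(days=14)
    print("purged:", store.purge_due(), "remaining:", store.exists("u1"))
```

Keeping the purge in one job that every storage location feeds into (here there is only one dict, but in practice it would cover the analytics store and outbound vendor deletions too) is what makes the 14-day promise verifiable.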
Step 9: Be transparent and inform users of your third party vendors
If you use third party services or products that receive personal data from your app, those vendors are processors acting on your behalf, and you remain responsible for what they do with the data, so you need to make sure they are compliant. If you have a Customer Relationship Management (CRM) tool, an analytics or crash-reporting SDK, a push-notification or advertising provider, or any others, they all need to be listed as your vendors, together with what data each one receives and where it is processed (transfers outside the EU need their own safeguards). After you have determined all the vendors you have, the next step is to inform users of these vendors in your privacy notice: who is getting what data from you, and for what purpose.
Step 10: Prepare your Data Protection Agreements (DPAs)
The last step is to make sure you have a Data Processing Agreement (DPA) with every vendor that processes personal data for you; Article 28 GDPR makes such a contract mandatory. The purpose of the DPA is to document that the vendor only processes the data on your instructions and for your purposes, keeps it secure, helps you respond to data subject requests and breaches, does not hand it on to sub-processors without your approval, and deletes or returns it when the service ends. Most established vendors publish a standard DPA you can sign online; read it before relying on it, since it is your name on the line if they fall short.
In general, mobile applications are not all that different from other online platforms when it comes to compliance with the GDPR and the principles remain the same. Nonetheless, I hope this helps answer some questions you might have had about GDPR compliance as a mobile app business.