The General Data Protection Regulation (GDPR) is a European Union law that deals
with personal data and privacy. GDPR is important and has a big impact around
the world, inspiring new legislation, such as the CCPA and others, expected in years to
and app owners who use web or mobile apps that collect and use personal
data from EU citizens must follow the GDPR.
It doesn't matter if your app is run outside of the EU: the GDPR still applies, and the penalty for noncompliance with this law might be substantial. The main goal of the GDPR is to give people in the EU more control over their personal information. Individuals can control their personal data, and companies can better handle personal consumer data by using GDPR guidelines.
If you are a web or mobile app developer or app owner, this article will shed some light on how to implement GDPR-compliant Privacy Policies and procedures for collecting, storing and processing personal data. GDPR also introduces new roles, data Controller and data Processor, which may be confusing to some development teams.
Data controllers are individuals, governmental bodies, and organizations that determine how and
why personal data is collected and used.
A person's personal information is handled by controllers, so if your app gathers personal data from your users, you are considered to be a data controller in terms of GDPR.
On the other hand, the data processor role is very different, since a data processor processes personal data on behalf of a controller.
Processors don’t decide how personal data is handled because they're just following the requirements set by the controller. Processors are nevertheless required to be GDPR compliant even if they are just following controller instructions, as they handle personal data.
some concepts that were previously considered part of good practice in web
and mobile app development, such as Privacy by Design, which became mandatory with
the introduction of the law, but also puts emphasis on the existence of different types
of personal data and gives guidelines on how to approach collecting,
keeping and processing them.
GDPR also introduces some rights that natural persons have regarding their personal data, which were not previously considered part of practice. They are briefly described below:
Explicit consent from web or mobile app users before collecting their personal information
Data protection by design and by default
Make sure to become familiar with Privacy by Design concepts and incorporate them into your GDPR compliance plan, even at the app design stage. You may learn more about the topic here.
User access to data
As an app developer, you need to implement mechanisms for users to access the data collected about them. If you collect only their name, surname and email, that is fairly easy, since you can give them a link to their profile. However, if you are building an app that tracks users' actions or behavior, you need to provide them with an activity log or with other mechanisms that give them insight into the collected data.
Those mechanisms don’t have to be robust. If you are a small team, you can even extract the data from your database manually. What matters, though, is that the collected data is available (in some manner) to the user and that you have mechanisms in place that ensure the user will have access within 30 days, a deadline recommended by GDPR.
No matter how you want to approach user access to data, keep app scalability and business requirements in mind during the app design, to avoid either unnecessary development or tons of manual legwork.
Right to data portability
This right is closely related to the previous one, and GDPR even suggests the formats and ways of ensuring data portability. GDPR puts the emphasis on machine-readable formats, such as CSV and JSON, rather than on human-readable ones. This approach ensures that the gathered data about the user can potentially be used with a different service provider. However, the data handed to the user, as described in the previous section, should be human-readable and of use to the actual user.
Right to be forgotten
For most applications, this right means putting in place mechanisms that ensure that personal data about the user can be erased without harm to the structure of other data or to the entire application. To ensure that loss of database structural integrity is prevented, Privacy by Design mechanisms and guidelines were also presented.
Strict implementation of the rules
Hefty fines were set in place for not following GDPR, along with cross-border jurisdiction, so while it is not to be expected that your MVP would be subjected to a lawsuit, it’s always advisable to implement GDPR design rules and guidelines as much as possible, as early as possible.
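One way to implement the portability export and the erasure described in the two sections above, as an added example that is not from the original article or from Mars engine. The table names, columns and the functions `export_user` and `erase_user` are assumptions, and the sample rows are constructed.

```python
import csv, io, json, sqlite3

# Constructed schema (an assumption): personal data lives only in `users`;
# `orders` points at it by id, so erasing a person never deletes business rows.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, erased_at TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY,
                     user_id INTEGER NOT NULL REFERENCES users(id),
                     item TEXT, total_cents INTEGER);
"""

def open_demo_db():
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("PRAGMA foreign_keys = ON")  # enforce the orders -> users link
    db.executescript(SCHEMA)
    db.execute("INSERT INTO users (id, name, email) VALUES (1, 'Ana Example', 'ana@example.com')")
    db.executemany("INSERT INTO orders (user_id, item, total_cents) VALUES (1, ?, ?)",
                   [("notebook", 450), ("pen", 120)])  # constructed sample rows
    db.commit()
    return db

def export_user(db, user_id):
    """Portability: return the user's data as machine-readable (JSON, CSV)."""
    user = db.execute("SELECT id, name, email FROM users WHERE id = ?",
                      (user_id,)).fetchone()
    if user is None:
        raise LookupError("unknown user")
    orders = [dict(r) for r in db.execute(
        "SELECT id, item, total_cents FROM orders WHERE user_id = ? ORDER BY id",
        (user_id,))]
    as_json = json.dumps({"profile": dict(user), "orders": orders}, indent=2)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["id", "item", "total_cents"])
    writer.writeheader()
    writer.writerows(orders)
    return as_json, buf.getvalue()

def erase_user(db, user_id):
    """Erasure: blank the personal columns but keep the row, so foreign keys hold."""
    with db:  # one transaction: commits on success, rolls back on error
        cur = db.execute(
            "UPDATE users SET name = NULL, email = NULL, erased_at = datetime('now') "
            "WHERE id = ? AND erased_at IS NULL", (user_id,))
    return cur.rowcount == 1  # False if the user is unknown or already erased
```

Free-text columns, logs and backups that hold the same personal data need their own erasure path; this example only covers the two tables it defines.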
Right to know when one's data has been breached
While security by default is also part of the Privacy by Design guidelines, we may also expect that some data breaches will happen over the application life cycle. If this happens, you, as the data controller, are obliged to inform your users about the breach and about the data that was compromised as soon as possible, but no later than 60 days. Failing to do so brings high fines and other measures.
This ensures transparency, but also encourages tech companies and dev teams to practice encryption at rest on personal data and to design their applications differently.
While some may find GDPR and similar laws such as the CCPA very
restrictive, there is one single purpose behind them: to ensure that only the data
needed for running the application is actually collected from the user and that
the data that is collected is handled responsibly, with a specific purpose in mind.
Remember camera apps that want to access your phone book? Or calculator apps doing the same?
If you don't, you’re in luck, because they have been withdrawn from the market thanks to GDPR and other similar laws, ensuring a more private and safer online environment for us all.
So, to ensure that the app you’re developing is GDPR compliant, you need to follow some Privacy by Design principles, such as:
To make your
life easier, especially during early development, Mars engine provides you with
some built-in GDPR-friendly templates, such as the GDPR Template, which
can easily be integrated with a login/register editable backend template, for
example, and which also contain databases with a structure adapted to the GDPR
requirements and user rights.
To learn more about how to design your apps according to the Privacy by Design guidelines, follow this link.