What Is GDPR, and Should Your Mobile App Be GDPR Compliant?
Time has run out to prepare yourself for the General Data Protection Regulation (GDPR), which strengthens and unifies data protection for all individuals living within the European Union. Governing bodies in the EU have been enforcing GDPR since May 25, 2018. This remains unaffected by the UK’s decision to leave the EU. Mobile app owners and publishers should educate themselves on the regulation. Mobile apps and websites are responsible for ensuring that they are GDPR compliant, if the regulation applies to them. Moreover, it helps to understand how key changes to the law apply to collecting and processing information. This benefits not only the mobile app itself, but also protects the privacy of your users.
What is GDPR?
The purpose of the GDPR is to give citizens and residents back control over their personal data, and to simplify the regulatory environment within the EU. Personal data is defined as “Any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” At the time of writing this post, GDPR is a living document that representatives are still working to expand in key areas.
Although the key principles of data privacy carry over from the previous Data Protection Act of 1998 (DPA), the main changes an operator must follow to be GDPR compliant include: requests for consent, breach notifications, the right to access, the right to be forgotten, data portability, privacy by design, and the need for Data Protection Officers (DPOs).
Does this apply to me?
GDPR applies to those considered ‘controllers’ and ‘processors’. The definitions are similar to those in the existing DPA: the controller determines why and how the personal data is processed, whereas the processor acts on the controller’s behalf. Both controllers and processors will have significantly more legal responsibility over user data, and both are liable for any data breaches. Any organisation operating in, or offering goods or services to individuals in, the EU can be subject to the GDPR.
Why should I care?
Under GDPR, organisations can be fined up to 4% of their annual global turnover or €20 million, whichever is greater. This is the maximum fine imposed for the most serious infringements. It’s important to note that these rules apply to both data controllers and processors, so cloud providers will not be exempt from GDPR.
How can I ensure my mobile app is GDPR compliant?
When GDPR takes effect, organisations will be responsible for informing users or customers of their rights over the personal data collected. Mobile app companies will be responsible not only for asking new users for permission, but many companies will also need to re-contact their existing users to collect permissions again, given the changes in law. An initial fear comes from companies that already see a high opt-out rate for notifications: doing this part wrong may lead to even more opt-outs. Along with this, any notifications that include sensitive user data may incur harsher penalties if a customer’s data is compromised.
For data processors, the obligation to protect the controller’s personal user data is far greater.
The best way to be compliant with GDPR is to read up on the latest updates at EU GDPR. If your company collects any sensitive user information, ensure you understand the responsibilities, obligations and penalties involved with requesting, collecting, accessing and processing that information. Contact your data processors to ensure their compliance as well. Plan further advice and actions in case a breach or compromise of data covered by GDPR occurs. Determine whether you’re one of the many organisations that are required to have an appointed DPO to meet internal record-keeping requirements.
OpenBack’s trusted solution is ready-to-go
OpenBack has gone to great lengths to prepare and ensure its product is GDPR compliant by default. The 3 main areas where OpenBack excels beyond the industry standard are: user consent, private user data, and ‘the right to be forgotten.’
User consent
Valid consent must be explicit for fair processing of sensitive user data. For any child user under the age of 16, consent must be given by the child’s parent or custodian (legal guardian).
Solution – OpenBack offers customisable opt-in message templates to gather permissions from new users and re-collect those from existing users. By customizing the message, mobile apps can explain the need to re-ask for user permissions, leading to a higher percentage of opt-ins.
Private User Data
Personal user data should only be accessible by the owner of the data. They have the right to move, copy or transfer the data freely and securely from one IT environment to the next.
Solution – OpenBack acts as a data processor. This means that user data remains securely on the user’s device, rather than being sent to centralised cloud servers. This reduces the risk of the customer’s data being compromised. OpenBack can then pseudonymise (key-code) additional user data if requested by the controller, for greater security.
Right to be forgotten
Also referred to as ‘the right to erasure’, this gives individuals the right to have their personal data erased and to prevent further processing under specific circumstances.
Solution – OpenBack supports deletion of user data upon request via its dashboard or API. We will never sell anonymous (pseudonymised) data to advertisers or researchers.
To learn more about how OpenBack will keep your mobile app GDPR compliant, as well as compliant with HIPAA, COPPA, CCPA, and all other localized data privacy regulations, get in touch with one of our experts.