
What do app developers need to know about GDPR?

(Image credit: Shutterstock/Wright Studio)

As the 25th May 2018 deadline fast approaches, the General Data Protection Regulation (GDPR) will mean big changes for all businesses: consent to processing must be demonstrable, and consumers can withdraw that consent at their discretion, at any time. Of growing concern is that few organisations appear to be ready for it. According to a study by W8data, only 25 per cent of existing customer data will meet GDPR requirements by the deadline later this month, risking a backlash from users and enforcement action over non-compliance.

But it is not just businesses and large organisations that need to be aware of the new regulation: in the age of the mobile-first enterprise, what do app developers need to know about GDPR and its impact on apps?

Under the GDPR, data processors carry far more legal responsibility than before, and app developers, publishers and marketers all need to get up to speed on their new obligations. It is no longer only about keeping customers' information safe: app operators are also required to keep a complete record of the processing operations under their responsibility, to implement appropriate security measures, and to inform users how they plan to use the data collected.

As an app developer, the most important element of the GDPR is the way you communicate with users and customers about what the regulation requires of every party, users included. Communicating effectively also requires complete visibility over app usage and data activity, maintained in a controlled way.

GDPR is not a threat to app developers and businesses; it is an opportunity to understand your data better, to use it more effectively to improve what you offer customers, and to put the protection of user data at the core of your business' agenda from now on. The information available to businesses, app developers and data protection officers is dense with legal formalities and compliance language, and is often overwhelming and confusing to wade through. We have identified the top five steps that every app developer should know about and can take proactively now, to be ready for the 25th May deadline.

1. Know your user

Mobile app developers rely heavily on customer data for app optimisation, measuring effectiveness and marketing, so the regulation touches crucial operations. To ensure compliance, the first thing app owners should do is establish what personal data they hold for each customer, where it is stored, and how it can be retrieved when a user exercises their rights.

Getting up to speed with the data you currently hold is also the opportunity to conduct a risk analysis or Data Protection Impact Assessment (DPIA). Benchmark current processes against the GDPR requirements to identify the gaps that will require protective measures in your mobile apps.

2. Ready to opt-in…

The most important moment of the customer engagement cycle is right at the start, when a customer agrees to opt in to data sharing as outlined in the terms and conditions. Making sure your level of disclosure at the moment of opt-in meets the new consent standard is an explicit requirement that all app developers should focus on. Under the GDPR, consent is only one of several lawful bases for processing, but where you rely on it, it must be freely given, specific, informed and unambiguous, given by a clear affirmative action (silence or a pre-ticked box does not count), and it must be as easy to withdraw as it was to give. Keep a record of who consented, to what, under which version of the terms, and when, because you must be able to demonstrate it.

3. …And the right to be forgotten…

Importantly, responding to user requests is at the heart of the regulation. All businesses handling customer data will be required to respond appropriately to 'right to be forgotten' requests and to the other data subject rights: users can ask to access their data, to have it corrected, or to have it erased, and you must act on a request without undue delay and, in general, within one month. Where data is erased, it must be gone from every copy you control, including backups, which means knowing in advance where each user's data is replicated and how a deletion propagates there; in practice, encrypting each user's data under its own key and destroying the key on erasure makes backup copies unreadable without having to rewrite them. The consent wording for opting in and the route to request deletion must be easy to understand and visible to all mobile app users, clearly stating the purposes for which their personal data is collected and used.

Of course, there are specific circumstances in which data must be retained for legal purposes (for example to comply with a legal obligation, or to establish, exercise or defend legal claims), so it is just as important that you identify these cases and explain to the user why the data must be kept in that particular scenario.
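The opt-in record from step 2 and the erase-from-backups requirement from step 3, as an added example that is not from the article or from appScatter: a small Python store that keeps an append-only consent ledger and holds each user's personal data only as ciphertext under a per-user key, so backups contain nothing readable and erasure is a matter of destroying the key (crypto-shredding), with a legal-hold exception for data that must be retained. The UserVault class, its method names, the separate key store and the sample profile are assumptions for illustration; the HMAC-SHA256 counter-mode keystream stands in for AES-GCM only so the example runs with the standard library.

```python
# Added example (not from the article): consent ledger plus crypto-shredding.
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based keystream. Stand-in for
    AES-GCM so the example needs no third-party package; it gives
    confidentiality only, not integrity, so do not ship it as-is."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)  # fresh per record; never reused under one key
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


class UserVault:
    """Personal data is held only as ciphertext under a per-user key. Backups
    copy the ciphertext; the key store is separate and is not backed up with
    the data, so deleting one key erases every copy of that user's data."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}       # user_id -> per-user key (hypothetical key store)
        self._records: Dict[str, bytes] = {}    # user_id -> ciphertext (what gets backed up)
        self._legal_hold: Set[str] = set()      # users whose data must be retained (Art. 17(3))
        self.consent_log: List[dict] = []       # append-only consent ledger

    # Step 2: record who agreed to what, under which terms version, and when.
    def record_consent(self, user_id: str, purpose: str,
                       terms_version: str, granted: bool) -> None:
        self.consent_log.append({
            "user_id": user_id, "purpose": purpose,
            "terms_version": terms_version, "granted": granted,
            "at": datetime.now(timezone.utc).isoformat(),
        })

    def has_consent(self, user_id: str, purpose: str) -> bool:
        # Latest entry wins; withdrawal is simply a later entry with granted=False.
        for entry in reversed(self.consent_log):
            if entry["user_id"] == user_id and entry["purpose"] == purpose:
                return entry["granted"]
        return False

    def store(self, user_id: str, profile: dict) -> None:
        key = self._keys.setdefault(user_id, secrets.token_bytes(32))
        self._records[user_id] = encrypt(key, json.dumps(profile).encode())

    def read(self, user_id: str) -> Optional[dict]:
        key, blob = self._keys.get(user_id), self._records.get(user_id)
        if key is None or blob is None:
            return None  # no key: ciphertext (live or restored) is unreadable
        return json.loads(decrypt(key, blob).decode())

    def backup(self) -> Dict[str, bytes]:
        return dict(self._records)  # ciphertext only; keys never leave the key store

    def restore(self, backup: Dict[str, bytes]) -> None:
        self._records.update(backup)  # restoring an erased user brings back only ciphertext

    # Step 3: erasure, with the legal-retention exception the article mentions.
    def place_legal_hold(self, user_id: str) -> None:
        self._legal_hold.add(user_id)

    def erase(self, user_id: str) -> bool:
        """True if erased; False if a legal hold means the data must be kept."""
        if user_id in self._legal_hold:
            return False
        self._keys.pop(user_id, None)     # crypto-shredding: destroying the key is the erasure
        self._records.pop(user_id, None)  # tidy the live copy too; backups need no rewrite
        return True


if __name__ == "__main__":
    vault = UserVault()
    vault.record_consent("u1", "analytics", "terms-2018-05", True)
    vault.store("u1", {"email": "alice@example.com"})  # constructed sample profile
    snapshot = vault.backup()
    vault.record_consent("u1", "analytics", "terms-2018-05", False)  # withdrawal
    vault.erase("u1")
    vault.restore(snapshot)
    print("consent now:", vault.has_consent("u1", "analytics"),
          "| readable after restore:", vault.read("u1"))
```

The point of the design is that the backup never has to be touched: once the key is gone, the restored ciphertext is just noise, which is what "no way to recover that data, including from backups" demands in practice. The key store itself then needs the same care as any secret material (separate backup policy, access logging), and a legal hold must block key deletion, not just the record deletion.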

4. Stay up-to-date with your data

Data protection does not just cover the safe-keeping of information; it also means regularly assessing whether the way data is stored and accessed needs to change. In practice this means maintaining a record of your processing activities and an audit trail of access to, and changes of, personal data stored, transmitted or collected via mobile applications.

Establishing new processes and modifying existing applications will keep data protected and compliant with GDPR throughout acquisition, transfer, storage and handling. Audit logging and monitoring can be integrated to support the auditing of operations that involve the data of people in the EU, a crucial component of the regulation that applies regardless of where in the world your business operates from.

5. Know who else is involved

As soon as the customer data you gather is passed on to a third party, that party needs to become aware of and involved in your compliance activities; under the GDPR, a processor acting on your behalf must be bound by a written contract setting out what it may do with the data. Customer relationship management systems and email service providers are examples of the kinds of third-party organisations that app developers already work with every day.

It is critical that, as well as maintaining good communication with users and customers about data management, you as the data controller also keep assessing the third-party vendors that are granted access to customer data. This includes keeping them up to date on any changes to your data protection policy, as well as working with them to identify gaps and establish solutions to remain compliant.

Communication is critical

In conclusion, app developers and publishers are directly responsible for their users' data: how it is collected and used, which third parties have access to it, and how it is securely stored, accessed and erased. Compliance with these obligations will be more straightforward if maximum transparency and direct communication are maintained. Simplifying the communication with your users, and being proactive and well prepared in your data handling, will offer a better experience for all parties and ensure consumers keep their confidence in your ability to serve them efficiently and securely.

James Eggleston, CTO, appScatter

James Eggleston is CTO at appScatter, the scalable B2B platform that allows users to distribute and manage their apps on multiple app stores around the world.