
© SafeDK 2018 | All rights reserved www.safedk.com

GDPR IS COMING:
HOW TO MAKE SURE YOUR
MOBILE APP IS READY
THE COMPLETE GUIDE TO EVERYTHING
YOU NEED TO KNOW AND DO TO
COMPLY WITH GDPR FOR MOBILE

www.safedk.com

INDEX

INTRO TO GDPR
GDPR MAIN REQUIREMENTS
PRIVATE USER INFORMATION CHALLENGES IN THE WORLD OF MOBILE APPS
GDPR FOR MOBILE APPS
SAFEDK HELPS MOBILE APPS WITH SDK-RELATED GDPR COMPLIANCE


INTRO TO GDPR

In the digital era, our private data is far more exposed and available than before. Recent years have seen several massive data breaches, including the leaking of information from millions of Yahoo, LinkedIn and MySpace accounts. To give people in Europe stronger privacy protection, and to make businesses more accountable, a continent-wide overhaul of personal data protection was overdue.

Hence, in May 2018, Europe's data protection rules undergo a major overhaul. The existing Data Protection Directive (95/46/EC), and the national laws that implemented it such as the UK Data Protection Act 1998, are replaced by the European Union's (EU) General Data Protection Regulation (GDPR), a framework that changes how businesses and public sector organizations handle customer personal data, with significantly greater fines for those who fail to abide by the new rules.

The new regulation was adopted on April 27th 2016 with a two-year transition period written into the regulation itself, giving businesses and public bodies time to prepare before it becomes enforceable on May 25th 2018.

The GDPR is meant to unify data protection for all individuals within the EU under one umbrella, and to control the export of personal data outside of Europe. It aims to return control over personal data to the people it describes and to simplify the regulatory environment in which international business is conducted. According to the EU's GDPR website, the new legislation harmonizes data privacy laws throughout the continent, giving individuals greater protection and rights. Under the regulation, people have the right to access the personal data that companies hold about them, and businesses are obliged to obtain clear consent from the people they collect data about (where consent is the legal basis they rely on) and to manage that data properly.

Once in force, the regulation is binding on all companies holding personal data of individuals in the European Union, regardless of where the company is located. This of course holds true for mobile apps as well.

Businesses will have to demonstrate that they have made the necessary changes to protect user data, or face hefty fines for non-compliance: up to 20 million euros or 4% of annual worldwide turnover, whichever is higher. Furthermore, mobile apps found to be non-compliant run the risk of being removed from the app stores.

We at SafeDK have already started preparing for GDPR. We have conducted thorough research into the new regulation to gain a comprehensive understanding of its implications for mobile apps and SDKs. We want to save you the effort of doing the same by sharing what we have learned so far. We will of course provide updates if there are any changes to our guide as we get closer to May 2018.

Here is the complete guide for getting your mobile app ready for
GDPR:

GDPR MAIN REQUIREMENTS

There are several key requirements in the regulation that you have to pay attention to:

The right to be forgotten
Under the GDPR, individuals in the EU have the right to access and control their data. Essentially this means individuals have the right to request that data controllers delete all of their personal data, halt any further publication of it and potentially stop third parties from processing it, should the data no longer be needed for the original processing purposes, or should the consent on which the processing rests be withdrawn.

Explicit consent
According to the new regulation, businesses must request and receive consent to collect, use and move personal data. The request must be made, and the consent given, in a clear, intelligible and easily accessible form, without confusing legalese. Individuals must be able to withdraw consent just as easily as they gave it.

Mandatory data breach notifications
In the event that a company's data is breached, the controller must notify the supervisory authority within 72 hours of becoming aware of the breach, and must inform the affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms. Data processors must notify the data controllers of a breach "without undue delay." This is extremely important, as data breaches can put the rights and freedoms of individuals at risk.

Privacy by design
Though this is not a new concept, under the GDPR data protection by design and by default (Article 25) becomes a legal requirement. This means that privacy and data protection must be built in from the start and throughout a project's life cycle. Together with the data minimisation principle (Article 5(1)(c)), it requires data controllers to hold and process only the data that is necessary for the stated purpose. In addition, by default personal data should be accessible only to those who need it for the processing.

Data Protection Officers
Under the GDPR, keeping records of processing activities becomes mandatory for most organizations (Article 30), and the appointment of a data protection officer (DPO, the person charged with managing data protection) is mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. DPOs are chosen for their expert knowledge of data protection laws and practices. They must be given the resources necessary to perform their role and report directly to the highest level of management.

PRIVATE USER INFORMATION CHALLENGES IN THE WORLD OF MOBILE APPS

Most mobile apps integrate many 3rd party components (SDKs) in order to add a variety of capabilities. This has become standard in the mobile app industry, with over 18 SDKs integrated in the average mobile app. But let's not forget that these SDKs are in fact black boxes of 3rd party code that app publishers let into their app; code that comes with the built-in ability to access private user information on the end user's device.

The chart below from our latest Mobile SDK Trends Report shows
the percentage of apps that have at least one SDK accessing the
following user information:

[Chart: Usage of SDKs That Access Private Data, % of apps, August '17 vs December '17. Categories: Location, User Apps (installed apps), Contacts, Accounts, Calendar, Microphone. Recoverable values: Location 52.4% (Aug) to 56.0% (Dec); User Apps 40.0% to 41.6%; Contacts 28.1% and 29.3%; Accounts, Calendar and Microphone each in the 8-10% range.]

*Source: SafeDK December 2017 Mobile SDKs Data Trends Report

You can see that 56% of apps have at least one SDK that tries to access the user's location, and 41.6% of apps have at least one SDK that tries to read the list of installed apps on the user's device. On Android (at the time of writing), that list is not guarded by any permission that the user can grant or revoke; it is simply up for grabs. The ostensible purpose is to check which apps are installed so they can communicate with one another, but in practice this information is also accessed for other purposes, such as selling it for targeted advertising. As of February 2018, Google is enforcing stricter rules around access to private user data on Google Play: apps must only access information integral to their core functionality, or else prominently inform the user about the data being collected.

Going back to SDKs, they often do need user information for their core functionality, but this nevertheless creates potential exposure for mobile apps with regard to the GDPR requirements. The chart below gives you an idea of the percentage of SDKs that access specific categories of private user information:

[Chart: SDKs That Access Private Data, % of SDKs, two series (August '17 and December '17). Categories: Location, User Apps, Contacts, Accounts, Calendar, Microphone. Recoverable values: Location 26.8% and 25.4%; User Apps 16.5% and 15.1%; Contacts 8.7% and 7.6%; Accounts, Calendar and Microphone each in the 3-6% range.]

*Source: SafeDK December 2017 SDK Trends Report

Now that we have a better understanding of the potential risks mobile apps have to deal with, let's dive into the specific GDPR implications for mobile apps.

GDPR FOR MOBILE APPS

GDPR Implications for Mobile Apps
GDPR defines "personal data" as any information relating to an identified or identifiable individual. Identifiers can include names, phone numbers and addresses, as well as digital information such as usernames, device identifiers, locations, behaviour and more. This regulation therefore affects all businesses in one way or another, and mobile apps are no exception.

App publishers are directly responsible for their users' data: the publisher is the data controller for the app and remains responsible for what the SDKs it integrates do with that data. Therefore, app owners must ensure complete visibility and real-time control over what the app and its SDKs do. They must first map how they obtain, store, transfer and use data before they can secure it. Server hardening and new firewall configurations may also be needed. Developers and publishers must keep track of changes to the data, and of digital and physical access to it, which means a complete, auditable history of changes must be kept. Any data that travels between the app and the server must be encrypted in transit (TLS, with certificate validation left enabled), and user passwords must never be stored in the clear or as plain unsalted hashes: store them only as salted hashes produced by a slow, memory-hard password hashing function such as scrypt, bcrypt or Argon2.

Practical guidelines for mobile app compliance
To comply with the regulation, the following measures must be implemented in mobile app design, installation and usage:

1. Determine whether the app really needs all of the data - Only save, use and process the data that is necessary for the app's purpose, to limit what can leak and to maximize the chances of obtaining user consent. This is referred to as data minimisation.

2. Inform the user and obtain consent - Users will have to agree to a list of the personal data the mobile app wants to use, the period of time for which the data is stored and the purpose of the data usage. Users must be informed of any data sharing with third parties (SDKs). Communication must be clear and straightforward. The consent request must be presented before any processing begins, in practice on first launch and before any data-collecting SDK is initialised, since the app store installation flow offers no place for it. Consent should be specific, expressed through an active choice (no pre-ticked boxes) and freely given, and it should be granular: a separate choice for every category of personal data the app would access and use. No data may be read or collected from the user's device until the relevant consent has been obtained.

3. Respond to user requests - Accurate information should always be provided to the user. The options for users to question data usage, withdraw consent (for each category of personal data) and have their data erased must be easily accessible from within the app. When a user requests that their data be deleted, there must be no way for data processors to later recover that data, even from backups.

4. Encrypt user data - Ensure personal information is encrypted with proper, strong algorithms (a modern authenticated cipher such as AES-GCM, with keys kept separate from the data) to limit the impact of data breaches. If the leaked data is encrypted well enough that it is unintelligible to whoever obtained it, the breach is far less damaging and, under Article 34(3)(a), the business is not required to notify the affected users; the supervisory authority must still be notified within 72 hours.

5. Ensure users are updated about security incidents - Users (and the national supervisory authority) must be kept in the loop about security breaches and data leaks. This gives users the opportunity to request data deletion and the authorities the ability to locate the source of the leak.

6. Know your technology - Continuously assess the app's current situation. Ensure that initiatives that would render the app non-compliant are stopped. In addition, take care to prevent the app from communicating personal data to a third party in a way that could expose the app to data breaches. If SDKs have been integrated into the mobile app and those SDKs try to access identifying data, the app publisher is still responsible for the data collection and usage. Validating the compliance of every component that goes into the app becomes critical under the GDPR.
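The following Python, added here as an illustration rather than code from SafeDK or from the guide, models guidelines 2 and 3 above in a platform-independent way: an append-only consent record with one decision per data category, withdrawal as a single call, a policy-version check that invalidates earlier consent when the purposes change, and an initialisation step that starts only those SDKs whose every data category is currently consented to. The class names are hypothetical and the SDK inventory is constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class SdkSpec:
    """One integrated SDK and the personal-data categories it reads (hypothetical inventory)."""
    name: str
    purpose: str
    categories: frozenset  # e.g. frozenset({"location", "installed_apps"})


@dataclass(frozen=True)
class ConsentEvent:
    category: str
    granted: bool
    purpose: str
    policy_version: str
    at: datetime


class ConsentLedger:
    """Append-only record of consent decisions, one category at a time.

    Nothing is granted by default (no pre-ticked boxes), the latest decision for a
    category wins, and a decision made under an older privacy-policy version stops
    counting once the policy (and so the purposes) changes.
    """

    def __init__(self, policy_version: str) -> None:
        self.policy_version = policy_version
        self._events: List[ConsentEvent] = []

    def _record(self, category: str, granted: bool, purpose: str) -> None:
        self._events.append(ConsentEvent(category, granted, purpose, self.policy_version,
                                         datetime.now(timezone.utc)))

    def grant(self, category: str, purpose: str) -> None:
        self._record(category, True, purpose)

    def withdraw(self, category: str) -> None:
        """Withdrawing is one call, as easy as granting."""
        self._record(category, False, "withdrawn by user")

    def update_policy(self, new_version: str) -> None:
        """A new policy version invalidates earlier consents; the user must decide again."""
        self.policy_version = new_version

    def is_granted(self, category: str) -> bool:
        for event in reversed(self._events):  # latest decision for this category wins
            if event.category == category:
                return event.granted and event.policy_version == self.policy_version
        return False  # never asked, or asked and ignored: that is not consent

    def receipt(self) -> List[Tuple[str, bool, str, str, str]]:
        """Exportable proof of every decision: category, outcome, purpose, policy version, when."""
        return [(e.category, e.granted, e.purpose, e.policy_version, e.at.isoformat())
                for e in self._events]


def initialize_sdks(ledger: ConsentLedger, sdks: Iterable[SdkSpec],
                    start: Callable[[SdkSpec], None]) -> Tuple[List[str], Dict[str, List[str]]]:
    """Start only the SDKs whose every data category is currently consented to.

    Returns (names started, {blocked name: missing categories}) so the UI can say
    exactly which consent is still needed instead of silently starting collection.
    """
    started: List[str] = []
    blocked: Dict[str, List[str]] = {}
    for sdk in sdks:
        missing = sorted(c for c in sdk.categories if not ledger.is_granted(c))
        if missing:
            blocked[sdk.name] = missing
            continue
        start(sdk)  # the real SDK init call goes here; nothing runs before this point
        started.append(sdk.name)
    return started, blocked


# Constructed sample inventory, standing in for the output of an SDK review.
SAMPLE_SDKS = [
    SdkSpec("CrashReporter", "crash diagnostics", frozenset()),
    SdkSpec("AdNetwork", "personalised advertising", frozenset({"location", "installed_apps"})),
    SdkSpec("SocialShare", "invite contacts", frozenset({"contacts"})),
]

if __name__ == "__main__":
    ledger = ConsentLedger(policy_version="2018-05")
    print(initialize_sdks(ledger, SAMPLE_SDKS, start=lambda s: None))  # only CrashReporter starts
    ledger.grant("location", "personalised advertising")
    ledger.grant("installed_apps", "personalised advertising")
    print(initialize_sdks(ledger, SAMPLE_SDKS, start=lambda s: None))  # AdNetwork now starts too
    ledger.withdraw("installed_apps")
    print(initialize_sdks(ledger, SAMPLE_SDKS, start=lambda s: None))  # AdNetwork blocked again
```

The receipt() output is what you keep (server-side, tied to the account) to demonstrate that consent was obtained, by whom, for which purpose and under which policy text; persisting the ledger and re-running initialize_sdks() on every launch is what keeps a withdrawn consent effective without a new app version.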

Make sure you have everything covered with the following checklist that
summarizes all of the above to prepare your mobile app for GDPR compliance:

• Go over all the data you are requesting from users and analyze whether it is all necessary for the app's purpose

• Rework app flows and screens if you have changed the amount or type of data you are collecting

• List the exact types of consent you need to gain from your users

• Decide whether to ask for each type of consent separately or all together

• If you decide to ask for consent separately, make sure you ask for each consent at the right time and place in the user flow to minimize interruption

• Add an option to your app for users to contact you with questions about their data

• Add an option to your app for users to withdraw their consent per data category

• Add an option to your app for users to have their data deleted permanently from the app

• Decide on the implications for app usage for users who withdrew consent or asked for their data to be deleted

• Ensure deleted data cannot be recovered by you or by 3rd parties that access the app, not even from backups or servers

• Make sure the data you are collecting is properly encrypted, segregated and protected to minimize data breaches

• Develop a mechanism for quickly informing users and authorities of data breaches (email, push notification, etc.)

• The notification mechanism should also include the ability to provide support and answer user questions following a data breach (FAQs, WhatsApp support, etc.)

• Develop a monitoring process that can identify potentially non-compliant activities as early as possible, so they can be stopped

• Make sure that the SDKs (or any other 3rd party) you work with are GDPR compliant, and monitor this continuously to detect potential problems as soon as possible and avoid risky exposure and liability (our SDK questionnaire, later in this guide, can help with this task)

• Put in place enforcement and monitoring measures for all the policies and processes you develop for GDPR compliance

• If you have a EULA, make sure all the changes and compliance processes are communicated properly

• Consider adding a GDPR compliance officer to your team
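The checklist item on making deleted data unrecoverable even from backups is usually met with crypto-shredding: every user's records are encrypted under a per-user key that lives in a key store and is never copied into the data backups, so destroying that one key renders every copy of the user's ciphertext, old backups included, permanently unreadable. The Python below is an added example written for this guide, not SafeDK's code. Its seal()/unseal() routines use an HMAC-SHA256 keystream with an encrypt-then-MAC tag only to stay dependency-free and stand in for a vetted AEAD such as AES-GCM, which is what a real app should use; the store, backup and user names are constructed.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(dek: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one data-encryption key (DEK)."""
    return hmac.new(dek, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real AEAD cipher)."""
    blocks = [hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(dek: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(dek, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(dek, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(dek: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(dek, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record tampered with or wrong key")
    stream = _keystream(_subkey(dek, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class UserDataStore:
    """Per-user keys live in the key store; only the records dict is ever backed up."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}                 # key store (KMS/HSM in production)
        self.records: Dict[str, List[bytes]] = {}        # primary data store, sealed blobs only
        self.backups: List[Dict[str, List[bytes]]] = []  # snapshots taken by the backup job

    def store(self, user_id: str, plaintext: bytes) -> None:
        dek = self.keys.setdefault(user_id, os.urandom(32))  # first record creates the key
        self.records.setdefault(user_id, []).append(seal(dek, plaintext))

    def read(self, user_id: str) -> List[bytes]:
        return [unseal(self.keys[user_id], blob) for blob in self.records.get(user_id, [])]

    def take_backup(self) -> None:
        self.backups.append({uid: list(blobs) for uid, blobs in self.records.items()})

    def erase_user(self, user_id: str) -> None:
        """Right to erasure: delete the primary rows and destroy the key. Copies of the
        ciphertext may survive in backups, but without the key they are unreadable."""
        self.records.pop(user_id, None)
        self.keys.pop(user_id, None)  # in production: destroy in the KMS and log the event

    def restore_from_backup(self, index: int, user_id: str) -> List[Optional[bytes]]:
        """What a restore can give back for a user: plaintext if the key still exists,
        otherwise one None per surviving (undecryptable) blob."""
        blobs = self.backups[index].get(user_id, [])
        dek = self.keys.get(user_id)
        if dek is None:
            return [None] * len(blobs)
        return [unseal(dek, blob) for blob in blobs]
```

The property worth checking is the last one: after erase_user(), a restore of an older backup still contains the user's blobs but can no longer turn them back into personal data, while other users' records restore normally. The same applies to copies an SDK vendor holds only if the vendor's data is keyed the same way, which is a question for the SDK questionnaire rather than for this code.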

GDPR compliance issues - Actionable solutions for 3rd party SDKs
"In our increasingly interconnected workplace, companies must consider not only their own system integrity but also the system integrity of any other party with access to their computer systems," says Steve Durbin, managing director of the Information Security Forum. "Hackers will seek the weakest link, and that link is often a third-party provider. A company's robust internal practices and policies may be futile if the company's vendors are not secure."

As GDPR enforcement day draws near, mobile app developers must deal with the third-party (SDK) vendors that can access their users' data. Any third parties or organizations that will use the users' data must be explicitly listed in the privacy notice and consent form, according to the GDPR guidelines. This is because, as mentioned above, the controller is fully responsible for the readiness and conduct of the processors that store or use the personal data of people in the EU. App owners need to mitigate the risk and stay in control of the SDKs they work with. Here is how to effectively manage the main issues covered:
• Identify and study all relevant SDKs you are working with to understand what data is collected, stored and processed, how well each SDK protects personal data, and how they are working towards becoming GDPR compliant.

• Out of the data collected by the SDKs you are working with, determine which data items are indeed necessary for your app's functionality.

• Work with the SDK company to eliminate collection of unnecessary data.

• Make sure that the SDK has adequate security measures to ensure the safety of your users' data.

• Understand the exact path the data takes during the processing lifecycle to ensure adequate security is implemented at each stage.

• Include strict confidentiality, data privacy and data residency clauses in any contract drawn up with an SDK vendor (GDPR Article 28 requires a written contract with every processor).

• Use tools like SafeDK to monitor, control and manage risks associated with the SDKs you work with.

Want to check if your SDKs are GDPR compliant?
We have prepared a GDPR-Readiness Questionnaire just for you. It asks all the important questions to evaluate whether your SDKs are GDPR-ready and will not add any unnecessary exposure to your mobile app. You can access the questionnaire here.

SAFEDK HELPS MOBILE APPS WITH SDK-RELATED GDPR COMPLIANCE

This coming May, the GDPR will change the way data is handled by organizations and enterprises. Data protection regulations will better protect users and hopefully prevent personal data breaches. To comply with the new regulations and avoid steep fines, companies, including mobile apps, will have to modify their data processing and storage practices, which will include third-party services (SDKs).

SafeDK helps mobile apps with their SDK-related GDPR compliance:

1. Assess initial SDK-related exposure - SafeDK identifies, using static analysis techniques, which SDKs are accessing private user data. These are the SDKs that need to be closely monitored.

2. Monitor all your SDKs, 24/7 - SafeDK monitors SDK activity in your app around the clock and provides real-time alerts regarding personal data access.

3. Act in real time and protect your app - Our patent-pending technology enables you to instantly turn off SDKs, or disable permissions of specific SDKs when needed, with no need for a version update.
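For publishers who want a first-pass view of the exposure that item 1 describes, the following Python is an added example written for this guide, not SafeDK's static analysis, of the simplest form of the technique: search decompiled or source code for the Android APIs that read each private-data category, attribute each hit to the SDK package it lives in, and mark which categories sit behind a user-revocable runtime permission and which, like the installed-apps list on Android versions before 11, do not. The sample source tree is constructed; the API and permission names are real Android ones, and the signature table is deliberately small.

```python
import re
from typing import Dict, List

# Android APIs that read each category (extend as your SDK review finds more).
API_SIGNATURES: Dict[str, List[str]] = {
    "location": [r"\bLocationManager\b", r"\bgetLastKnownLocation\(",
                 r"\brequestLocationUpdates\(", r"\bFusedLocationProviderClient\b"],
    "installed_apps": [r"\bgetInstalledPackages\(", r"\bgetInstalledApplications\(",
                       r"\bqueryIntentActivities\("],
    "contacts": [r"\bContactsContract\b"],
    "accounts": [r"\bAccountManager\b", r"\bgetAccounts(ByType)?\("],
    "calendar": [r"\bCalendarContract\b"],
    "microphone": [r"\bAudioRecord\b", r"\bMediaRecorder\b"],
}
COMPILED = {cat: re.compile("|".join(pats)) for cat, pats in API_SIGNATURES.items()}

# Runtime (user-revocable) permission that gates each category; an empty set means the
# data can be read with no permission the user can deny (installed apps, before Android 11).
RUNTIME_PERMISSION: Dict[str, set] = {
    "location": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
    "installed_apps": set(),
    "contacts": {"android.permission.READ_CONTACTS"},
    "accounts": {"android.permission.GET_ACCOUNTS"},
    "calendar": {"android.permission.READ_CALENDAR"},
    "microphone": {"android.permission.RECORD_AUDIO"},
}


def owner_of(path: str, app_package: str) -> str:
    """Attribute a source file to the app itself or to the SDK package it belongs to."""
    if path.startswith(app_package.replace(".", "/") + "/"):
        return "app"
    parts = path.split("/")
    return ".".join(parts[:2]) if len(parts) >= 3 else parts[0]


def scan_sources(sources: Dict[str, str], app_package: str) -> Dict[str, Dict[str, List[str]]]:
    """owner -> category -> ['path:line', ...] for every sensitive API reference found."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    for path, text in sources.items():
        owner = owner_of(path, app_package)
        for lineno, line in enumerate(text.splitlines(), start=1):
            for category, pattern in COMPILED.items():
                if pattern.search(line):
                    findings.setdefault(owner, {}).setdefault(category, []).append(f"{path}:{lineno}")
    return findings


def sdk_exposure(findings: Dict[str, Dict[str, List[str]]]) -> Dict[str, Dict[str, dict]]:
    """Per SDK (the app's own code excluded): the categories it touches, the call sites,
    and whether the user can revoke that access through a runtime permission."""
    report: Dict[str, Dict[str, dict]] = {}
    for owner, categories in findings.items():
        if owner == "app":
            continue
        report[owner] = {
            cat: {"sites": sites, "user_revocable": bool(RUNTIME_PERMISSION[cat])}
            for cat, sites in categories.items()
        }
    return report


# Constructed sample tree: app code, an ad SDK and a crash reporter (decompiled Java).
SAMPLE_SOURCES = {
    "com/example/app/MainActivity.java":
        "package com.example.app;\n"
        "import android.location.LocationManager;\n"
        "public class MainActivity {\n"
        "  LocationManager lm;\n"
        "}\n",
    "com/adnet/sdk/Collector.java":
        "package com.adnet.sdk;\n"
        "class Collector {\n"
        "  void run(Context ctx) {\n"
        "    Location l = lm.getLastKnownLocation(\"gps\");\n"
        "    List<PackageInfo> apps = ctx.getPackageManager().getInstalledPackages(0);\n"
        "  }\n"
        "}\n",
    "com/crashlib/Reporter.java":
        "package com.crashlib;\n"
        "class Reporter {\n"
        "  void report(Throwable t) { /* stack trace only, no personal data */ }\n"
        "}\n",
}

if __name__ == "__main__":
    for sdk, cats in sdk_exposure(scan_sources(SAMPLE_SOURCES, "com.example.app")).items():
        for cat, info in cats.items():
            gate = "user-revocable" if info["user_revocable"] else "NO permission gate"
            print(sdk, cat, gate, info["sites"])
```

A text match is evidence of capability, not of actual collection at runtime (reflection, obfuscated names and dead code all defeat it in both directions), which is why the guide pairs static assessment with runtime monitoring; the value of even this crude pass is that it hands you the list of SDKs and categories to put in front of the vendor and in the consent screen.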

When it comes to SDK-related GDPR compliance, play it safe with SafeDK.

Contact us
Contact us to discuss how we can help your mobile app comply with GDPR.

* Please note that the above references and recommendations are intended to assist you, but should not be viewed as professional advice or guidance. It is up to you to take any measures that you see fit, upon consulting with professional consultants of your choice.

www.safedk.com
