GDPR IS COMING:
HOW TO MAKE SURE YOUR
MOBILE APP IS READY
THE COMPLETE GUIDE TO EVERYTHING
YOU NEED TO KNOW AND DO TO
COMPLY WITH GDPR FOR MOBILE
www.safedk.com
© SafeDK 2018 | All rights reserved www.safedk.com 2
INTRO TO GDPR
In the digital era, our private data is far more exposed and available than before. In the past year there have been several massive data breaches, including the leaking of information from millions of Yahoo, LinkedIn and MySpace accounts. To give European citizens stronger privacy protection, and to hold businesses to greater accountability, a continent-wide overhaul of personal data protection was called for.
The new regulation was adopted on April 27th 2016. Businesses and public bodies covered by it were given a two-year preparation period before it becomes enforceable on May 25th 2018.
Here is the complete guide to getting your mobile app ready for GDPR:
GDPR MAIN
REQUIREMENTS
There are several key requirements in the regulation that you have to pay attention to:

The right to be forgotten
Under the GDPR, individuals in the EU have the right to access and control their data. Essentially this means they can request that data controllers delete all of their personal data, halt any future publication of it and, where possible, stop third parties from processing it, should the data become irrelevant to the original processing purposes or should consent to its publication be withdrawn.

Explicit consent
According to the new regulation, businesses must request and receive consent to collect, use and move personal data. This request must be made, and the consent given, in a clear, intelligible and easily accessible form, without any confusing legalese. Individuals must be able to withdraw consent just as easily as they gave it.

Privacy by design
Though this is not a new concept, under the GDPR privacy by design becomes a legal requirement. This means that privacy and data protection must be built in from the start of a project and maintained throughout its life cycle. According to Article 25 of the GDPR (data protection by design and by default), data controllers must by default only hold and process the data that is necessary for each specific purpose of the processing. In addition, data access should be limited to only those personnel in charge of the processing.

Data Protection Officers
Under the GDPR, internal record keeping requirements and the appointment of data protection officers (DPOs, the people in charge of managing data protection) become mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data. DPOs are appointed for their expert knowledge of data protection law and practice. They must be provided with the resources necessary for performing their role and report directly to the highest level of management.
PRIVATE USER INFORMATION CHALLENGES IN THE WORLD OF MOBILE APPS
The chart below, from our latest Mobile SDK Trends Report, shows the percentage of apps that have at least one SDK accessing the following user information:
[Chart: Usage of SDKs That Access Private Data, % of apps. Bar values shown: 56.0%, 52.4%, 41.6%, 40.0%, 29.3%, 28.1%; the category labels are not in the extracted text.]
You can see that 56% of apps have at least one SDK accessing the user's location, and 41.6% of apps have at least one SDK reading the list of apps installed on the user's device. On Android this list is not guarded by any permission that users can grant or revoke; it is simply up for grabs. The stated reason for reading it is usually so that installed apps can communicate with one another where possible, but in practice the information is also accessed for other purposes, such as selling the data for targeted advertising. As of February 2018, Google will start enforcing stricter rules around private user data access, and apps must only access
Going back to SDKs: they often do need user information for their core functionality, but this nevertheless creates potential exposure for mobile apps with regard to GDPR requirements. The chart below gives you an idea of the percentage of SDKs that access specific private user information:
[Chart: SDKs That Access Private Data, % of SDKs. Bar values shown: 26.8%, 25.42%, 16.5%, 15.10%, 8.7%, 7.60%, 6.1%, 5.25%, 5.2%, 4.50%, 3.8%, 3.18%; the category labels are not in the extracted text.]
GDPR FOR MOBILE APPS
GDPR Implications for Mobile Apps
GDPR defines "personal data" as any information relating to an identified or identifiable individual. Identifiers include names, phone numbers and addresses, as well as digital information such as usernames, locations, behaviour and more. The regulation therefore affects all businesses in one way or another, and mobile apps are no exception.

Practical guidelines for mobile app compliance
To ensure that controllers and processors comply with the regulation, the following measures must be implemented in mobile app design, installs and usage:
1. Determine whether the app really needs all of the data. Only save, use and process the data that is absolutely necessary for the app's success, to limit what can leak and to maximise the chances of obtaining user consent. This is also referred to as data minimisation.
Make sure you have everything covered with the following checklist, which summarises all of the above to prepare your mobile app for GDPR compliance:
• Go over all the data you are requesting from users and analyse whether it is all absolutely necessary for the app's success
• Rework app flows and screens if you have changed the amount or type of data you are collecting
• List the exact types of consent you need to obtain from your users
• Decide whether to ask for each type of consent separately or all together
• If you decide to ask for consent separately, make sure you ask for each consent at the right time and place in the user flow, to minimise interruption
• Add an option to your app for users to contact you with questions about their data
• Add an option to your app for users to withdraw their consent per data category
• Add an option to your app for users to have their data permanently deleted from the app
• Decide on the implications for app usage for users who withdrew consent or asked for their data to be deleted
• Ensure deleted data cannot be recovered by you or by 3rd parties that access the app, not even from backups or servers
• Make sure the data you are collecting is properly encrypted, segregated and protected to minimise data breaches
• Develop a mechanism for quickly informing users and authorities of data breaches (email, push notification, etc.)
• The notification mechanism should also include the ability to provide support and answer user questions following a data breach (FAQs, WhatsApp support, etc.)
• Make sure that the SDKs (or any other 3rd party) you work with are 100% GDPR compliant, and monitor this requirement continuously to detect potential problems as early as possible and avoid risky exposure and liability (see our SDK questionnaire later in the guide, which can help you with this task)
• Put in place enforcement and monitoring measures for all the policies and processes you develop for GDPR compliance
• If you have an EULA, make sure all the changes and compliance processes are communicated properly
• Out of the data collected by the SDKs you are working with,
determine which data items are indeed necessary for your
app functionality.
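Two of the checklist items above, withdrawing consent per data category and making deleted data unrecoverable even from backups, can be backed by code rather than policy alone. The following is an added example (not SafeDK's code and not part of the guide): a hypothetical ConsentRegistry that gates every data flow on consent for its category, and a UserVault that encrypts each user's records under a per-user key, so that erasure is done by destroying the key, which leaves ciphertext copies in backups unreadable. That second technique, often called crypto-shredding, is not named in the guide. The category names, class and function names and the sample values are assumptions; the HMAC-SHA256 counter-mode cipher is a standard-library stand-in for AES-GCM and is not a production cipher.

```python
import hashlib
import hmac
import os

# Data categories the app asks consent for (hypothetical names).
CATEGORIES = ("location", "installed_apps", "contacts")


class ConsentRequired(Exception):
    """Raised when data would flow to storage or an SDK without consent."""


class ConsentRegistry:
    """Per-user, per-category consent. Withdrawal is one call, like granting."""

    def __init__(self):
        self._granted = {}  # user_id -> set of consented categories

    def grant(self, user_id, category):
        if category not in CATEGORIES:
            raise ValueError(f"unknown category {category!r}")
        self._granted.setdefault(user_id, set()).add(category)

    def withdraw(self, user_id, category):
        self._granted.get(user_id, set()).discard(category)

    def allows(self, user_id, category):
        return category in self._granted.get(user_id, set())


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a stand-in PRF stream cipher so the
    # example runs on the standard library alone; use AES-GCM in production.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _encrypt(key, plaintext):
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))


def _decrypt(key, blob):
    nonce, body = blob[:16], blob[16:]
    stream = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


class UserVault:
    """Stores each user's records under a per-user key. Erasure destroys the
    key, so any copy of the ciphertext that a backup holds becomes unreadable."""

    def __init__(self):
        self._keys = {}     # user_id -> key; deliberately NOT part of backups
        self._records = []  # (user_id, category, ciphertext); what backups copy

    def store(self, user_id, category, value):
        key = self._keys.setdefault(user_id, os.urandom(32))
        self._records.append((user_id, category, _encrypt(key, value.encode())))

    def read(self, user_id, category):
        key = self._keys.get(user_id)
        if key is None:
            return None  # key destroyed (or never created): nothing recoverable
        return [_decrypt(key, c).decode()
                for u, cat, c in self._records if u == user_id and cat == category]

    def backup(self):
        return list(self._records)  # ciphertext only, keys excluded

    def restore(self, snapshot):
        self._records = list(snapshot)

    def erase(self, user_id):
        self._keys.pop(user_id, None)  # the step that defeats restored backups
        self._records = [r for r in self._records if r[0] != user_id]


def collect(registry, vault, user_id, category, value):
    """Gate every data flow on consent before it reaches storage or an SDK."""
    if not registry.allows(user_id, category):
        raise ConsentRequired(f"no consent for {category!r} from {user_id!r}")
    vault.store(user_id, category, value)
    return True


if __name__ == "__main__":
    reg, vault = ConsentRegistry(), UserVault()
    reg.grant("u1", "location")
    collect(reg, vault, "u1", "location", "52.37,4.89")  # constructed sample
    snapshot = vault.backup()
    vault.erase("u1")
    vault.restore(snapshot)
    print(vault.read("u1", "location"))  # None: key is gone, backup is useless
```

The point of routing every SDK call through `collect` is that a category whose consent was withdrawn stops flowing immediately, without each SDK integration having to check on its own; the point of keeping keys out of `backup` is that the erasure promise in the checklist holds for copies you no longer control.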
SAFEDK HELPS MOBILE APPS WITH SDK-RELATED GDPR COMPLIANCE
www.safedk.com