GDPR compliance checklist for your mobile application

We use mobile applications around the clock and rarely consider how much data we are transmitting over the internet. As the number of internet and mobile app users grows, data theft and misuse of data have become serious issues. Most governments are now very careful about their citizens' data, and this is leading to new data protection policies.

What is GDPR?

“The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).”

By Investopedia

The General Data Protection Regulation (“GDPR”) is a European Union (“EU”) regulation that imposes obligations on companies that collect, store, or process the personal data of EU residents. Any company that holds personal data of EU residents is covered by the GDPR, regardless of the company’s physical location.  

What is personal data?

Personal data is data that can identify someone as a living individual. It doesn’t include anonymized data, i.e., data for which all identifying particulars have been removed.

Data Protection Principles

Under the GDPR, there are six data protection principles with which the Company must comply. These provide that the personal data we hold is:

  1. Processed lawfully, fairly and in a transparent manner.
  2. Collected only for specified, explicit and legitimate purposes.
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
  4. Accurate and where necessary kept up to date.
  5. Not kept in a form that permits identification of individuals for longer than is necessary for the purposes for which the data is processed.  
  6. Processed in a manner that ensures its security using appropriate technical and organizational measures to protect against unauthorized or unlawful processing and against accidental loss, destruction or damage.

What updates do I need to perform to make an application with GDPR compliance?

1) Update your architecture to protect User Data

While building an application, you need to consider the flow of user data and its security when defining your app architecture. Make sure user data is not dumped through APIs or on the UI. Each user should receive only the data they are authorized and explicitly permitted to use in the mobile app.

2) Allow the user to delete the account

The user should be able to delete their account and opt out of having their data used for any other purpose. The user can request all data related to them, such as photos, videos or files that have been uploaded to the server. You also need to provide data such as comments and posts that relate to the user. You need to create a process to return user data as well as delete the user account. Also, describe this process in the application and in the terms & conditions document so the user can use it correctly.

3) Add “Right to Be Forgotten” for the user

The “Right to Be Forgotten” is very simple: the user can request removal of their entire data footprint on our platform. You need to manage this request with a process in which the user verifies that all of their data has been removed from the server. Mention this process in the documentation; you need to submit user data within the mentioned timeline.

4) Specific permission to collect user data

In a mobile app, you need to ask the user for permission to collect their data. You also need to ask permission when you use the user's personal data for any other reason.

When you collect data for advertising, analytics, and other services, the user can opt out of sharing their information. If sharing data is compulsory, you need to state this before the user opts for your service.

5) Data store location

The server location is very important. Many countries insist that their citizens' data be stored in their own country, so that it is not used by others without proper authority. This way you can also always comply with host country policies, as user data will not be shared across the globe without permission.

6) Privacy Policy and Terms

Without a privacy policy and terms, you can’t publish the application on either the App Store or the Play Store. You also need to set out your data protection policies in a specified section so the user can read them properly. State all points specifically, without any abstraction.

7) Data breach notification

You need to maintain trust with your customers. Customer data is the property of the customer, so if it has been misused you need to inform the customer about the breach. You also need to state which specific information has been stolen and how this will affect the customer.


What additional points might you need to consider?

1) API security and local storage encryption

For security, you need to provide an API security policy for user data protection. You also need to provide local storage encryption to protect user data on the user's phone. Maintain a good architecture for storing and managing user data locally.

2) Data sharing policies and framework

If you need to share your data with partner apps, you need to specify this in your policies. Maintain your framework in such a way that user data is used in a proper manner. You need to inform the user about data sharing and allow the user to remove specific access if requested.

3) Data Security Audits

An audit is necessary for maintaining the security of your application. You can include a data audit in your audit framework. You can hire a third-party verification team to maintain your data protection policy. You can share this audit report with the user; this will help your users understand the value of their data.

4) Get privacy policies reviewed by a lawyer or certified professional  

The policy document needs to be drafted carefully. This is because many startup founders use an online template and update it themselves. If you know how to write a good privacy policy then there is no need to worry, but not having a good privacy policy will impact your app. Also, the Play Store or App Store will unpublish your application if the privacy policy and terms are not drafted correctly or miss some points.


Moreover, GDPR compliance for an application is an important issue, and it’s up to its creator to maintain the integrity of the application as well as user data. For an entrepreneur, integrity is a very important aspect. For doing good business, following ethics is crucial. So follow data protection policies irrespective of the need of the hour. Ultimately, customer data is as important as your idea. If you don’t handle it correctly, you will surely lose a customer.