Are you sending data to insecure third countries?
Becoming GDPR compliant by May 25, 2018 was a great challenge for many companies. Simply getting an overview of the personal data held in company-owned databases and getting control of the processing of that data was a major task for many. As a result, your company may have overlooked whether your mobile app complies with the legal requirements that the GDPR places on the processing of personal data.
Data breaches from mobile apps
When a user downloads your company's mobile app onto a mobile device, the app begins to collect personal information about the user. This data is shared with your company, but along the way it may also flow to third-party data processors, which carries a risk of data breaches.
Information about usage of the app can also be collected through components embedded in the app during development, or via online and cookie identifiers from advertising networks. Furthermore, the users' personal data may be shared with third parties outside the EU/EEA, possibly in an insecure third country, which is not allowed without valid consent. If you share personal data with third parties via your mobile app, you are required to put a data sharing agreement and a data processing agreement in place with each relevant third party.
Data protection authorities across Europe are issuing fines already
Since January 2019, regulators in a number of European countries have issued fines for breaches of the GDPR. Most notably, the French Data Protection Authority CNIL fined Google €50 million for transparency issues, insufficient information and lack of valid consent concerning the personalization of ads.
If you do not have appropriate records and governance of your users' data in place to be able to demonstrate your GDPR compliance, you risk being fined. Recently, the European data protection authorities announced that they will fine violations of the GDPR on a regular basis.
The General Data Protection Regulation defines personal data as any data that can be used to identify an individual, such as a name, phone number or address. It also covers digital information that makes it possible to identify an individual directly from the information you are processing, such as GPS location, online and cookie identifiers, mobile advertising ID, device ID, etc., which can be combined with the behavioral data the app collects continuously about the user.
To avoid abuse or misuse of your users' personal data, your company is required to review its digital content in accordance with GDPR guidelines for data processing. This also applies to your data traffic, registration, processing and storage, as well as to the data processing agreements with your suppliers.
It is all about your users’ trust
An analysis by Ofcom (the Office of Communications) and the UK Data Protection Agency reveals that a large share of British internet users are concerned that their privacy is not sufficiently protected online; for instance, they worry that their personal data is being abused or misused. It is therefore essential that you protect your users' data when they use your mobile app.
Aside from following EU law, offering a GDPR compliant mobile app also maintains and promotes users' trust in your digital service.
How to get started with mobile app compliance
1. Get a complete overview of your app and document its data collection and data processing
You must have an overview of which personal data your app collects directly from the user's device and which of it is transferred to your company or to third parties. Have your mobile app scanned and analyzed with respect to its data collection and data processing.
2. Inform the users of the app about the data collection and data processing
3. Inform the users about when you share their personal data to third-parties
You must inform the users when you share their personal data with third parties. Clarify who receives their personal data and why those recipients process it.
4. You are required to collect the users’ consents
You must collect the users' consent, and the content of the consent form must be sufficient to cover the processing of the users' personal data.
5. Be accessible and available for the users of your app
The users of your mobile app must be able to easily contact your company to gain access to the personal data you store about them.
6. Apply appropriate security measures to protect the users’ personal data
You must implement appropriate technical security measures to protect the personal data processed by your mobile app. Assess whether personal data is stored in a protected format, whether data is shared only over an encrypted connection, and whether the app relies on trusted certificates.
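The transport-layer part of step 6 (encrypted connections, trusted certificates) can be checked against the configuration an app ships with. As an added example that is not part of the original article, the Python script below audits an Android Network Security Configuration file (a real Android mechanism, assumed here because the article does not name a platform). Both configuration samples, and the domain names in them, are constructed for the demonstration: the first contains several weak settings a reviewer should flag, the second is the hardened counterpart.

```python
"""Audit an Android network_security_config.xml for the step 6 transport checks.

Added example, not from the original article. Assumes an Android app that
ships a Network Security Configuration; the XML samples below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: cleartext allowed, user CAs trusted, expired pin-set.
WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example-app.invalid</domain>
        <pin-set expiration="2018-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
        </pin-set>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""

# Constructed hardened counterpart: TLS only, system CAs only, unexpired pins.
HARDENED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example-app.invalid</domain>
        <pin-set expiration="2099-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
"""


def _trusts_user_cas(node) -> bool:
    """True if a <trust-anchors> block directly under `node` includes user-installed CAs."""
    return any(c.get("src") == "user" for c in node.findall("./trust-anchors/certificates"))


def audit_network_security_config(xml_text: str, as_of: str) -> list[str]:
    """Return a list of findings; `as_of` is an ISO date used to judge pin-set expiry."""
    root = ET.fromstring(xml_text)
    findings: list[str] = []

    base = root.find("base-config")
    if base is None:
        # Without a base-config the cleartext default depends on targetSdkVersion
        # (permitted below API 28), so the reviewer must check the manifest too.
        findings.append("no base-config: cleartext default depends on targetSdkVersion")
    else:
        if base.get("cleartextTrafficPermitted") == "true":
            findings.append("base-config: cleartext (unencrypted HTTP) traffic permitted for all hosts")
        if _trusts_user_cas(base):
            findings.append("base-config: user-installed CAs trusted; TLS interception possible")

    for dc in root.findall("domain-config"):
        label = ", ".join(d.text.strip() for d in dc.findall("domain") if d.text) or "<no domain>"
        if dc.get("cleartextTrafficPermitted") == "true":
            findings.append(f"domain-config [{label}]: cleartext traffic permitted")
        if _trusts_user_cas(dc):
            findings.append(f"domain-config [{label}]: user-installed CAs trusted")
        pin_set = dc.find("pin-set")
        if pin_set is not None:
            exp = pin_set.get("expiration")
            # Android stops enforcing pins once the pin-set has expired.
            if exp is not None and exp < as_of:
                findings.append(f"domain-config [{label}]: pin-set expired on {exp}, pins not enforced")

    debug = root.find("debug-overrides")
    if debug is not None and _trusts_user_cas(debug):
        # Only active when the app is debuggable; confirm release builds are not.
        findings.append("debug-overrides: user-installed CAs trusted when app is debuggable")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_network_security_config(cfg, as_of="2018-05-25") or ["no findings"]:
            print(" -", f)
```

The audit is a static check of one file, so it complements rather than replaces the scan of actual app traffic that step 1 calls for: a config can forbid cleartext while an embedded SDK still bypasses it with its own networking stack. The `as_of` parameter keeps the expiry check deterministic for code review and tests.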
Want to ensure your mobile apps are GDPR compliant? Get in touch with our compliance experts.