san4opan4o
4 steps developing GDPR-compliant apps

Technological growth has come with an unprecedented increase in the amount of personal data collected by online platforms. For the sake of user privacy, a dedicated law, the General Data Protection Regulation (GDPR), was introduced to improve the data protection practices of businesses operating in the European Union.

Since virtually any mobile application can gather data about user actions, authorities call on companies to inform users about the GDPR (DSGVO in German) and to protect them by minimizing the amount of data collected. To do this, companies are advised to conduct an audit before starting product development. The audit assesses the risks the user is exposed to when the app collects and processes their personal data.

Mobile apps & Personal data protection


The main GDPR message centers around minimizing the amount of personal data that applications collect from users' phones. Mobile apps should process only the information necessary for their functioning.

The law applies not only to EU-based companies but also to every business that can, even in theory, interact with EU residents and gather their data. Thus, compliance is mandatory for every company that brings its applications to the European market.

There are a few steps you should take to develop a GDPR-friendly mobile app.


Dura lex, sed lex: The law is harsh, but it is the law

First things first: you need to know the law and understand what you will have to comply with. The full text of the GDPR is available on the official website, which also offers a convenient guide and a search function for finding specific provisions.

Get user approval


According to the law, all companies that intend to interact with EU-based customers are required to inform them about personal data collection and ask for their agreement. As you can imagine, this data may come from anywhere: analytics, promotions, and logs. The old approach of burying consent in a terms and conditions page no longer works. You may still have such a page, but before gathering any data you have to ask the user explicitly. The question should be simple and clear, with no confusing terms.

This can be implemented as a pop-up window before the application launches. It may scare off a certain percentage of users, but most of them will still proceed with the app.

In addition, you must provide users with the ability to delete their data, and this process should be as simple as possible.

So, what should you include in your mobile app?

  • A message at each app start, warning users about the collection of their data;
  • A notification that the data collection process has begun, explaining what this information will be used for;
  • An option for the user to delete their data if they so wish.

Outline a clear Privacy Policy


According to the GDPR, users must understand how their data is gathered and stored. This understanding is achieved through a clear and well-structured Privacy Policy.

This should not be news to mobile developers, as it is also a requirement of the App Store and Google Play. Applications without a separate Privacy Policy page and the corresponding section in their store listing are removed.

Besides, if your application interacts with any third-party services (analytics, advertising, etc.), this must also be disclosed to users in the Privacy Policy. The developer's task is to make sure that every third-party service with access to the app's user data is itself GDPR-compliant. To confirm this, conclude data processing agreements with all parties involved.

Review all places where data can be stored


User data spreads like a virus to many places. For your application to meet data protection requirements, you need to inventory all user data and understand where it can be stored. This means not only your own databases, but also social network servers, third-party services, advertising agencies, and so on. You will be surprised to learn how much user data ends up stored by third parties.

To facilitate the process, work out a data roadmap. It gives you an understanding of which channels the data comes from, who processes it, and where it finally settles. This is also what lets you respond quickly to any leak and assure users that their data has been deleted everywhere (if they request it).
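As an added example (not code from the original post), here is a minimal data roadmap that combines the consent gating and deletion option from the previous section with the inventory described above: every store fed by a processing purpose is registered, collection is refused without per-purpose consent, and erasure walks every registered store and reports what it removed. All store and purpose names are constructed for illustration.

```python
# Added example: a "data roadmap" registry for consent-gated collection,
# locating a user's data across stores, and deleting it everywhere.
# Store names and purposes below are constructed, not from any real system.
from collections import defaultdict


class DataRoadmap:
    def __init__(self):
        self.consent = defaultdict(set)   # user -> purposes the user agreed to
        self.stores = {}                  # store name -> {user: [records]}
        self.flows = defaultdict(set)     # purpose -> store names it feeds

    def register_store(self, name, purpose):
        """Declare that data collected for `purpose` ends up in store `name`."""
        self.stores.setdefault(name, defaultdict(list))
        self.flows[purpose].add(name)

    def grant_consent(self, user, purpose):
        """Record the user's explicit agreement to one processing purpose."""
        self.consent[user].add(purpose)

    def collect(self, user, purpose, record):
        """Store a record only if the user consented to this purpose."""
        if purpose not in self.consent[user]:
            return False                  # refuse: no consent for this purpose
        for store in self.flows[purpose]:
            self.stores[store][user].append(record)
        return True

    def locate(self, user):
        """List every store currently holding this user's data (leak response)."""
        return sorted(s for s, users in self.stores.items() if users.get(user))

    def erase(self, user):
        """Delete the user from every store, drop consent, report removals."""
        removed = {s: len(users.pop(user, [])) for s, users in self.stores.items()}
        self.consent.pop(user, None)      # future collection needs fresh consent
        return {s: n for s, n in removed.items() if n}
```

`locate` doubles as the answer to "where does this user's data live right now?", which is exactly what a quick leak response needs.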

In conclusion


Let's summarize what you need to remember if you want your mobile application to meet data protection standards and to operate in the European Union.

All companies dealing with EU residents' data must follow the rules above. We again strongly recommend that you read the full text of the law, following the link at the beginning of the article, as well as this more tech-oriented guide. The requirements also apply to companies that give third parties access to such data.

If these rules are not met, the application developer will face serious consequences in the form of fines and loss of user confidence. Compliance, on the other hand, shows that your company values user privacy and makes every effort to protect personal data.
