DEV Community

Vesi Staneva for SashiDo.io

Posted on • Originally published at blog.sashido.io

How to make your Mobile Application GDPR-Ready

At SashiDo we care about our customers and we try to stay ahead of what is coming. We are all working on GDPR these days and we want to help people understand what it is.

What does GDPR mean?

In February we announced that GDPR is coming and that SashiDo.io is getting ready. Now we will be more specific about how to make sure your mobile app is prepared for the changes coming to the European Union.

As the economy becomes increasingly digitized, many companies hold sensitive personal data. They also collect information from various sources to study customer behaviour. That data carries significant risk if it is stolen and abused. The General Data Protection Regulation (GDPR) was therefore introduced to specify how personal data must be used and protected. GDPR was officially adopted by the EU Parliament in April 2016 after a two-year process. It becomes enforceable on 25 May 2018 and applies to everyone processing data about people in the EU, regardless of whether the organization itself is located inside the EU or not.

Nowadays the digitization of everything around us keeps growing, and our private data is more exposed and available than ever before. A revolution is coming, and it is about the protection of personal data on the Internet. To give Europeans stronger assurances about their data and to make organizations more accountable, a continent-wide overhaul of personal data protection was needed.

So this May, Europe's data protection rules will go through a major redesign. The existing Data Protection Directive (and the national laws built on it, such as the UK's Data Protection Act) will be replaced by the General Data Protection Regulation, a framework that changes how businesses and public-sector organizations handle customer personal data, with significantly larger fines for those who fail to comply.

The GDPR is intended to unify data protection for all individuals within the EU under one set of rules, and also to regulate the export of personal data outside Europe. It aims to give control over personal data back to European citizens and residents and to simplify the regulatory environment for international business. According to the EU's GDPR website, the new regulation harmonizes data protection laws throughout Europe, giving people more security and more rights.

Under the new regulation, people will have the right to access the personal data that companies hold about them. Companies will be obliged to obtain clear consent from the people they collect data about, in addition to managing that data better.

Once in force, the new regulation binds every organization holding personal data of people living in the European Union, regardless of where the organization itself is located. That, of course, includes mobile apps.

Organizations must demonstrate that they have made the necessary changes to protect customer data or face heavy fines for non-compliance: up to 20 million euros or 4% of annual worldwide turnover, whichever is higher. Moreover, non-compliant mobile apps risk being removed from the app stores.

We have already started to get ready for the GDPR. We have carried out careful research into the new regulation to gain a thorough understanding of its implications for mobile apps and SDKs.

We want to save you the time of doing the same by sharing what we have found so far. We will, of course, update this guide if anything changes as May 2018 approaches.

It is important to define some key terms. In this article we use the words controller and processor a lot. What do they mean? A controller is the entity that determines the purposes and means of the processing of personal data, while a processor is an entity that processes personal data on behalf of the controller. For example, SashiDo processes both our clients' data and their end-users' data, with strong safety and security guarantees. The controllers, in this relationship, are the mobile app developers who use our platform to build their apps.

Here is a guide for preparing your mobile apps for GDPR:


Main requirements

There are some key requirements you need to focus on:

The right to be forgotten

Under the GDPR (Article 17), individuals have the right to erasure, often called the right to be forgotten. This means a person can ask the controller to erase all of their personal data, and a controller that has shared or published that data must also take reasonable steps to inform the other controllers processing it that erasure was requested.

Explicit Consent

Under the new regulation (Articles 6 and 7), where consent is the legal basis for processing, organizations must request and obtain consent to collect, use and transfer personal data. The request must be presented in a specific, clear and plain form, with no confusing legalese. Consent must be freely given, and people must be able to withdraw it as easily as they gave it.

Notifications for data breach

If an organization's database is breached, the controller must notify the supervisory authority within 72 hours of becoming aware of the breach (Article 33), and must inform the affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms (Article 34). Data processors must notify the data controller of the breach without undue delay. This matters because data breaches can put the rights and freedoms of individuals at risk.

The notification to the authority must at least: describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and personal data records concerned; give the contact details of the data protection officer or another contact point; describe the likely consequences of the breach; and describe the measures taken or proposed to address the breach, including any mitigation. If all of this information is not available at once, it may be provided in phases.

What is new at SashiDo in relation to the upcoming GDPR framework? For your convenience, SashiDo will implement a new feature in our dashboard: a section where you can add the team members (DPOs) responsible for GDPR compliance at your company. If something goes wrong, you will have faster access to the contact details of the person responsible for notifying the authorities.

Privacy by design

Though this isn't a new idea, under the GDPR privacy by design becomes a legal requirement (Article 25). This means security and data protection must be built in throughout the whole project lifecycle. Under the data minimisation principle (Article 5(1)(c)), data controllers must only hold and process data that is strictly necessary for the purpose at hand. In addition, access to the data should be restricted to those employees who need it for the processing.

Data protection officers

Under the GDPR, internal record keeping requirements and the appointment of data protection officers (DPOs, employees in charge of overseeing data protection) become mandatory for certain large-scale processing. DPOs are appointed for their expert knowledge of data protection law and practice. They must be given the resources to perform their role and report directly to the highest level of management.
A DPO must be appointed by: public authorities; organizations whose core activities involve large-scale, regular and systematic monitoring of individuals; or organizations whose core activities involve large-scale processing of special categories of personal data. If your organization does not fall into one of these categories, you are not required to appoint a DPO.

Mobile apps challenges and private user data

Most mobile apps integrate third-party components, SDKs, to add a variety of capabilities. This has become standard practice in the mobile industry, with more than 18 SDKs integrated into the average mobile app. Let's not forget, though, that these SDKs are in effect black boxes of third-party code that developers let into their app, and that code runs with the same ability to access private user data on the end user's device as the app itself.

Recent reports say that mobile apps typically have at least one SDK that tries to access user data such as location, the list of installed apps on the device, contacts, accounts, calendar, the microphone and more. Some of this data, the installed-app list for example, is not protected by any permission that users can grant or deny; it is simply up for grabs. The stated reason for reading the installed-app list is usually so that apps can talk to each other where possible, but in practice this data is also taken for other reasons, such as selling it for targeted advertising. As of February 2018, Google is enforcing stricter rules around access to private user data: apps should only access data essential to their core functionality, or must disclose to the user what data is being collected.

Going back to SDKs: they often don't need user data for their core functionality, and that creates a real exposure for mobile apps under the GDPR's requirements.

As an app developer, you should make sure that the SDKs you work with do not collect and store data in their own databases, or, if they do, that they are prepared to comply with the GDPR once the final guidelines are issued.

You should also make sure your SDKs are prepared to protect your users' data. Include strict confidentiality, data security and data residency clauses in your contracts with SDK vendors, as required.

Now that we have a better understanding of the risks mobile apps have to manage, let's dive into the specific GDPR tips for mobile apps.

GDPR for Mobile Apps


The GDPR meaning for Mobile apps

The GDPR defines "personal data" as any information relating to an identified or identifiable natural person. Identifiers include names, phone numbers and addresses, as well as digital identifiers such as usernames, device identifiers and location data, and the list goes on. The regulation therefore affects practically every organization in some way, and mobile apps are no exception.

App engineers and developers are fully and directly responsible for their users' data. App owners must therefore ensure complete visibility and continuous control over how the app is used and what it does. They should first work out how they collect, store, transfer and use data, and improve security accordingly. Server upgrades and new firewall configurations may also be necessary. Developers and publishers must track changes to the data, as well as digital and physical access to it, which means a complete change history must be kept. Any data that moves between the app and the servers should be encrypted in transit, in addition to proper hashing of user passwords.
How can SashiDo help you with this? We store our customers' data in separate access-controlled databases for each app; if you run multiple apps, each one gets its own database. This mitigates the risk of unauthorized access between applications.
SashiDo staff access to the operating systems is limited and requires username and key-based authentication. Our operating systems do not allow password authentication, which prevents password brute-forcing, theft and sharing.

Useful rules for mobile application compliance

To ensure the data processor can fully comply with all requirements, the following measures must be implemented in the mobile app's design, installation and use.

Determine whether the app really needs all of the data

Only store, use and process the data that is strictly necessary for the app's purpose. This limits what can leak and improves the odds of getting user consent. This is also known as data minimisation.

Inform the user and get consent

Users must consent to a list of the personal data the mobile app wants to use, the period for which the data is stored and the purpose of its use. Users should be informed of any data sharing with third parties (SDKs). Communication must be clear and direct. Mobile apps must present users with a consent form before any data is collected. Consent should be specific, expressed through an active choice and freely given. It should also be granular: a separate consent for each category of user data the app wants to access and use. Consent must be obtained before any data is used or collected from the user's device.
If you don't have the time to build this from scratch, there are tools like ConsentCheq that can help you collect consent from your users.
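One way to back the granular, withdrawable consent described above is to store consent as an append-only ledger rather than a boolean flag, so that you can later show what a user agreed to, when, and on which version of your privacy notice (which Article 7(1) asks controllers to be able to demonstrate). The following Node.js code is an added example, not SashiDo's or ConsentCheq's code; the purpose names, notice versions and the user `user-42` are assumptions made for the illustration.

```javascript
// Added example (not SashiDo's code): an append-only consent ledger.
// Each grant or withdrawal is an immutable event carrying the purpose, the
// version of the notice the user saw and a timestamp. Withdrawal uses the
// same one-call path as granting, so it is as easy to take back as to give.
'use strict';

// Assumed purposes for this example; a real app lists its own data categories.
const VALID_PURPOSES = new Set(['analytics', 'location', 'marketing']);

class ConsentLedger {
  constructor() {
    this.events = []; // only ever appended to; never edited in place
  }

  record(userId, purpose, granted, noticeVersion, at = Date.now()) {
    if (!VALID_PURPOSES.has(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    const event = Object.freeze({ userId, purpose, granted: Boolean(granted), noticeVersion, at });
    this.events.push(event);
    return event;
  }

  grant(userId, purpose, noticeVersion, at) {
    return this.record(userId, purpose, true, noticeVersion, at);
  }

  withdraw(userId, purpose, noticeVersion, at) {
    return this.record(userId, purpose, false, noticeVersion, at);
  }

  // Consent state for a user as of a point in time: per purpose, the latest
  // event on or before `at` wins. Lets you answer "did we have consent when
  // this processing happened?", not only "do we have it now?".
  stateAt(userId, at = Date.now()) {
    const state = {};
    const relevant = this.events
      .filter((e) => e.userId === userId && e.at <= at)
      .sort((a, b) => a.at - b.at);
    for (const e of relevant) {
      state[e.purpose] = { granted: e.granted, noticeVersion: e.noticeVersion, at: e.at };
    }
    return state;
  }

  hasConsent(userId, purpose, at = Date.now()) {
    const s = this.stateAt(userId, at)[purpose];
    return Boolean(s && s.granted);
  }

  // Gate a processing step on consent for its purpose; refuse otherwise.
  withConsent(userId, purpose, fn) {
    if (!this.hasConsent(userId, purpose)) {
      return { processed: false, reason: `no consent for ${purpose}` };
    }
    return { processed: true, result: fn() };
  }

  // Full record for one user, e.g. to answer a subject access request.
  history(userId) {
    return this.events.filter((e) => e.userId === userId);
  }
}

// Constructed sample run: consent given, then location consent withdrawn.
function demo() {
  const ledger = new ConsentLedger();
  const u = 'user-42'; // assumed user id
  ledger.grant(u, 'analytics', 'privacy-notice-v1', 1000);
  ledger.grant(u, 'location', 'privacy-notice-v1', 1000);
  ledger.withdraw(u, 'location', 'privacy-notice-v1', 2000);
  return {
    locationAtGrant: ledger.hasConsent(u, 'location', 1500), // true: withdrawn later
    locationNow: ledger.hasConsent(u, 'location'),            // false
    gated: ledger.withConsent(u, 'location', () => 'sent to maps SDK'),
    analytics: ledger.withConsent(u, 'analytics', () => 'event logged'),
    historyLength: ledger.history(u).length,
  };
}

console.log(demo());
```

Every piece of processing that depends on consent should go through a gate like `withConsent`, including calls into third-party SDKs; a consent flag that nothing checks is just a UI.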

Respond to user requests

Accurate information should always be available to the user. Options to question how data is used, withdraw consent (for each category of personal data) and have data erased should be easy to reach from within the app. When a user asks for their data to be erased, there must be no way for data processors to recover it later, not even from backups.

Encrypt user data

Make sure personal data is encrypted with a proven, strong encryption algorithm to limit the damage from breaches. If data is encrypted well enough that a leaked copy is unintelligible to whoever obtains it, the breach is far less useful to an attacker, and under Article 34(3)(a) the organization may not have to notify the affected individuals. The notification to the supervisory authority under Article 33 is a separate obligation and still applies unless the breach is unlikely to result in a risk to individuals.

Keep users informed about security incidents

Users (and the national supervisory authority) must be kept informed about security breaches and data leaks. This gives users the chance to request deletion of their data and gives the authorities the ability to trace the source of the leak.

Know your technology

Continuously assess the app's current state. Make sure any activity that would make the app non-compliant is stopped. Take care to prevent the app from sharing personal data with a third party in a way that could expose it to leaks. If SDKs are embedded in the app and those SDKs try to access personal data, the app publisher is still responsible for the collection and use of that data. Validating compliance in every component that goes into the app becomes essential under the GDPR.

Checklist


Make sure you have everything covered with the following checklist, which summarizes the points above for preparing your mobile app for GDPR compliance:

  1. Go through the data you request from users and decide whether all of it is strictly necessary for the app's purpose. Use only the data the app really needs.
  2. Adjust app flows and screens if you have changed the amount or type of data you collect.
  3. Make a list of all the consents you need to obtain from your users.
  4. Decide whether to request each kind of consent separately or all at once.
  5. If you request consents separately, make sure you ask for each one at the right time and place in the user's flow, to keep interruptions to a minimum.
  6. Add an option in your app for users to contact you with questions about their personal data.
  7. Add an option in your app for users to withdraw consent per data category.
  8. Add an option in your app for users to have their data permanently erased from the app.
  9. Decide what happens to app usage for users who withdrew consent or requested erasure.
  10. Make sure erased data cannot be recovered by you or by any third party with access to the app, not even from backups or servers.
  11. Make sure the data you collect is properly encrypted, segregated and secured to limit leaks.
  12. Set up a process for quickly notifying users and authorities about data leaks (email, push notification or other).
  13. The notification process should also include the ability to offer help and answer users' questions after a leak (FAQs, chat support and so on).
  14. Set up a monitoring process that can detect potentially non-compliant activity as early as possible, so it can be stopped.
  15. Make sure the SDKs (or any other third parties) you work with are fully GDPR compliant, and monitor this continuously to spot problems as early as possible and avoid risky exposure.
  16. Set up enforcement and monitoring measures for all the policies and procedures you create for GDPR compliance.
  17. If you have a EULA, make sure all changes and consent flows are communicated properly.
  18. Consider adding a GDPR specialist to your team.

An actionable solution for third-party SDKs

As GDPR enforcement day approaches, mobile app developers must deal with the third-party (SDK) vendors that can access their users' data. Every third party or organization that will use the users' data must be listed in the consent form, as the GDPR rules require. This is because the controller is fully responsible for the availability and conduct of the processors that store or use an EU resident's personal data.

App developers need to mitigate the risk and remain accountable for the SDKs they work with. Here is a practical method for dealing with the core issue:

  1. Identify and study all the SDKs you work with to understand what data is collected, stored and processed, how well each SDK protects personal data, and how it is working towards GDPR compliance.
  2. Of the data collected by those SDKs, work out which data is genuinely necessary for your app to work.
  3. Work with the SDK vendor to eliminate the collection of all unnecessary data.
  4. Make sure the SDK has adequate security measures to protect your users' personal data.
  5. Understand the exact path the data takes through its processing lifecycle, to make sure adequate security is in place at every stage.
  6. Include strict confidentiality, data security and data residency clauses in any contract with an SDK vendor.
  7. Use tools to monitor, control and manage the risks associated with the SDKs you work with.
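A concrete place to start step 1 on Android is the merged manifest: every SDK ships its own manifest, and the build merges its `<uses-permission>` entries into yours, so an SDK can gain contacts or location access without any line of your own code asking for it. The Node.js script below is an added example, not SashiDo's code; the manifest text, the app's own permission list and the mapping of permissions to data categories are constructed for the illustration.

```javascript
// Added example (not SashiDo's code): find personal-data permissions that SDKs
// have added to an Android app's merged manifest.
'use strict';

// Assumed mapping: permissions that open access to personal data, and the
// data category each one corresponds to. Extend for your own app.
const PERSONAL_DATA_PERMISSIONS = {
  'android.permission.ACCESS_FINE_LOCATION': 'location',
  'android.permission.ACCESS_COARSE_LOCATION': 'location',
  'android.permission.READ_CONTACTS': 'contacts',
  'android.permission.GET_ACCOUNTS': 'accounts',
  'android.permission.READ_CALENDAR': 'calendar',
  'android.permission.RECORD_AUDIO': 'microphone',
  'android.permission.READ_PHONE_STATE': 'device identifiers',
  'android.permission.READ_EXTERNAL_STORAGE': 'files',
};

// Constructed sample: what a merged manifest looks like after an ad SDK's own
// manifest has been merged in. The comment marks the lines the SDK added.
const MERGED_MANIFEST = `<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <!-- merged from com.example.adsdk (assumed SDK name) -->
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.GET_ACCOUNTS" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
</manifest>`;

// The permissions the app's own source manifest declares (assumed for the example).
const DECLARED_BY_APP = new Set([
  'android.permission.INTERNET',
  'android.permission.ACCESS_FINE_LOCATION',
]);

// Pull every <uses-permission android:name="..."> out of the manifest text.
function parsePermissions(manifestXml) {
  const re = /<uses-permission[^>]*android:name="([^"]+)"/g;
  const found = [];
  let m;
  while ((m = re.exec(manifestXml)) !== null) found.push(m[1]);
  return found;
}

// Split the merged permission set into what the app asked for, what SDKs
// added, and which of the SDK additions touch personal data.
function auditPermissions(manifestXml, declaredByApp) {
  const merged = parsePermissions(manifestXml);
  const fromSdks = merged.filter((p) => !declaredByApp.has(p));
  const personalDataFromSdks = fromSdks
    .filter((p) => p in PERSONAL_DATA_PERMISSIONS)
    .map((p) => ({ permission: p, dataCategory: PERSONAL_DATA_PERMISSIONS[p] }));
  return { merged, fromSdks, personalDataFromSdks };
}

function demo() {
  return auditPermissions(MERGED_MANIFEST, DECLARED_BY_APP);
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it against the real merged manifest (Android Studio's "Merged Manifest" tab shows it, and `aapt dump permissions app.apk` lists the effective set from a built APK). Each permission in `personalDataFromSdks` is a data category you must either justify, get granular consent for and disclose in the privacy notice, or remove by working with the SDK vendor. On iOS the equivalent check is the set of `NS...UsageDescription` keys in Info.plist.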

Need additional info about GDPR?

It is available on the following links:
GDPR FAQ
5 steps to becoming GDPR compliant on mobile apps
What does the EU GDPR mean for your app
The GDPR and mobile application protection
What does GDPR mean for Mobile App Owners - 12 use cases
WTF is GDPR?

GDPR, Sentry, and You
The complete guide to everything you need to know & do to comply
GDPR Email Copy

You are also welcome to contact us over the live chat or send us an email at support[at]sashido.io.

Top comments (1)

Schnell Solutions Limited

Nice article. We also wrote an article on Privacy and GDPR compliance in Custom Software Development here