Before I start, I would like to thank PreEmptive for inviting me to write a guest post.
I would like to start my blog with a discussion about the growing cyber threats worldwide. I assume readers are well aware of cyber threats and how they are addressed by people, processes, and technology. The continuous planning and advancement of security in the cyber world, applications included, makes for interesting reading. In this post, I would like to discuss how companies can support mobile application security for better and safer use of stored data.
Mobile apps are inevitably required to meet standards and guidelines to ensure that the stored data is secure within the apps. Being compliant gives that assurance to app users across the globe that their personal and sensitive data is secured by the apps they frequently use.
Let me discuss this in context with a recently established privacy regulation, GDPR. The General Data Protection Regulation, or GDPR, is an Act established in 2016 by the European Union. In May 2018, the GDPR Act became effective for companies that collected or processed EU citizen data. It is a privacy regulation that deals with the identifiable information of the citizens of the European Union and the protection associated with it.
The General Data Protection Regulation Act regulates several ways in which any mobile application developer on any platform can process and control users’ data. The most important requirement for GDPR is to have a lawful basis for processing any personal data provided by EU users using any application. That means no app can store, collect, or process users’ data without consent. It is obvious that when an app developer collects or processes the user’s personal data, they need consent and a clearly defined objective.
Six lawful bases (mentioned under Article 6 of GDPR) can be considered while developing an application. These bases are Consent, Contract, Legal Obligations, Vital Interest, Public Task, and Legitimate Interests.
The GDPR Act consists of 99 articles recorded in 11 chapters. Two relevant Articles, Articles 25 and 32, address App Security and Data protection for users.
Article 25: Data Protection by Design and Default – This principle states that data processors and controllers must consider privacy while designing the application, new system, or processor.
Article 32: Security of Processing – This principle states that application developers, data controllers, and processors are required to implement necessary and sufficient organizational and technical measures to assure the integrity of processing data and deploy a level of security appropriate to the risk of breach, loss, unlawful destruction, or modification of data.
What should you know as an app developer? At Secureflo, we have discussed this with some of our clients. My advice would be to document your overall design and development process, make the application transparent, test the integrity of data, and review source code for vulnerabilities.
Documenting your design makes it easier to comply with regulations like GDPR and fix any risks and vulnerabilities found after the application is developed. Understanding regulations like GDPR and their application to your specific development is complex; work with a security advisor or advisory firm that understands the regulation and its relevance to your data flows. As an app developer, you must be aware of privacy rules that are relevant to applications. GDPR specifically states that when developing an application, you must do the following:
Before you collect personal data from users, you need documented consent. When a user opens your application on a mobile device, they should always be presented with a checkbox for the ‘terms and conditions’ governing the use of the application. Once the user continues the ‘sign-up’ process, they automatically agree to the ‘terms and conditions’ and ‘privacy rules.’ For EU users, these applications require an additional step where the user must “Agree” and “Sign” the terms.
Similarly, Apple’s App Store Review Guidelines are clear that apps distributed through the App Store need users’ permission and/or consent before collecting their personal data. The guidelines also state that collecting data under ‘Legitimate Interest’ is only possible when it is done in compliance with GDPR.
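To make the consent requirement above concrete, here is an added example (my own illustration, not Secureflo’s or PreEmptive’s code) of what “data protection by design” can look like inside an app’s data layer: every purpose for which personal data is collected is mapped to one of the Article 6 lawful bases, consent is recorded with the terms version and timestamp, and the store refuses to accept data for a consent-based purpose unless a current consent record exists. The purpose-to-basis mapping, the user ids and the terms version are constructed for the example; the consent withdrawal method goes slightly beyond the text, reflecting that consent under GDPR can be withdrawn at any time.

```python
"""Consent-gated collection of personal data (added example, not Secureflo's or PreEmptive's code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class LawfulBasis(Enum):
    """The six lawful bases of GDPR Article 6, as listed in the post."""
    CONSENT = "consent"
    CONTRACT = "contract"
    LEGAL_OBLIGATION = "legal_obligation"
    VITAL_INTEREST = "vital_interest"
    PUBLIC_TASK = "public_task"
    LEGITIMATE_INTERESTS = "legitimate_interests"


class ConsentError(Exception):
    """Raised when the app tries to collect data it has no documented basis for."""


@dataclass(frozen=True)
class ConsentRecord:
    """Documented consent: who agreed, to which terms version, for which purposes, and when."""
    user_id: str
    terms_version: str
    purposes: frozenset
    recorded_at: datetime


class ConsentRegistry:
    def __init__(self, current_terms_version):
        self.current_terms_version = current_terms_version
        self._records = {}  # user_id -> ConsentRecord

    def record_consent(self, user_id, terms_version, purposes, agreed):
        # The 'Agree' checkbox must actually be ticked, and for the terms version currently shown.
        if not agreed:
            raise ConsentError("terms and conditions checkbox not ticked")
        if terms_version != self.current_terms_version:
            raise ConsentError("consent refers to an outdated terms version")
        record = ConsentRecord(user_id, terms_version, frozenset(purposes),
                               datetime.now(timezone.utc))
        self._records[user_id] = record
        return record

    def withdraw_consent(self, user_id):
        # Consent can be withdrawn at any time; afterwards no consent-based collection may continue.
        self._records.pop(user_id, None)

    def has_consent(self, user_id, purpose):
        record = self._records.get(user_id)
        return (record is not None
                and record.terms_version == self.current_terms_version
                and purpose in record.purposes)


class PersonalDataStore:
    # Hypothetical purpose -> lawful basis mapping for one app (constructed for this example).
    # Under Article 25 this mapping is part of the documented design; purposes not listed
    # here are not collected at all.
    PURPOSE_BASIS = {
        "account": LawfulBasis.CONTRACT,   # needed to provide the service the user signed up for
        "analytics": LawfulBasis.CONSENT,  # optional, collected only with documented consent
        "marketing": LawfulBasis.CONSENT,
    }

    def __init__(self, registry):
        self.registry = registry
        self.records = []  # (user_id, purpose, field_name, value) tuples actually stored

    def store(self, user_id, purpose, field_name, value):
        basis = self.PURPOSE_BASIS.get(purpose)
        if basis is None:
            raise ConsentError("no documented purpose '%s'" % purpose)
        if basis is LawfulBasis.CONSENT and not self.registry.has_consent(user_id, purpose):
            raise ConsentError("no consent on record for purpose '%s'" % purpose)
        self.records.append((user_id, purpose, field_name, value))
        return basis


def try_store(store, user_id, purpose, field_name, value):
    """Wraps store() so a caller can see why a collection attempt was refused."""
    try:
        return "stored under %s" % store.store(user_id, purpose, field_name, value).value
    except ConsentError as exc:
        return "refused: %s" % exc


if __name__ == "__main__":
    registry = ConsentRegistry(current_terms_version="2024-01")  # constructed terms version
    data = PersonalDataStore(registry)
    print(try_store(data, "user-1", "account", "email", "user1@example.test"))
    print(try_store(data, "user-1", "marketing", "email", "user1@example.test"))
    registry.record_consent("user-1", "2024-01", ["marketing"], agreed=True)
    print(try_store(data, "user-1", "marketing", "email", "user1@example.test"))
    registry.withdraw_consent("user-1")
    print(try_store(data, "user-1", "marketing", "email", "user1@example.test"))
```

The point of the design is that the default is refusal: an undocumented purpose or a missing consent record cannot silently become stored personal data, which is what the “by design and default” wording of Article 25 asks for. A real app would also persist the consent records, since the timestamp and terms version are the evidence that consent was documented.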
Data breaches under GDPR can lead to massive fines for application developers. According to Article 83, an app developer can be fined up to €20 million or 4% of the total annual turnover worldwide, whichever is higher.
GDPR went into effect on May 25, 2018. After one year of operation, nearly 59,000 minor and major data breaches had been reported under GDPR in the UK – the region with the highest number of reported data breaches. The largest fine to date has been £44 million, imposed by the French data regulator on Google for a personal data breach. The following article covers this particular case: GDPR Compliance And The Right to be Forgotten, One Year On.
A preliminary report published by the European Data Protection Board states that over 200,000 cases were filed across 31 countries in the European Economic Area.
As discussed earlier in this post, application developers need to meet guidelines and standards for compliance and data protection. Any app developer must make sure that their app has a clearly defined objective and data flow as it relates to GDPR compliance.
At Secureflo, we provide compliance as a service to help clients meet security and privacy requirements outlined in regulations and standards. Along with the specialized In-App Security solutions offered by PreEmptive Solutions that secure .NET, Android, Java, JavaScript, etc., you can look to us for compliance on an affordable subscription service for small and medium-sized businesses. Secureflo has the expertise and a keen understanding of various compliance regulations. In addition to GDPR, we have worked with HIPAA, PCI, FISMA, CCPA, NYDFS, and 21 CFR Part 11, amongst others. Secureflo works relentlessly to provide the best possible service in security and privacy for your application so that you can increase the value of your application and platform and, in doing so, succeed. We help you succeed by creating trust through security and privacy. As a company, our focus is “Listen, Learn, Innovate”. We look forward to having the opportunity to work with the folks using PreEmptive tools to create value.
Note: As a developer who has developed a compliant application following GDPR, specifically Articles 25 and 32, you need to be aware that this application can have additional vulnerabilities if the device, protocols, business use cases, and data transmission are not performed in a secure and private manner.