Is your Mobile App GDPR Compliant? Learn how to secure your App
Published on July 23, 2019 by Jyotin Gambhir
Before I start, I would like to thank PreEmptive for inviting me to write a guest post.
I would like to start my blog with a discussion about the growing cyber threats all over the world. I assume readers are well aware of cyber threats and how they are addressed by people, process, and technology. The continuous planning and advancement of security in the cyber world, including but not limited to applications, is an interesting read. Here, in my blog, I would like to discuss how companies can support mobile application security for better and safer use of stored data.
How does compliance work for App developers?
Mobile apps are inevitably required to meet standards and guidelines that assure the data they store is secure. Being compliant gives app users across the globe the assurance that their personal and sensitive data is protected by the apps they frequently use.
Let me discuss this in the context of a recently established privacy regulation, GDPR. The General Data Protection Regulation, or GDPR, is an Act established in 2016 by the European Union. In May 2018, the GDPR Act became effective for companies that collect or process EU citizens' data. It is a privacy regulation that deals with identifiable information of the citizens of the European Union and the protection associated with it.
The General Data Protection Regulation Act regulates the ways in which any mobile application developer, on any platform, may process and control users’ personal data. The most important requirement of GDPR is to have a lawful basis for processing any personal data provided by EU users of an application. That means no app can store, collect, or process users' data without consent. When an app developer collects or processes a user's personal data, they need consent and a clearly defined objective.
There are six lawful bases (mentioned under Article 6 of GDPR) which can be considered while developing an application. These bases are Consent, Contract, Legal Obligations, Vital Interest, Public Task, and Legitimate Interests.
The Article under GDPR for Mobile App Development
The GDPR Act consists of 99 articles recorded in 11 chapters. Among these, two Articles are relevant here, namely Article 25 and Article 32. These two articles address app security and data protection for users.
Article 25: Data Protection by Design and by Default – This principle states that data processors and controllers are required to consider privacy while designing an application, a new system, or a process. For reference, read the detailed article at https://gdpr-info.eu/art-25-gdpr/.
Article 32: Security of Processing – This principle states that application developers, data controllers, and processors are required to implement necessary and sufficient organizational and technical measures to assure the integrity of data processing, and to deploy a level of security appropriate to the risk of breach, loss, unlawful destruction, or modification of data. For reference, read the detailed article at https://gdpr-info.eu/art-32-gdpr/.
App Security and GDPR Compliance
What should you know as an app developer? At Secureflo, we have discussed this with some of our clients. My advice would be: when developing an application, document your overall design and development process. Make the application transparent; test the integrity of data and review source code for vulnerabilities.
If you document your design, it is easier to comply with regulations like GDPR and to fix any risks and vulnerabilities that are found after the application is developed. Understanding regulations like GDPR and their application to your specific development is complex; work with a security advisor or advisory firm that understands the regulation and its relevance to your data flows. As an app developer, you must be aware of the privacy rules that are relevant to applications. GDPR specifically states that when developing an application, you must do the following:
- Consent of the users – acquire it
- App design – document it
- Access to data – secure it
- Data portability – define it
- Right to be forgotten – provide it
- Data breach – notify
- Implementation of the rules – educate
Before you collect personal data from users, you need documented consent. When a user opens your application on a mobile device, it should always present a checkbox for the ‘terms and conditions’ governing the use of the application. Once the user continues with the ‘sign-up’ process, they automatically agree to your ‘terms and conditions’ and ‘privacy rules’. In the case of EU users, the application requires an additional step where the user must “Agree” and “Sign” the terms.
In general, we recommend following the App Store Review Guidelines for Apple devices. Apple is clear about the fact that apps in the App Store need users’ permission and/or consent before collecting any of their personal data. It also states that collecting data under ‘Legitimate Interest’ is only possible when it is done in compliance with GDPR.
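As an added example (not code from the original post or from Secureflo), here is one way an app backend could document the lawful basis behind each processing purpose and deny processing by default: consent records are versioned against the terms the user accepted, EU users must have completed the explicit agree-and-sign step, and withdrawal (the right to be forgotten) is recorded rather than erased. The six bases come from Article 6 as listed above; the class names, the `CURRENT_TERMS` label and the sample purposes are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import List, Optional, Tuple

class LawfulBasis(Enum):  # the six Article 6 bases the post lists
    CONSENT = "consent"
    CONTRACT = "contract"
    LEGAL_OBLIGATION = "legal_obligation"
    VITAL_INTEREST = "vital_interest"
    PUBLIC_TASK = "public_task"
    LEGITIMATE_INTERESTS = "legitimate_interests"
CURRENT_TERMS = "2019-07"  # hypothetical version label of the current terms
def ts(iso: str) -> datetime:  # small helper so sample timestamps read clearly
    return datetime.fromisoformat(iso)

@dataclass
class ConsentRecord:
    user_id: str
    purpose: str                      # what the data is processed for
    basis: LawfulBasis
    terms_version: str                # terms/privacy rules the user accepted
    granted_at: datetime
    eu_user: bool = False
    explicit_signature: bool = False  # the extra "Agree" and "Sign" step
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:  # append-only: withdrawal is recorded, never erased
    def __init__(self) -> None:
        self.records: List[ConsentRecord] = []
    def grant(self, rec: ConsentRecord) -> None:
        self.records.append(rec)
    def withdraw(self, user_id: str, purpose: str, when: datetime) -> None:
        for r in self.records:
            if r.user_id == user_id and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = when
    def can_process(self, user_id: str, purpose: str, now: datetime) -> Tuple[bool, str]:
        # Deny by default; the most recent record for this user+purpose decides.
        for r in reversed(self.records):
            if r.user_id != user_id or r.purpose != purpose:
                continue
            if r.withdrawn_at is not None and r.withdrawn_at <= now:
                return False, "basis withdrawn; stop processing and honour erasure"
            if r.basis is LawfulBasis.CONSENT:
                if r.terms_version != CURRENT_TERMS:
                    return False, "consent given to outdated terms; ask again"
                if r.eu_user and not r.explicit_signature:
                    return False, "EU user: explicit agree-and-sign step missing"
            return True, "lawful basis: " + r.basis.value
        return False, "no documented lawful basis for this purpose"
```

Every processing path (analytics upload, marketing push, crash report) should call `can_process` with its purpose before touching personal data, so the ledger doubles as the documentation trail Article 25 asks for.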
You don’t want to be fined, do you?
A data breach under GDPR can lead to a massive burden of fines for application developers. According to Article 83, an app developer can be fined up to €20 million or 4% of total annual worldwide turnover, whichever is higher. For reference, see https://gdpr-info.eu/art-83-gdpr/.
GDPR went into effect on May 25, 2018. After one year of operation, nearly 59,000 minor and major data breaches had been reported under GDPR in the UK, the region with the highest number of reported data breaches. The largest fine to date has been £44 million, imposed by the French data regulator on Google for the breach of personal data. The following article covers this particular case: https://www.forbes.com/sites/danpitman1/2019/06/04/gdpr-compliance-right-to-be-forgotten-one-year-on/#20864e6564d2.
A preliminary report published by the European Data Protection Board states that over 200,000 cases were filed across 31 countries in the European Economic Area.
What can Secureflo do for App Developers?
I have already discussed earlier in the blog that application developers need to meet guidelines and standards for compliance and to ensure data protection. It is necessary for any app developer to make sure that their app has a clearly defined objective and a documented flow of user data as it relates to GDPR compliance.
You can get more information from here.
Note: As a developer who has built an application that complies with GDPR, specifically Articles 25 and 32, you need to be aware that the application can still have additional vulnerabilities if the device, the protocols, the business use cases, or the transmission of data are not handled in a manner that is secure and private.