Jun 20, 2018


Mobile Apps Meet GDPR: How To Comply?

Due to the continuing growth of Internet and mobile app usage, we have reached a point at which we don’t really know who has access to our personal data.

Europe’s General Data Protection Regulation (GDPR), which took effect last month, is changing how businesses and public sector organizations can handle customers’ personal data.

The Regulation provides users with more control over their data. The most important changes include a new transparency framework, compliance requirements, and a sanctions system.

But what does it all mean for mobile app providers?

Data mapping

According to the Regulation, organizations must maintain a record of processing activities under their responsibility.

Data mapping lets you identify the information that your organization keeps and how it moves from one location to another.

A data map also helps you see who has access to the data at any given time and who is accountable for it.

Users must be made aware of the reasons why their data will be collected (see ‘Privacy by Design’).


Securing personal data is the basic GDPR requirement.

Mobile apps collect personal, and often sensitive, data. Therefore, the collection of user data via a mobile app must be absolutely secure. Depending on the data type, it might even be necessary to carry out a Data Protection Impact Assessment (DPIA).

The GDPR obliges data controllers to perform a Data Protection Impact Assessment when, according to Article 35(1), the processing is ‘likely to result in a high risk to the rights and freedoms of natural persons’.

Thus, to ensure compliance with the GDPR, the data protection principles should be covered, and any risks have to be identified and treated.


Privacy by design

According to Article 25, data controllers must put technical and organisational measures, such as pseudonymisation, in place to minimise personal data processing.

In short, with the GDPR, businesses must request and receive consent to collect, use and move personal data. In particular, they have to make it clear and transparent to users how and why their personal data will be collected.

It means that all mobile app layers should be evaluated to specify where a user needs to give consent. For example, asking a fitness app user for personal data on age, height, and weight requires an explanation of the exact purpose for collecting it.

Right to erasure

The new regulation gives EU residents the right to data erasure. Users can ask mobile app developers to delete all of their personal data and to stop future publication and processing of the data by third parties.

However, ‘The Right To Be Forgotten’ does not apply universally; it applies only under certain conditions, e.g. when the data has become irrelevant to the original processing purposes.


The GDPR significantly expands the territorial scope of the EU data protection regime.

The new regulation considers not only the location of the processing but also the location of the individual whose data is being processed.

It means the legal framework also applies to companies based outside the EU. Data controllers or processors offering a product or a service to EU residents or monitoring their behavior must adhere to the terms of the GDPR.

Online marketplaces, cloud-based apps, and other apps focused on the international market will in all probability be affected.
