Last update: December 2018

5 mins to read

Is Your Mobile App GDPR Compliant?

Time has run out to prepare yourself for the General Data Protection Regulation (GDPR) which strengthens and unifies data protection for all individuals living within the European Union. GDPR has been enforceable since 25 May 2018 and will not be affected by the UK’s decision to leave the EU. Mobile app owners and publishers should read up on the pending regulation to understand how key changes to the law apply to collecting and processing information and the responsibility surrounding using personal user data within push notifications.

What is GDPR?
The purpose of the GDPR is to give back control to citizens and residents over personal data, and to simplify the regulatory environment within the EU. Personal data is referred to as “Any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computers IP address.” At the time of writing this post, GDPR is a living document of which representatives are working on to expand key areas.

Although key principles of data privacy stand in place from the previous Data Protection Act of 1998 (DPA), the main changes include: request for consent, breach notifications, right to access, right to be forgotten, data portability, privacy by design and need for Data Protection Officers (DPO).

Does this apply to me?
GDPR applies to those considered as ‘controllers’ and ‘processors’. The definitions are similar to the existing DPA; the controller states why and how the personal data is processed, whereas the processor acts on the controller’s behalf. Both controllers and processors with have significantly more legal responsibility over user data, ensuring liability for any data breaches. Any organisation operating or offering goods or services to individuals in the EU can be subject to the GDPR.

Why should I care?
Under GDPR, organisations can be fined up to 4% of their annual global turnover or €20 million (whichever is greater), which is the maximum fine imposed for the most serious infringements. It’s important to note that these rules apply to both data controllers and processors – so clouds will not be exempt from GDPR.

How does it translate to notifications?
When GDPR takes effect, organisations will responsible for informing users or customers of their rights over personal data collected. Mobile app companies will be responsible for not only asking new users to get permission, but many companies will need to re-contact their users to collect permissions again, given changes in law. An initial fear stems from companies which see a high opt-out rate to notifications, doing this part wrong may leave to even more opt-outs. Along with this, any notifications that include sensitive user data may be subject to harsher penalties if a customer is compromised.

For data processors, the obligation to protect controller’s personal user data is far greater.

Takeaway actions
The best way to be compliant with GDPR is to read up on the latest updates at EU GDRP. If your company collects any sensitive user information, be sure you understand the responsibilities, obligations and penalties involved with requesting, collecting, accessing and processing that information. Contact your data processors to ensure compliance as well. Consider further advice and actions if data is breached or compromised pertaining to GDPR. Determine if you’re one of the many organisations who are required to have an appointed DPO to meet internal record keeping requirements.



OpenBack’s trusted solution is already prepared
OpenBack has been aware of GDPR since it was adopted on 27 April 2016 and has taken great lengths to prepare and ensure compliance. The 3 main areas where OpenBack excels past the competition include: user consent, private user data and ‘the right to be forgotten’.

Consent – Valid consent must be explicit for fair processing of sensitive user data. Any child user under the age of 16, must be given consent by the child’s parent or custodian (legal guardian).

Solution – OpenBack offers customisable opt-in message templates to gather permissions from new users and re-collect those from existing users. By customizing the message, mobile apps can explain the need to re-ask for user permissions, leading to a higher percentage of opt-ins.

Private User Data – Personal user data should only be accessible by the owner of the data. They have the right to move, copy or transfer the data freely and securely from one IT environment to the next.

Solution – OpenBack acts as a data processor, meaning that user data is always stored on the user’s devices, never centralised – thus reducing any risk if the customer is compromised. Any additional user data requested by the controller can be pseudonymised (key coded) for greater security.

Right to be forgotten – Referred to as ‘the right to erasure’, this give individuals the right to have personal data erased and prevent further processing under specific circumstances.

Solution – OpenBack supports deletion of user data upon request via dashboard/API. Any anonymous (pseudonymised) data will never be sold to advertisers or researchers.

sources: EU GDPRICO.