GDPR and How Mobile Should Prepare
It’s not just the EU that needs to worry — GDPR will affect developers at a global level
The European Union’s GDPR, set to take effect on May 25th, 2018, will reach well beyond the EU itself. For mobile developers worldwide it means adhering to a new set of regulations that govern how the data of EU-based users is captured, stored, and managed. It is important to be prepared, as the fines and penalties for a misstep are slated to be devastating.
Let’s jump into the details.
What is the GDPR?
GDPR, or General Data Protection Regulation, is an EU law that is designed to strengthen privacy and protect data for individuals across all EU countries. At its core, GDPR sets in motion new rules designed to give users, specifically EU citizens, control over their data and knowledge of how it is being utilized. Furthermore, it aims to simplify the regulatory environment so both citizens and businesses can fully benefit from the digital economy.
Some of the key privacy and protection requirements include:
- Requiring the consent of subjects for data processing
- Anonymizing collected data to protect privacy
- Providing data breach notifications
- Regulating the transfer of data across borders to ensure a safe procedure
- Requiring certain companies to appoint a data protection officer to oversee GDPR compliance
GDPR will go into effect on May 25th, 2018, and will enforce stiff penalties if the guidelines are not followed.
GDPR Will Affect U.S. Companies
If your company or organization collects or processes the personal data of an EU citizen, you will be required to follow the set regulations including those listed above. Your team will be on the hook to obtain consent from prospects and customers before collecting additional personal data and furthermore, must offer a clear means for deleting their records upon request.
If your company fails to meet any of the newly set regulations, be prepared for a possible EU-imposed fine. GDPR will apply sanctions to U.S.-based businesses through jurisprudence and with the aid of international law.
- U.S. companies with a physical presence in the EU: GDPR can be enforced directly against [U.S. companies] by EU member state authorities.
- U.S. companies without a physical presence in the EU: GDPR addresses this issue for companies that have more than 250 employees or process large amounts of data “by requiring companies without an establishment in the EU … to designate a ‘representative’ located in the EU.”
The reality is that this won’t apply to every U.S. company or organization, just the ones knowingly and actively conducting business in the EU. In this vein, EU courts have the discretionary ability to determine if any U.S. company was purposely collecting EU resident data and subverting GDPR compliance, which can be upheld under international law.
If your team is unsure of how to broach GDPR, Microsoft has put together a guide to assess your team’s GDPR Readiness.
GDPR for Mobile Apps
Because GDPR defines “personal data” as any recorded data that could identify an individual, many mobile apps stand to be affected. Names, phone numbers, and addresses, as well as digital information such as usernames and locations, all count, so publishers will be responsible for the full array of user data at their disposal.
Application owners must begin demonstrating data transparency to their users, including how and why their personal and usage data are being stored. This places the onus on publishers to communicate updates and processes to EU users by May 25th of this year, a measure that GDPR regulators tout as a ‘first step in data security’.
As an additional measure of security, publishers will be fully responsible for tracking the movement of sensitive data including all digital and physical access to it. As such, it will be imperative for publishers to thoroughly document data changes and maintain pristine logs.
The many regulations mandated by GDPR do have the benefit of falling in line with Shockoe’s existing best practices. Data security in an age of rising cybercrime means that the responsibility for securing sensitive information falls into the hands of developers. Any mobile environment that exchanges data between app and server should be encrypted; this is a position that Shockoe always stands by with its clients.
Ready to Prep for GDPR?
Here are a few things for your company to consider regarding your mobile technology in preparation for GDPR deployment in spring 2018:
- Determine which data matters to your team and cut out the less-important fields
- Inform users of GDPR updates and obtain consent to store their data
- Respond to user requests in a timely manner
- Encrypt user data
- Ensure users are updated promptly about security incidents
- Know your technology and potential weak links, and address them with urgency
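Several of the items above (cutting unneeded fields, storing data only with consent, honoring deletion requests, and keeping pristine logs of every access) can be enforced in code rather than by policy alone. The following is an added example written for this article, not code from the original post or from Shockoe: a toy in-memory personal-data store whose writes require recorded consent, whose schema rejects fields outside a minimized set, and whose every access is recorded in a hash-chained, append-only audit log so that any later edit to the log is detectable. The subject identifiers, field names, actor names and sample data are constructed for illustration, and the log keeps only pseudonymous identifiers and field names, never the personal values themselves.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

GENESIS = "0" * 64  # hypothetical starting hash for an empty chain


@dataclass
class AuditEntry:
    seq: int
    actor: str        # who touched the data: a service, an admin, or the user
    action: str       # "consent", "read", "update", "erase"
    subject_id: str   # pseudonymous identifier, never the user's name or email
    fields: List[str]
    prev_hash: str
    entry_hash: str = ""

    def payload(self) -> str:
        # Canonical JSON so every verifier recomputes the same hash.
        return json.dumps(
            {"seq": self.seq, "actor": self.actor, "action": self.action,
             "subject_id": self.subject_id, "fields": sorted(self.fields),
             "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":"))


class AuditLog:
    """Append-only log where each entry commits to the hash of the previous one."""

    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def record(self, actor: str, action: str, subject_id: str,
               fields: Iterable[str]) -> AuditEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = AuditEntry(len(self.entries), actor, action, subject_id,
                           list(fields), prev)
        entry.entry_hash = hashlib.sha256(entry.payload().encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the seq of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return i
            if hashlib.sha256(e.payload().encode()).hexdigest() != e.entry_hash:
                return i
            prev = e.entry_hash
        return None

    def history_for(self, subject_id: str) -> List[AuditEntry]:
        # Everything that happened to one subject's data, for access requests.
        return [e for e in self.entries if e.subject_id == subject_id]


class PersonalDataStore:
    """Toy store: consent gates writes, the schema is minimized, all access is logged."""

    ALLOWED_FIELDS = {"display_name", "email", "city"}  # constructed minimized schema

    def __init__(self, log: AuditLog) -> None:
        self.log = log
        self.consent: Dict[str, bool] = {}
        self.records: Dict[str, Dict[str, str]] = {}

    def grant_consent(self, subject_id: str) -> None:
        self.consent[subject_id] = True
        self.log.record("user", "consent", subject_id, [])

    def store(self, actor: str, subject_id: str, data: Dict[str, str]) -> None:
        if not self.consent.get(subject_id):
            raise PermissionError("no consent recorded for subject")
        unknown = set(data) - self.ALLOWED_FIELDS
        if unknown:
            raise ValueError(f"field(s) outside the minimized schema: {sorted(unknown)}")
        self.records.setdefault(subject_id, {}).update(data)
        self.log.record(actor, "update", subject_id, data.keys())

    def read(self, actor: str, subject_id: str) -> Dict[str, str]:
        record = self.records.get(subject_id, {})
        self.log.record(actor, "read", subject_id, record.keys())
        return dict(record)

    def erase(self, actor: str, subject_id: str) -> bool:
        """Deletion on request: drop the record and consent, keep a content-free log entry."""
        removed = self.records.pop(subject_id, None)
        self.consent.pop(subject_id, None)
        self.log.record(actor, "erase", subject_id, removed.keys() if removed else [])
        return removed is not None
```

In production the log would be written to append-only storage and its head hash anchored somewhere the application cannot rewrite (a signed timestamp, a separate ledger service); the in-memory chain here only shows the shape of the check: `verify()` walks the entries and returns the position of the first one whose hash or back-link no longer matches, which is exactly what a breach investigation needs when deciding whether the access record can be trusted.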
If it’s worth stating, it’s worth restating: Fines can reach up to 4% of global annual revenue or $23,000,000, whichever is higher. With fines this high, organizations run the risk of severe penalty and even catastrophic failure, which is a sign of how seriously the EU is taking consumer privacy through GDPR.
Such a drastic shift in data regulations can be unquestionably daunting and confusing. There are many variables at play and potentially high consequences for not considering them all. If you work for a U.S.-based organization, give us a call or send us an email; we’ll be glad to guide you through the required changes or discuss your specific needs.