
Fueled’s Guide To GDPR For Mobile Applications


The European Union's (EU) General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. It applies to any organization that processes the personal data of people in the EU, wherever that organization is based, and the implications for app developers are especially direct.

GDPR replaces the Data Protection Directive (DPD) of 1995. The regulation gives individuals more control over how companies use their personal data, makes organizations accountable for demonstrating their compliance, and calls for privacy terms and notices written in plain, consumer-friendly language.

Fueled has put together this guide to explain GDPR for mobile app developers and to prepare you for the changes it brings. We bring you up to date on the rules and provide a checklist to help ensure your company is following them.

[Infographic: GDPR for app developers, via Sage.com]

What is General Data Protection Regulation (GDPR)

Most mobile apps gather personal data in some way: location data, profile information, and in many cases data on how users behave within the app. These three threads are the most important for understanding GDPR as an app developer. Keep in mind that identifiers an app handles almost by default, such as advertising IDs, device identifiers and IP addresses, also count as personal data under GDPR.

GDPR Compliance Means Increased Documentation and Transparency

GDPR requires businesses to document how they comply with its data protection requirements and to be able to demonstrate that compliance on request. This means more documentation and more transparency about systems, processes, and procedures. Businesses will need to update their privacy policies to state exactly what personal data they collect, why, and how they protect it, and to make withdrawing consent as easy as giving it.

What Is Privacy By Design

GDPR (Article 25) requires data protection by design and by default. The Privacy by Design (PbD) framework, a seven-point development methodology that treats strong data protection as the standard, default behaviour across all uses and applications, is the usual way to meet that requirement. PbD has seven foundational principles, which are explained in detail by Smashing Magazine:

  • Privacy must be proactive, not reactive, and must anticipate privacy issues before they reach the user. Privacy must also be preventative, not remedial.
  • Privacy must be the default setting. The user should not have to take actions to secure their privacy, and consent for data sharing should not be assumed.
  • Privacy must be embedded into design. It must be a core function of the product or service, not an add-on.
  • Privacy must be positive sum and should avoid dichotomies. For example, PbD sees an achievable balance between privacy and security, not a zero-sum game of privacy or security.
  • Privacy must offer end-to-end lifecycle protection of user data. This means engaging in proper data minimization, retention and deletion processes.
  • Privacy standards must be visible, transparent, open, documented and independently verifiable. Your processes, in other words, must stand up to external scrutiny.
  • Privacy must be user-centric. This means giving users granular privacy options, maximized privacy defaults, detailed privacy information notices, user-friendly options and clear notification of changes.

Consumers Gain More Data Rights

Under the DPD, the EU granted individuals the right to access and correct personal data held by an organization. GDPR builds on this with the right to data portability, which lets individuals obtain their personal data in a machine-readable form and reuse it across different services, and the right to erasure (the "right to be forgotten"), which lets individuals require an organization to delete their personal data in a range of circumstances, for example when the data is no longer needed for the purpose it was collected or when the individual withdraws consent.

Fueled’s Recommended GDPR For App Developers Resources:

  • This podcast provides a 30-minute breakdown that brings to light why everyone from founders to product managers and developers needs to be informed about GDPR: 

GDPR Requirements For App Developers: The Checklist 

GDPR is about holding companies accountable for their data handling and privacy practices. For most apps, compliance comes down to a set of pragmatic steps that align your practices with GDPR's requirements. This is a good starter checklist.

  1. Review Data Mapping
    1. ☐ Review which of your products or services collect and process personal data, including data that the SDKs you embed (analytics, crash reporting, advertising) collect on your behalf.
    2. ☐ Review which of the data you collect is actually necessary for its stated purpose and stop collecting the rest. The less data you collect, the less you need to protect, monitor and eventually delete.
    3. ☐ Document all the touchpoints involved in the data journey, including where data is stored, who can access it and how long it is kept. Try this data mapping exercise to get a better understanding.
  2. Rewrite Your Privacy Policy
    1. ☐ Rewrite your privacy policy. Burying privacy information in long Terms & Conditions pages no longer meets the transparency requirements. You must be clear and specific about the data you collect, why you collect it, and how it is being used.
    2. ☐ Obtain explicit user consent. GDPR requires you to ask for consent upfront, in clear and simple language, and consent must be freely given, specific and informed: pre-ticked boxes and silence do not count, and withdrawing consent must be as easy as giving it. This applies to account creation, contact forms, newsletter subscriptions, marketing conditions etc.
    3. ☐ This is a good example of a new privacy policy.
    4. ☐ Growth & Marketing professionals, this one is for you.
  3. Ensure Data Collection and Storage Systems Are Secure
    1. ☐ Enforce secure communications through HTTPS for all app traffic. On Android, disallow cleartext traffic in the app's network security configuration (cleartextTrafficPermitted="false"); on iOS, keep App Transport Security enabled and do not set NSAllowsArbitraryLoads to true.
    2. ☐ Encrypt all personal data, in transit and at rest. On the device, keep keys in the platform keystore (Android Keystore, iOS Keychain) rather than next to the data they protect. GDPR names encryption as an appropriate security measure (Article 32), and a breach of data that was encrypted with an uncompromised key does not have to be communicated to the affected users (Article 34(3)(a)), although the supervisory authority must still be notified.
    3. ☐ Delete the data of users who cancel your service or exercise their right to erasure, and make sure the deletion reaches every store in your data map: caches, analytics, logs, third-party processors and backups, not only the main database.
    4. ☐ Use this guide to ensure your apps are GDPR compliant
  4. Update Internal and External Notices for GDPR Compliance
    1. ☐ Ensure that your customer contracts and any third-party solutions you use are GDPR compliant. Every vendor that processes personal data on your behalf (analytics, crash reporting, push notification and advertising SDKs) is a processor and needs a data processing agreement with you (Article 28). This GDPR Checker will be a great tool when evaluating the third-party vendors you are working with.
    2. ☐ If you haven't already, assign a team member to handle data protection and privacy monitoring. Some organizations, for example those whose core activity is large-scale, systematic monitoring of individuals, must appoint a formal Data Protection Officer (Article 37).
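As an added example (not Fueled's code and not part of the original article), the following Go program shows how steps 1 and 3 of the checklist can be backed on the server side of a mobile app: a data map of stores holding a user's personal data, each record kept only as AES-256-GCM ciphertext under a per-user data-encryption key, and an erasure routine that deletes the live record from every store and then destroys the user's key. Destroying the key ("crypto-shredding", a technique the checklist does not name) is what makes copies the deletion cannot reach, such as backups, unreadable. The store names, user IDs and sample values are constructed for the example, and the in-memory Vault stands in for a real key-management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// PersonalRecord is one store's copy of a user's personal data: AES-GCM ciphertext plus nonce, never plaintext.
type PersonalRecord struct {
	Nonce, Ciphertext []byte
}

// Store is one entry in the data map (profile database, analytics pipeline, ...); names here are hypothetical.
type Store struct {
	Name    string
	Records map[string]PersonalRecord // keyed by user ID
}

// Vault holds one data-encryption key (DEK) per user; it must live apart from the stores and their backups.
type Vault struct{ keys map[string][]byte }
func NewVault() *Vault { return &Vault{keys: map[string][]byte{}} }

// aeadFor returns AES-256-GCM under the user's DEK, generating a random key on
// first use when create is true. It fails once the DEK has been destroyed.
func (v *Vault) aeadFor(userID string, create bool) (cipher.AEAD, error) {
	key, ok := v.keys[userID]
	if !ok && !create {
		return nil, fmt.Errorf("no key for %s: record is unintelligible", userID)
	}
	if !ok {
		key = make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		v.keys[userID] = key
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts one personal-data value under the user's DEK and stores only the ciphertext.
// The user ID is bound as associated data, so a record moved into another user's row fails to open.
func (s *Store) Put(v *Vault, userID string, plaintext []byte) error {
	g, err := v.aeadFor(userID, true)
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.Records[userID] = PersonalRecord{nonce, g.Seal(nil, nonce, plaintext, []byte(userID))}
	return nil
}

// Get decrypts the user's record. After Erase this fails even for a copy of the
// ciphertext restored from a backup, because the DEK no longer exists.
func (s *Store) Get(v *Vault, userID string) ([]byte, error) {
	rec, ok := s.Records[userID]
	if !ok {
		return nil, fmt.Errorf("no record for %s", userID)
	}
	g, err := v.aeadFor(userID, false)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, rec.Nonce, rec.Ciphertext, []byte(userID))
}

// Erase serves a cancellation or erasure request: delete the live record from every
// store in the data map, then destroy the DEK so that copies the delete cannot reach
// (backups, exported snapshots) become unreadable. Returns the stores that held data.
func Erase(v *Vault, dataMap []*Store, userID string) []string {
	var touched []string
	for _, s := range dataMap {
		if _, ok := s.Records[userID]; ok {
			delete(s.Records, userID)
			touched = append(touched, s.Name)
		}
	}
	delete(v.keys, userID)
	return touched
}

func main() {
	v := NewVault()
	profile := &Store{Name: "profile-db", Records: map[string]PersonalRecord{}}
	_ = profile.Put(v, "user-42", []byte("alice@example.com")) // constructed sample data
	backup := profile.Records["user-42"]                        // snapshot taken before the request
	fmt.Println("erased from:", Erase(v, []*Store{profile}, "user-42"))
	profile.Records["user-42"] = backup // the old snapshot is restored later
	_, err := profile.Get(v, "user-42")
	fmt.Println("read after restore:", err)
}
```

Running it with `go run` erases user-42 from the profile store and then shows the restored backup copy failing to decrypt. The design choice worth copying is the separation: the stores and their backups may keep ciphertext forever, but only the key vault needs to honour the deletion promptly and verifiably.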

More Articles By Bryn Gelbart
