The European Parliament and European Council have adopted GDPR i.e. General Data Protection Regulation, which is aimed to strengthen individuals inside the European Union. This regulation came into effect in May 2018. Major firms are complying with it as there is die hard need to safeguard important information of users. Here’s everything about GDPR to give you an idea about what it is and how it works:
What is the significance of the GDPR for the security of the mobile application?
It has become quintessential for the business organizations to secure their private data in order to safeguard their business interests.
If answers to any of the following questions are assertive then you must follow following steps to make your software applications to abide by GDPR compliance services:
- Do European citizens make use of your solution?
- Does your website make use of subscribing function?
- Is there any comments section on your website?
- Are users able to log in to your website with third-party apps?
Areas that need to be focus as part of GDPR Compliance Services
- While transferring data across borders
- Processing of data
- Subject rights of data
- Consent and notice
- Accountability
- Vendor management and third party management
- Communication and transparency of information
- Data storage and security, breach of data and notification of breach of data
- Training and awareness
GDPR Compliance Checklist
Companies need to be careful about few points:
- All procedures, policies and privacy programmes must be reviewed
- Documentation must be prepared after processing the data
- Employees must be given training upon data privacy procedures
- Data subject request, privacy by design and data protection impact assessments must be implemented
- Contracts with third party vendors must be updated
What Steps Must Businesses Follow to Become GDPR Compliant on Mobile Apps?
App development Firms must ensure that all new projects to be undertaken must be GDPR compliant. This will essentially allow citizens of the modern world to regain control of their data. This goal of European general data protection regulation came into effect on 25th May.
1. It must be checked whether all the data that application stores are really important? In order to make the application compliant and future ready, it must ensure that the only very essential data must be collected from users.
2. Data must be encrypted from end to end to avoid any possibilities of the data breach. Encryption helps scramble the data so that it becomes unintelligible for those who don’t have the decryption keys.
3. Making use of HTTPS, which is a secure version of HTTP communication protocol is important to encrypt all the data sent between a client and server that make use of SSL/TLS cryptographic protocols.
4. The user will require to take a clear affirmative action. Therefore, there must not be any pre-ticked opt-in boxes and the consent form will default to a “no” or will be “blank”. The mobile application owner will not be able to force users to actively opt-out.
5. Granular opt-in will be implemented in a way such that if the app owner wants to reach out to his clients for marketing purposes he will have to take their exclusive consent in order to do so. In case he wishes to send a promo email, an offer, a phone or a post, each option would be mentioned in separate opt-in boxes.
6. The name of the third parties to whom the app owner is going to share customer details must be clearly mentioned in the consent form. E.g. – There must be separate checkboxes asking the users – “I’d prefer not to receive any emails from ABC”, “I’d prefer not to receive any emails from XYZ”. In GDPR, there must be separate checkboxes for opting in various services and offers instead of opting out.
7. The app owner will have to ask separately for user-agreement in case of handling personal. E.g. – Terms and Conditions, Contact Permissions (Yes please, I’d like to hear about the offers and services, No thanks, I don’t want to hear about offers and services)
8. App owners are not allowed to hide their terms and conditions as this is not an appropriate practice according to data protection regulation. The users are required to acknowledge that they have read all the terms and conditions and agree to them before getting access to the app.
9. According to GDPR, Mobile Apps must be built in a way such that the users are not bound to use it and can freely unsubscribe and move away at any point of time. They must have the facility to remove their consent at any point in time.
10. Cookies that allow an app owner to identify the users via their devices are absolute subjects to GDPR. Cookies can be used for advertising, analytics and functional cookies that allow websites to remember user preferences. Online identifiers can be combined with unique identifiers and other information received by servers, may be used to create profiles of natural persons and identify them.
11. Security questions that ask users to reveal their personal information must be avoided. Security questions while signing up for new accounts are strictly prohibited under the new law. E.g. – Security questions asked while signing up for the new account, that asks users to disclose their personal information are a big “No” according to new GDPR law.
12. Two-factor authentications that combine a user’s passwords with fingerprints and phone numbers are powerful deterrents for cybercriminals.
13. The system must not make use of IP addresses in the authentication process. With the new protection law, it becomes the responsibility of mobile app owners to inform users if their log contains such data, why and how you store them and for how long will such data persist in your system.
14. All the e-commerce app owners will require explicit consent if they wish to track users preferences and keep an eye on user’s purchase behavior with the inception of new GDPR law. In case users reject tracking, app owners will have to respect their preferences. App owners will not be able to recommend and suggest something to users based on their previous purchase history according to the new law.
15. With new GDPR, users will have the right to delete their accounts with all the personal data. It becomes app owner’s duty to show users that they have deleted their data from all backups and storages.
16. Privacy Review for User Interface – App development firms have to be very clear about how they collect data. They can no longer hide behind a never-ending Terms and Conditions sheet. Considering the privacy of data, all layers of the app must be checked to see if it consents to the needs of the users. Taking an example of fitness, if you are an owner of a fitness app, you must convey the purpose for which you wish to collect all the essential data of the user like height, weight, BMI, Age etc. UI of the mobile app must ensure the privacy of data.
17. System and Data Mapping – It is important to bridge the gap between data and system and object-oriented modeling techniques are the best option to do so. Security of the app always remains a major issue in safeguarding the business.
Articles in GDPR important for Mobile Applications
Two articles relevant to mobile application protection are:
- Article 25: (Data protection by design and by default): This article introduces the principle of data protection design. This enables processors and data controllers to consider privacy during the entire development lifecycle of new systems and processes that make use of personal data.
- Article 32: (Security of processing): This includes implementation of certain technical measures while building an app to ensure the integrity of data, processing systems, and processes. This measure will help in counter-acting accidental risks like destruction and sudden loss, modification of data and disclosure to third parties.
Both these articles have to be strictly adhered or else mobile app development companies will have to pay a fine of up to 2% of the annual worldwide turnover that will be almost Euro 10 million, according to Article 83 (General conditions for imposing administrative fine).
Conciser
Mobile applications are an integral part of almost every business these days. It is important to analyze which process suits best to safeguard the application from vulnerabilities and ensure confidentiality of processed data in the context of the GDPR. Mobile applications can be reverse engineered in no time which enables hackers to have an idea to intrude into the structure of the application, extract information which might include encryption keys, API keys etc. which can further be used to access private data and tamper the application further.
Thus applications must be protected by making use of a dual approach, in order to reverse the engineering and protect user’s data:
- Making use of Runtime application self-protection (or RASP) mechanisms within the mobile applications
- Protecting mobile applications from a man in the middle attacks by ensuring that the server is able to communicate with the intended recipient
- Making use of white box cryptography which ensures that every mobile application has a data encryption key, which cannot be lifted from the application and used to decrypt stored or transmitted data