The General Data Protection Regulation (GDPR) came into effect on May 25 across all 28 EU member states. A set of regulations meant to protect the personal information of EU citizens, noncompliance entails a hefty fine of €20 million or 4 percent of the gross worldwide annual turnover, whichever is greater. The question is, what about mobile data? Well, any company with a global audience that includes a few clients from that region must follow the new law. Unfortunately, when it comes to mobile data, this is not as easy as it sounds.
GDPR takes hold of mobile data
The conversation regarding the impact of GDPR on the mobile environment was overtaken by the expectation that machine-to-machine and telecommunication data would be governed by the ePrivacy Regulation, a new legal framework that updates the ePrivacy Directive. However, complications arose as the ePrivacy Regulation did not progress beyond draft form while the enforcement of GDPR took place across the EU. So, the ePrivacy Regulation serves as nothing more than a distraction from the present state of play. Mobile operators, users, and marketers must, therefore, focus solely on the effects of GDPR across the industry.
How mobile companies intend to proceed
Of course, the logical solution would be for companies to create a mobile plan that manages data and information from EU contacts without bringing their entire operations into compliance. However, this approach breeds numerous complications as treating customers separately based on location is tricky. Moreover, tighter data laws will inevitably come into effect sooner rather than later. Thus, rather than delaying the process, it makes sense to bring all data protocols into compliance right now.
Potential methods to achieve mobile GDPR compliance
- Improve the mobile opt-in process
Most mobile apps have an opt-in process. When a user enables push notifications for an app, they have to opt-in. GDPR steps it up a notch by seeking voluntary consent from users to send messages. So, no more prechecked boxes. Moreover, customers must have full knowledge of how their personal data will be used. The best way to stay 100 percent transparent about data use is to develop a data policy and share the same with customers.
- Request permissions every step of the way
- Maintain a comprehensive list of records
GDPR requires companies to maintain records of consent. While this poses a challenge for several organizations, documents are a must on who gave their consent, when, and how. IT teams can guide companies on how best to manage the records.
- Data deletion on request
If a company wants to adhere to GDPR, it must provide a simple way for customers to unsubscribe from the service. At the same time, users may opt out and be forgotten at any point. Their data will no longer show up on the servers, and no data will move forward.
- Notifying users during an emergency
GDPR makes it mandatory for companies to inform users about any data breach within 72 hours of the occurrence.
Responsibilities of mobile app owners
- Identity of the user
Mobile app users must remember that personal data is any information about a person or personally identifiable information that enables a person to be identified. This principle proves useful during app development planning. Whether the information closely or directly relates to a given person does not matter — if it identifies a person, it must be GDPR compliant. You will know whether your solutions are GDPR compliant when the de-anonymization needs resources and manpower that is disproportionate to the gathered information.
- Content development apps
Apps that allow users to develop content might store some personal data. This must be considered during app development since every user retains the right to request deletion of private information that could result in his or her identification. If a subject’s personal data was posted without their consent, they should get a line to your data protection officer.
- Third-party involvement
Companies that use third-party solutions to support mobile app development must ensure that the third-party solutions are all GDPR compliant. Check the Terms of Service to find out whether their security certificates adhere to GDPR regulations. Otherwise, your company will be jointly held responsible for mobile data leakage caused by the third-party.
- Written contracts
You might wonder whether a written contract is necessary with third parties in charge of processing data. Thankfully, it is not mandatory as the regulations provide a certain degree of freedom. They also introduce the larger concept of “another legal act.” On your part, you need to find out if the provider whose services you are using has a certificate that complies with GDPR norms.
- Data protection officer
Data protection officers are not mandatory for mobile companies. GDPR offers a certain degree of freedom in this aspect. According to the guidelines, a DPO may either be an employee of the processor or the controller, along with a third-party individual from outside this group of employees. This enables companies to enjoy a certain amount of freedom with their options as well as their capacity to decrease costs.
- Email ID login
Even if the app uses just logins and emails without a first and last name, it is treated as personal data. Mass verification methods cannot determine whether an email ID contains personal data or not. Moreover, certain portals ask for nicknames, and they can be linked to other data. So, if you’re unsure about the elements of the application and whether or not they can identify your customer, prepare for the worst.
- Bug reports
If your app has a bug reporting system, make sure the service provider fulfills all the GDPR requirements. Moreover, check what sort of data is present in the reports and who can access them.
GDPR is a major regulation that will require mobile users, operators, and app developers to change their current policy. Sure, it might take some time to implement the procedures fully. But once complete, mobile data practices will go further in meeting the changing needs of consumers and protecting their personal data.
Featured image: Pixabay
More GDPR Preparation articles
- Are you GDPR compliant? Find out here, because what you don’t know will cost you big time
- It’s a small world after all: GDPR across borders
- Why the GDPR's right to erasure may sometimes be wrong
- Personal information under GDPR: What it is — and what it isn’t
- The 6 GDPR privacy principles you must know — now