If you’re looking to create an app to streamline or improve your business in some way, you’re going to need to plan to be GDPR compliant from the outset. You have until May 28th 2018 to do this, and can be charged up to 4% of your turnover if you’re found to be acting irresponsibly with customer data.
We recently attended some GDPR training and wanted to share some takeaways. Let’s have a quick look at what creating a GDPR compliant app involves…
Disclaimer: we’re not GDPR experts, so you should seek your own advice from those who are. However, we’re aware of the key elements and are using this knowledge to guide our clients. If any GDPR experts read this and disagree with anything, please leave a comment below. We’ll get it corrected.
1. Get permission for everything
Let’s say you’re a hotel chain and you’re building an app. You want to allow customers to place a booking for a room. When your customer launches the app you ask them to register and login. The usual stuff.
You’re going to probably use that data for lots of things.
- Pre-filling their details as they make a booking.
- Invoicing them.
- Working out their personal preferences so you can show them more relevant offers.
- Mailing them offers once they’re staying at one of your hotels.
- Sending them an SMS reminding them of their reservation.
- Drip feeding them promotional emails.
You need to get consent for all these things. And you need to make it very clear and obvious to the customer what you’re going to do with the data, and what the lawful basis for that is.
When you implement a solution to do this in your app, you can give them one big list of options and a single checkbox saying “I agree”. Or you can break it down and ask for permission at a granular level, purpose by purpose.
2. Only collect what you need
The goal here is to minimise the personal data that you collect.
If your app has registration forms and user profile forms, you need to make sure you have a purpose behind collecting any personal data. Make sure your app only collects the data you need to carry out your processing. If you’re investigated, you’ll be expected to demonstrate why you collect the data and what you use it for. “It might be useful one day” is no longer good enough.
3. Forget customer data quickly
The biggest fines come from misuse of data.
Imagine your hotel booking app captures their phone number so you can send them an SMS reminding them of their check-in date. You need to delete that phone number as soon as you’ve sent the SMS. You need to forget or archive customer information once it’s served its purpose. You don’t want it floating around in your live systems just in case you need it.
Another way of looking at this is to only get the data you need for the job in hand. Then get rid of it.
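One way to build the “forget it once it’s done its job” rule into the hotel app’s SMS-reminder flow is to store each personal-data item together with the purpose it was collected for and a hard expiry. The following is an added example, not code from the post; the store, the `send_sms` callback and the phone number are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed in-memory store (hypothetical, not the post's code). Every item is
# bound to one purpose and one expiry, so nothing "floats around just in case".

class PurposeBoundStore:
    def __init__(self):
        self._items = {}  # (user_id, field) -> {"value", "purpose", "expires_at"}

    def put(self, user_id, field, value, purpose, ttl, now):
        # ttl: how long the purpose can reasonably still need the value.
        self._items[(user_id, field)] = {
            "value": value, "purpose": purpose, "expires_at": now + ttl,
        }

    def use_once(self, user_id, field, purpose):
        """Hand the value to the purpose it was collected for, then forget it."""
        item = self._items.get((user_id, field))
        if item is None or item["purpose"] != purpose:
            # Data collected for the reminder must not quietly serve another purpose.
            raise PermissionError(f"{field} was not collected for {purpose}")
        value = item["value"]
        del self._items[(user_id, field)]  # used -> deleted immediately
        return value

    def sweep(self, now):
        """Delete anything whose purpose was never fulfilled before its expiry."""
        expired = [k for k, v in self._items.items() if v["expires_at"] <= now]
        for key in expired:
            del self._items[key]
        return len(expired)

    def holds(self, user_id, field):
        return (user_id, field) in self._items

def send_checkin_reminder(store, user_id, checkin, send_sms):
    """Reminder job: fetch the number for its purpose, send, and it is gone."""
    phone = store.use_once(user_id, "phone", purpose="sms_reminder")
    send_sms(phone, f"Reminder: your check-in is on {checkin:%Y-%m-%d}")
```

The sweep covers the other failure mode: a booking that is cancelled before the reminder ever fires, so the number would otherwise sit in the live system forever.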
4. Create a paper trail
A good way to start your GDPR compliance is to arrange to walk through all your business processes that involve customer data and map it out. Then look for places where you need to get consent. Then look for places where you need to “let go” of the data after it’s used. Document the entire process. Repeat it every year.
This way, if anyone complains, you’ll have evidence showing you’re taking GDPR very seriously and are less likely to end up getting a fine.
5. Ask their permission again when things change
If you change how you want to use their data, you have to get permission again. So you need a way for the app to request permission to use data in the new ways you want to use it. This is fairly trivial, but important to remember.
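Sections 1 and 5 together describe a consent ledger: one record per user per purpose, each purpose carrying its own lawful basis, and a version number that is bumped whenever the use of the data changes so the app knows to ask again. The block below is an added example written for this post, not the post’s own code; the purpose catalogue, the basis names and the `ConsentLedger` API are all assumptions.

```python
import copy
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed purpose catalogue for the hotel app (hypothetical, not from the post).
# Each purpose has its own lawful basis and a version; a version bump means
# "we changed how we use this data" and forces a fresh consent request.
PURPOSES = {
    "prefill_booking": {"basis": "contract", "version": 1},
    "invoicing": {"basis": "legal_obligation", "version": 1},
    "sms_reminder": {"basis": "consent", "version": 1},
    "promo_email": {"basis": "consent", "version": 1},
}

@dataclass
class ConsentRecord:
    purpose: str
    version: int       # catalogue version the user actually saw when deciding
    granted: bool
    recorded_at: str   # ISO-8601 UTC timestamp, kept as evidence (the paper trail)

class ConsentLedger:
    """Per-user, per-purpose consent store with versioned purposes."""
    def __init__(self, purposes):
        self.purposes = copy.deepcopy(purposes)
        self._records = {}  # (user_id, purpose) -> ConsentRecord

    def record(self, user_id, purpose, granted, now=None):
        meta = self.purposes[purpose]  # KeyError for an unknown purpose is intended
        ts = (now or datetime.now(timezone.utc)).isoformat()
        self._records[(user_id, purpose)] = ConsentRecord(
            purpose, meta["version"], granted, ts)

    def republish(self, purpose):
        """Call when the way you use the data for this purpose changes."""
        self.purposes[purpose]["version"] += 1

    def may_process(self, user_id, purpose):
        meta = self.purposes[purpose]
        if meta["basis"] != "consent":  # contract / legal obligation: no tick-box needed
            return True
        rec = self._records.get((user_id, purpose))
        # Missing, withheld, or given for an older wording of the purpose: not allowed.
        return bool(rec and rec.granted and rec.version == meta["version"])

    def pending_requests(self, user_id):
        """Consent purposes the app must ask (or re-ask) about at next launch."""
        return [p for p, m in self.purposes.items()
                if m["basis"] == "consent"
                and (self._records.get((user_id, p)) is None
                     or self._records[(user_id, p)].version != m["version"])]
```

A recorded “no” is deliberately not in `pending_requests`, so the app does not nag someone who has already declined; only a new purpose or a changed one triggers a fresh prompt.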
6. Be secure
When you store data, you need to do it securely. You can be fined up to 2% of turnover if there is a data breach in which somebody gets hold of private customer data. GDPR acknowledges that cyber attacks are commonplace these days and sets a smaller penalty for breaches, but you still have to take good modern security practices into account.
Fortunately, creating a secure mobile app is pretty straightforward.
- Send data to the cloud over secure channels (HTTPS)
- Use the local encrypted storage on the phone.
- Practice good cloud security (no root access, whitelisted ssh IPs, 12-factor apps, strong passwords, team password management tools, workplace security, firewalls to reduce attack surface, clean desk policies etc)
7. Be prepared to give people their data
If a customer wants to see all the data you hold about them, you have 30 days to provide it. And you can’t charge for it. Before, you could deter these requests by charging a tenner. Not any more.
8. Avoid capturing confidential data
There are special types of data that need special treatment. Or which you should avoid capturing. These are things like ethnic origin, religion, trade memberships, genetics, health, sexuality, convictions and politics.
The best thing to do is encrypt this data so it’s even more difficult to get at than other data.
9. 3rd parties
You need to make sure that everyone you deal with in business is also compliant. This is your responsibility. If you don’t check and your supplier has a breach, that’s your fault. So, send out supplier assessment questionnaires. Then keep a record of the responses.
If a supplier is outside the EU, protection may not be adequate. E.g. Google uses Privacy Shield, which is generally deemed OK. What about your other non-EU suppliers?
The Data Protection Act was invented in 1990. That’s before the internet took off. Before the iPhone was invented. Well before we put smartwatches on our wrists. And before shops started taking contactless payments. The Data Protection Act is old.
So, despite protecting many of our interests, the Data Protection Act needed updating for our new world. And the replacement will probably be in effect for decades.
GDPR is the new Data Protection Act. It’s a big set of guidelines for how to handle people’s privacy and security. If you’re not seen to be taking it seriously you can get heavily fined.
Need some help?
If you need an experienced mobile development team to implement these changes, or to offer some guidance around what you should do, please get in touch. We’re here to help you make great use of mobile apps to grow and evolve your business.