The EU’s General Data Protection Regulation hits May 25, 2018. And you’re the lucky one responsible for GDPR compliance for your mobile app. You might be on the verge of panic, with questions like, “What do I need to do to achieve GDPR compliance rapidly? How hard is it and how much will GDPR compliance cost my company?” There’s good reason to be nervous considering the potential fines for non-compliance. There’s no sense panicking, though.
Five steps will set you on the path to GDPR compliance:
- Know the Law – For GDPR compliance, EU law takes precedence over US law.
- Data Inventory – What do you have? Where is it? How long do you keep it? Etc.
- Permissions – Direct, explicit consent from EU residents to have and use their data.
- Data Protection Officer – Designate responsibility for continued GDPR compliance.
- Finding a Solution – Safeguard the Six Data Rights of EU Residents.
Step 1. Know the Law – Full Text of the GDPR
On the books since April of 2016, everyone’s had two years to prepare for GDPR’s changes in data protection and privacy for EU residents. In business, we understand “It isn’t a priority until it becomes a priority.” Unfortunately, that’s a poor legal defense. GDPR-Info.eu provides easy navigation and search utility for the full text of GDPR’s 11 chapters and 99 articles.
GDPR applies to you if you engage in any economic activity that may involve the personal data of EU residents. This is the case even if you live outside the EU. It also applies even if you have a small business. Reporting requirements under Article 30 are merely reduced if the data handled and processed by your small business is unlikely to risk the rights and freedoms of EU residents and/or when its handling is only occasional or involves any of the numerous “special categories of data” referenced in Article 9.
Step 2. Conduct a Complete Data Inventory
Data protected by GDPR includes all personal data of a resident of the European Union. To paraphrase Article 4.1, that basically includes “anything that could be used directly or indirectly to identify a person.” In EU law, but not always under US law, that includes IP addresses (like 172.16.254.1).
A thorough inventory of all your data is advised. This means reviewing, in detail, all of the information you collect, keep, store, archive, or process across all your data storage systems. Data storage includes databases, software files, mailing lists, archives, and hard copy files. It includes data stored across all business units, departments, on the cloud, on your own servers, personal computers, laptops, mobile devices and third-party service providers. It’s easier to say GDPR covers all data you have anywhere that could be used to identify a resident of the EU.
You need to know where all private data of EU residents is stored, what information it includes, why you need it, how it is used, how long it is kept, and to whom it may be provided. Fortunately, GDPR has no relevance to data that does not pertain to residents of the EU.
Step 3. Get Permissions from EU Residents to Use Their Data
Over the past few months, you’ve likely been deluged by changes in the privacy policies of mobile apps, websites and online services to which you are subscribed. That is the GDPR at work. The new regulations warrant a prompt update of your own privacy policies for your customers and your employees.
Article 7 of the GDPR covers users’ consent in detail, specifying, “the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.” Moreover, individuals are also able to revoke their consent for you to use their data at any time. Additionally, parental consent must be obtained when processing the data of children under the age of 16.
Step 4. Designate a Data Protection Officer
The GDPR provides considerable latitude on whether or not you should appoint a Data Protection Officer (DPO) under Article 37. The number of customers you have who are covered by the GDPR will be your own guide to whether you need to appoint a DPO or outsource the responsibility. Critical DPO requirements include “expert knowledge of data protection law and practices,” as defined in Article 39, in order to advise the business, supervise compliance and cooperate with supervisory authorities, along with everything those duties imply.
The median income for Data Protection Officers (UK/EU) and Data Security Officers (USA) runs around $90,000 yearly, ranging up to $190,000 for Chief Privacy Officers. Note, however, that a shortage of qualified DPOs is expected. So, expect salaries to increase, and expect to dedicate more effort to retaining data security personnel. Outsourcing DPO services presents a way to scale to your requirements and budget, by the hour or by service package. Small businesses with limited exposure might get by assigning DPO duties to an existing employee, perhaps supplemented by a small service package from a data protection agency.
Step 5. Find and Implement a GDPR Compliance Solution
The main focus of your GDPR compliance effort is to secure the rights of EU residents. The GDPR delineates six essential data protection and privacy rights in Chapter 3. These give your EU customers the following rights:
- Access – to obtain any and all personal data held by you, in a timely manner.
- Rectification – to correct any data held by you, with minimal delay.
- Erasure – the right to be forgotten, unless superseded by law or public interest.
- Restriction of processing – to essentially quarantine their records and data, holding them from further use until they reinstate their permissions.
- Data portability – to receive (and share) their data in “a structured, commonly used and machine-readable format.”
- Objection – essentially, to be excluded from future data collection or processing.
GDPR is clear that you need to make it easy for people to exercise their rights and update their information. If your product or service is highly mobile, that means embedding the means to exercise those rights in your mobile app.
Handling GDPR manually might be trivial if you only have 3-4 EU customers. Start talking hundreds, thousands or millions of customers and you could be facing one hell of a nightmare. Again, issues of personal data control apply to all departments, software, databases, third-party applications, hard copy files, backups and archives!
GDPR Compliance Options
Like it or not, it’s time to get serious about data privacy and security. Ultimately, you will probably be looking at one or more of the following solutions:
- Manual compliance. Low upfront cost, but potentially very labor intensive with ongoing vulnerabilities. This is, at best, a short-term solution.
- Streamline your software and data. Reduce how much data you keep and where you keep it.
- Develop a proprietary solution to work with all the software and file systems used by your company. Expensive and may take several months.
- Outsource to a SaaS GDPR Compliance service provider. Likely the fastest and most comprehensive solution with pricing that should scale according to how many EU residents you have.
While there is a lot more to cover, these five steps should put you on the path to GDPR compliance.
We offer a SaaS solution, GDPR by Design, through our parent company, Provectus. It is based on distributed key management that encrypts Personally Identifiable Information and provides users with complete control over their data. GDPR by Design automates much more, which we will address in greater detail in next week’s article. If you get stuck or would like to talk with an expert about a SaaS GDPR compliance solution, we’d love to help!
Is GDPR Really Necessary?
The Herjavec Group projects cybercrime will cause $6 trillion in damages, annually, by 2021 – effectively 5% of global GDP. Hacking has saturated the news in the United States for the past two years. Something has to be done about the proliferation of hackers, hacking groups and state sponsorship of hacking, not to mention malware and inadvertent software vulnerabilities.
We can’t stop people from trying to hack systems and no one’s trying to ban electronic devices. The only things we can all do are, a) make it more difficult for hackers to gain access to our systems, and b) render unusable anything they manage to steal.
Severe Penalties and Risks of GDPR Non-Compliance
Businesses discovered to not be in compliance with GDPR risk severe penalties. Penalties may run the greater of €20 million or up to 4% of worldwide turnover (i.e., sales volume) if caught. Consider at least five risk points before thinking you can hide from GDPR:
- The risk of getting hacked.
- Some people will go out of their way to prove you aren’t in compliance.
- Vendors may refuse to work with you if their due diligence shows you are not in compliance.
- Government, regulatory and investigative bodies exist to test compliance.
- Thanks to the NSA, CIA and FBI, we know that employees and contractors sometimes also pose a risk with respect to data theft and leaks.
So, yes, don’t panic. But do take this seriously. It may save you from a lot of pain.