What GDPR means for your app

by: | Apr 25, 2018

The General Data Protection Regulation (GDPR) is coming — on May 25, exactly one month from today — and there are a lot of companies that are in a last-minute scramble, trying to understand the specific nuances that relate to their business, their market, and their users.

As a leading app developer for some big global brands, we’ve been diving into what GDPR means for our clients and their mobile apps. I’m not going to try to cover everything here — while I find it fascinating, this could have been a 100,000 word blog post and our marketing team told me to keep this concise and avoid something they lovingly refer to as “legalese,” whatever that means. So, notwithstanding anything herein to the foregoing, I’ll try to keep it at 30,000 feet.

What is GDPR?

GDPR is a law being enacted by the European Union. It’s designed to regulate how governments, businesses, and other institutions (e.g. universities) use personal data across the region, establishing standardized requirements and safeguards to protect residents of the EU, as well as providing an unprecedented level of transparency and ongoing informed consent as to how that data is used.

So, what does GDPR mean for my mobile app?

Well that, of course, depends on the app. But at the highest of levels, you need to be fully transparent to your users about how, EXACTLY, you are collecting and using any personal data about EU residents that flows through the app. This may require you to make UX and UI modifications to document a user’s ongoing informed consent and show how, where, and in what format that data is being stored.

If my app is only published in the U.S. app store, GDPR doesn’t apply to me, right?

Not necessarily. If your app or service is used in the EU, then you may still need to comply with GDPR. That means, theoretically, even if your app is downloaded in a U.S. app store but can be used in Europe, you may still have some responsibility. It depends on the exact use case — and I suspect that ambiguities relating to the application of GDPR both inside the EU and beyond its borders will eventually be clarified through the usual channels: litigation (hopefully not at your expense!), legislation, or regulation.

As the GDPR web portal states: “The GDPR will also apply to the processing of personal data of subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behavior that takes place within the EU.”

Are there examples of what GDPR for apps looks like, in practice?

The most obvious way GDPR will affect mobile apps is the onboarding process. During the app signup process, if you ask for personal information, you need to be clear within the app’s user interface as to how the company will use that data — and then get permission to use the data for each purpose.

Given that these permissions are ongoing and not “one and done,” companies will likely choose to provide a UI solution to allow users to opt out of some or all of the uses to which they previously consented, have their data permanently deleted (“Right to be Forgotten”) or transferred to another controller (“Right of Portability”). Another likely UX solution is to utilize the app for many of the notification requirements of the GDPR (e.g. data breach). This “Privacy by Design” (e.g. UX and UI) is a key tenet of the GDPR and will likely spur an industry-wide leveling up as companies release new, GDPR-compliant versions of their existing applications.

You must also consider the personal data collected by your app that historically has not required consent, such as mobile IDs, IP address, or information related to special categories of data set forth in the regulations. For example, a dating app clearly collects a range of sensitive data under GDPR, thereby triggering even more stringent requirements.

So, what does this look like for a typical consumer app?

Let’s say you are a local services application like Yelp. If you plan to collect and use an email address for a login process — and then use that email address to send an occasional marketing email with restaurant recommendations, you need permission to do so. Ideally, this happens via a separate screen that explains, in clear and unambiguous terms, exactly what you are going to do (or not do) with each piece of data being collected and an active opt-in by the user via checkbox or digital signature.

If you want to send third-party promotions based on past purchase behavior, you need permission (and another screen with a description and permission). If you want to send notifications based on location, you need permission (repeat). Every specific way you plan to use data requires a separate disclosure, an active consent mechanism, and a way for the consumer to revoke consent. And if you later think up yet another way to use data previously collected for a different purpose? You guessed it, you have to go back and get permission for the new use. Suffice it to say, a long-scrolling user license agreement with a single “Agree” checkbox won’t pass muster under GDPR .

Can you explain in simple terms what “controllers” and “processors” are?

A controller is the entity that determines the purposes for and means of collecting and processing personal data. If you have an app or a website — and you’re making the decisions about what is collected, how, and for what purpose, you are a controller.

A processor is an organization that processes personal data on behalf of a controller. For example, it could be third-party services (e.g. analytics, social media, cloud services) that plug into your applications and access or host your customer data (e.g. Amazon Web Services).

What’s important to understand is how each of these parties is liable if there’s an issue. Ultimately, the controller is responsible for safeguarding the data and controlling how the data is managed. But the controller must also have an agreement with a processor — and that agreement will almost certainly pass on some or all of the liability in the event of a GDPR violation related to processing. In some cases, the processor has independant obligations under GDPR, including data security and breach notification. Moreover, the requirements extend to subprocessors of processors, such as subcontractors.

Do I need a Chief Privacy Officer (CPO) or Data Protection Officer (DPO)?

That depends. At a minimum, you should have someone who “owns” your company’s data policies and ensures best practices. For larger companies, this may be a CPO or DPO. Regardless of who it is, this person must review all digital touchpoints that collect consumer data, including web sites, mobile apps, chatbots and voice skills. They need to be comfortable that GDPR regulations are being properly followed, particularly as it relates disclosure and consent in the user experience. Though ArcTouch can’t be the CPO/DPO for our clients, we have been working with them to bring their mobile apps into compliance, implementing UX/UI updates and data storage changes as needed, to hopefully make the CPO/DPO’s job a little easier.

So, what happens to companies that are in violation of GDPR?

Companies in violation of the GDPR can be fined 4% of annual revenue globally. And while this is the “big stick” of these new regulations, companies can still be fined 2% of revenue simply for “not having their records in order” (so make sure your CPO or DPO’s desk doesn’t look like mine).

Do you think something like GDPR will eventually be put into law in the U.S.?

It’s hard to say. But in the wake of recent consumer data scandals like Facebook and Cambridge Analytica, I wouldn’t be surprised to see tougher legislation proposed in the U.S. Most experts to whom I’ve spoken, however, believe odds are slim we would see anything close to the scope of GDPR in the U.S.

Where can I learn more?

Here are a few of the resources that I’ve found to be most helpful:

  • Official GDPR text: The full text of the GDPR, broken down by chapter (WARNING! Admitting you are the only person at your company to have read the entire text of the GDPR is a sure way to be named the new CPO or DPO).
  • EUGDPR.org: A summary of the key changes from the previous law.
  • Adviser Blog: Post explains in depth the roles/responsibilities of Controllers and Processors.
  • Gartner Group blog: Post from Gartner analyst Bryan Yeager reviews the possible impact of GDPR on personalized marketing.
    Wired: Article about the potential impact to different businesses and digital technology.

How do I know if my app is GDPR compliant?

As I said earlier in this post, every app is different. We’re happy to take a look and offer you advice. Contact us to set up a time to talk.