How Will GDPR Change IT and Mobile App Data Governance?

By Shane Perera / 6 December 2018

GDPR will have an enormous impact on how IT and app development companies handle user data. Compliance can be costly but ultimately ensures the privacy of users' data.

Compliance with GDPR is costly and challenging.

The European Union (EU)'s General Data Protection Regulation (GDPR), launched in May 2018, introduced stricter punishments for companies that do not abide by new rules that increased users' rights to access and control their personal data.

In response, many organizations have implemented policies to ensure their operations are compliant with GDPR.

This article discusses the components of GDPR and how it will change IT and mobile app data governance.

What Is GDPR?

GDPR replaced the 1995 Data Protection Directive, which became outdated and ineffective as digital technology significantly changed how companies collected and used user data. 

GDPR ensures that the organizations are accountable for their users' data and has robust privacy compliance rules. Its accountability is enforced through time limits on reporting data breaches and significant fines for organizations that fail to follow.

GDPR deals with 3 specific areas:

1. Active Consent

Consumers have the right to obtain their information and know how their data is being used by a company.

Users can give or withdraw their consent for companies to share their personal data: their name, photo, email address, social media profiles, location details, medical data, and IP address.

GDPR also gives individuals the right to withdraw consent, known as "the right to be forgotten". 

2. Data Breaches

GDPR requires that organizations notify regulators within 72 hours of a data breach.

Businesses should include the person responsible for notifying authorities in the case of a breach as part of their compliance strategy, especially those with large user bases.

3. Data Protection

Companies must ensure their data maintenance is handled according to the conditions of GDPR when it comes to gathering, storing, processing, and communicating user data.

The best way your company can approach this is to build data protection measures into business processes.

Jurisdiction of GDPR

GDPR includes EU member countries and organizations outside of the EU that provide goods and services to residents of EU member countries.

GDPR Jurisdiction

Source: Coginov

Regulators can work in the EU as well as work separately in different jurisdictions. The fine for any non-compliance is up to €20m ($23.4M USD) or 4% of the company’s global turnover, whichever is higher.

6-Step Framework for Effective GDPR Compliance

Companies need to be diligent to ensure they have a smooth transition from their existing business processes to GDPR compliance.

6 Step GDPR Ready Framework

We at Elegant Media use these 6 Steps of GDPR Ready Framework to encourage mobile app development companies to create frameworks for effective GDPR compliance.

Step 1: Improve Awareness

Increase awareness among everyone that has access or works with user data: staff, contractors, third-party vendors, and consultants.

Work to make sure everyone understands GDPR, its impact, their responsibilities, and potential legal liabilities.

Conduct an assessment to know how compliant your organization is with GDPR and further steps to be taken.

Step 2: Conduct Data Inventory

Take inventory of the customer data you collect and who has access to this data.

All data sources should be documented and updated: what it holds, how and where it was obtained, and how you use the information.

This process will help auditors evaluate your data handling process to identify any gaps in compliance.

Step 3: Assign Responsibility

Protecting customer data is a responsibility for all of your employees.

Having one person whose job is to specifically track this, such as a Data Protection Officer (DPO), may be necessary to ensure accountability and compliance across the organization.

The DPO assesses how data your company handles and transmits data across divisions and works executives to implement compliant processes. 

Step 4: Create Policies That Mirror GDPR Regulations

Create privacy policies, terms of service, and other legal documents that comply with GDPR.

It's important that you communicate a change in policy to your customers and stakeholders as well so they are aware of your new processes and why they are changing. 

Your company should also make sure any third-parties who handles your customers' data have their own GDPR compliant regulations as well.

Step 5: Monitor Compliance Closely

Closely monitor your customer data and upgrade your ability to detect security breaches.

This may require you to invest in new software or technologies. The investment is worth it, though, if it adds strong data encryption for user data and enhances privacy for future projects.

Step 6: Respond to Customer Requests and Data Breaches

Your company needs to have a process in place for when users request that your company erase their data or records.

In addition, you need to prepare a strong privacy-breach response plan that features a point person/team and assignments for each team in the event of a breach. The responsible parties ensure that your company’s response is in line with GDPR.

How Will GDPR Impact Mobile App Developers?

GDPR increases the data security burden for mobile app developers.

Before GDPR, developers could opt-in users to various forms of marketing and other activities without gaining their explicit consent.

Developers must now have consent for collecting user data and process and transfer it to a high level of security.

To accomplish this, app developers need to have strong encryption and be aware of the changing standards with storing user data.

For example, whenever a user changes his or her passwords or security keys, their data will have to be encrypted again.

This may require developers to upgrade their hardware and software to comply with the new regulations.

GDPR Compliance Is an Opportunity for an Upgrade

Mobile app development companies can use GDPR as an opportunity to improve their business process. 

For example, you can market your company as totally modern and supportive of customer privacy by upgrading to more secure, faster, and accountable data storage processes.

Mobile app developers should implement the following guidelines with their products:

  1. Collect only the data you need from your users: email, name, or other personally identifiable information (PII).
  2. Gain consent from users to use their data.
  3. Implement strong data encryption.
  4. Inform users in the case of a security breach.
  5. Upgrade your technology and data inventory to identify security weaknesses, support servers, and add monitoring systems to detect abnormalities.
  6. Foster communication throughout the company about the chain of responsibility related to users’ data privacy.
  7. Consider the integrity of third-party service providers to ensure any shared data is compliant with GDPR. In addition, make sure your mobile app's privacy policy addresses data sharing with third-parties.

These are the basics that any developer should follow when developing an app or any project that handles customer data.

Future Outlook on Privacy With GDPR

GDPR will benefit users by improving data protection and reducing data misuse.

Now is the right time for organizations to create policies that comply with GDPR and focuses on protecting users' privacy

owner