6 key steps to make a GDPR-compliant mobile app

5 min to read

As you probably know in 2016-2018 companies in the EU had to change the way they collected and stored user data according to the General Data Protection Regulation (GDPR). So, how to build a GDPR-compliant mobile application or make changes to the existing one?

Protect user data and user sessions

First of all, you need to encrypt user data within your database including all its backups. This means that anyone who accesses this data from DB is not able to read it as a text. That's why the encryption algorithm should be rather complicated.
User sessions must be protected too. You may use SSL for external connections to transfer data, especially logins, passwords, payment details, etc. Also, you may implement two-factor authentication. This is one of the best ways to be sure that the user is logged in with his own username and password.

Let users control main operations with data

According to the rules of GDPR users of your application have a right to delete all their data from your database. So, the best deal is to provide them with such an opportunity. Moreover, you need to ask permission for collecting and processing user data when they fill out the forms inside your application.
And here we talk not only about control but also about informing users, publication of the user agreement, and privacy policy. Users of your application have a right to know what way you are using their data and how long are you going to do it.

Collect only what you need

Another important provision of GDPR is collecting only the necessary data. This means you should somehow use this data. There is no need to ask for emails or credit card numbers if your application doesn't perform any operations with it.

Check services and SDKs for GDPR compliance

It may seem a little bit surprising, but all the SDKs and third-party services connected to your app must be GDPR-compliant too, and you have to check it out. If you are quite sure they are you have to sign a Data Processing Agreement with them. This is another important requirement of the GDPR.

Log the data collection activities

We strongly recommend you log the data collection activities. In case of investigation, it will help you to show that your work was fully correct. So, realize what kind of activities you should document and prepare a task for developers to implement it. First of all, it can be receiving, handling, and deleting user data.

Hire data protection officers

If you are responsible for the implementation of GDPR in your company you'll probably need to hire a data protection officer (DPO). He will consult your employees on the main principles of data storage and collection, control the internal compliance with the GDPR, and connect users with authorities if needed. Although hiring DPO is a requirement only for large-scale companies we decided to consider it in our article to give you complete information.
And if you think that it's time to make your app GDPR-compliant, feel free to contact us via chat or e-mail.

Book a call to learn more -
Volodymyr Andrushenko
Co-founder, Business Development Manager at CookieDev
Made on