Checklist of GDPR compatibility for mobile apps

5 min to read

Today the probability of having customers in the EU is very big. And you might know that from 2018 this adds significant restrictions on handling their data. The list of restrictions is reflected in GDPR, the General Data Protection Regulation, approved by EU Parliament in 2016. Even if your company doesn't work in the EU you have to follow the rules of GDPR. So, let's see how to do it the best way.

Ask permission for every action

First, you have to find out for what purposes you will use the data. Let's imagine you are selling something. Then if the user is registering in your app you may use his data for invoicing, showing relevant offers, sending emails or SMS with newsletters, etc. But before you start you have to get the user's consent for all these things. The simplest way to implement it is to place the "I agree" checkbox in the form with data. And if the user marks this checkbox he automatically permits performing all needed actions.

Update permissions in case of changes

Don't forget to ask permission again if you change the way you use the data. For example, today you use it only for invoicing, and tomorrow you start to send the company newsletters. Of course, in this case, you should ask permission twice.

Collect only the necessary data

Think about the data that really needs to be collected and constantly used by the app. If you need a phone number to authorize users that's OK. But there is no need to collect a huge list of data for this. Also, there is no need to store this number if you use it only once. Keep in mind that the biggest fines you can get for misusing data.

Encrypt the data

To protect data from unwanted actions you need to encrypt it. Everybody who gets unauthorized access should not be able to read it as a text. To realize it, you may send data to the cloud via HTTPS, ensure reliable data storage in the cloud, or save the encrypted data on the smartphone.

Create and update Privacy Policy

Privacy Policy should contain info about what data you collect, how you collect it, for what purposes, how you use this data, what organizations can it be transferred to, and how users can manage it. Privacy Policy should be easily accessible for all users of your app.

Be ready to show users their data

According to GDPR, any user may ask you to show all the data you store about him. And you have 30 days to do it. So, probably the best idea is to work out this procedure to be ready for such a request.

Also, be ready to delete the data

Another provision of GDPR is the right of the user to delete all his data from your DB and withdraw from the agreement with your company. So, this procedure should be worked out as well.

Inform users about hacking if it happens

If you get hacked you need to inform your users about it as soon as possible. Unfortunately, cyber-attacks have become common nowadays. And no one can guarantee the impossibility of a data breach.

Make sure the services and SDKs you use are GDPR-compliant

And finally, if you exchange data with 3-d party services and SDKs you need to make sure that they all are GDPR-compliant. After that, you should sign a Data Processing Agreement with their developers.
Seems that we've considered all common issues with collecting and processing data according to GDPR. And if you need help with checking your application for GDRP compatibility, feel free to contact us -
Volodymyr Andrushenko
Co-founder, Business Development Manager at CookieDev
Made on