GDPR compliance checklist for app development

Nowadays, smartphones are a bit like one-man-armies: we use them to communicate with each other, to organize our lives, to find accurate up-to-date information, and simply to unwind from time to time. As they accompany us 24/7, developers need to design mobile apps that run faster and with higher capacity – not to mention that software creators compete in terms of attractiveness and prospective popularity of their solutions as well.

There’s one more challenge that developers need to rise to: security, as mobile applications should guarantee the protection of personal data. This condition is essential in times of frequent data breaches – especially when we take the General Data Protection Regulation into consideration. A well-planned software development process plays an important part in fulfilling it. After all, data protection ought to be discussed on both the technological and the business level. For now, however, let’s start with a short introduction to the GDPR.

What is the GDPR?

GDPR replaced the Data Protection Directive 95/46/EC (which came into force in 1995 – you read it right, that’s 25 years ago!) to introduce new definitions and requirements which were to reflect recent technological changes. In principle, the policy empowers individuals in terms of what happens to their personal data, holds organizations accountable for the way their customers’ data is used, and calls for more consumer-friendly wording around privacy terms and conditions.

GDPR defines personal data as “any information relating to an identified or identifiable natural person”. To give you an example, the term refers to a wide variety of personal information such as name, email, bank details, health-related information, IP address, etc.

Personal data also means data of special categories, sometimes referred to as sensitive personal data, described as information revealing:

  • racial or ethnic origin,
  • political opinions,
  • religious or philosophical beliefs,
  • trade union membership,
  • genetic and biometric data,
  • health condition,
  • sex life or sexual orientation.

Knowing the above-mentioned definitions is key while developing GDPR compliant mobile apps, since the definition covers things like IP addresses, mobile device IDs, browser fingerprints, MAC addresses, cookies, telemetry, and any other form of system-generated data which identifies a natural person – not to mention data (including sensitive personal data) that can be provided by the user.

Why should I care about GDPR?

First and foremost, because European data protection rules are extraterritorial. As such, they affect your European users as well as your company as a provider whose customers live in EU countries. If you have interests in Europe or collect information from European users, you must protect their personal data by making your software GDPR compliant.

It’s safe to say that GDPR impacts your business processes and actions of all parties involved in the project work, including development, UX, marketing, legal, and management teams. It means that you need to think about the way you gather and store personal data of your web or mobile app’s users as well as how the new functionalities you plan to introduce will work. At this point, it’s worth mentioning that failure to comply with the GDPR legislation can result in costly fines up to either 4% of annual global turnover or €20 million, whichever turns out to be higher.

GDPR Compliance Checklist

GDPR makes businesses document how they comply with data protection requirements so that it’s clear the company does not allow for data breaches. It also calls for taking special care of the privacy policy, highlighting precisely what a company does to protect users’ data, and making it easier for them to opt out.

As data protection is a complex topic, we’ve created a GDPR compliance checklist to ensure you and your company are following best practices and working in accordance with the EU guidelines.

Process the bare minimum of data

One of the key changes that the GDPR introduced was the inception of the legal requirement to follow Privacy by Design and Privacy by Default rules. The former means that you should think about how to ensure the highest level of data protection from the very beginning of the app development process rather than treating this issue as an afterthought. And although we’re discussing privacy by design in reference to the regulation that was implemented in 2016, the framework is not a new concept as it’s been in operation since the 1990s. It’s based on seven principles, which you can read more about in Smashing Magazine.

Privacy by Default, on the other hand, assumes that once your product has been launched, “the strictest privacy settings should apply by default, without any manual input from the end-user” and “any personal data provided by the user to enable a product's optimal use should only be kept for the amount of time necessary to provide the product or service”. In relation to software development, we need to stress that according to GDPR Article 23, your app may require the user to provide nothing more than data required by law, necessary to provide services, or justified by your legitimate interest. Even then, however, you must justify why you are collecting certain information. Other data – meaning the non-necessary information – can be provided by the user voluntarily, e.g. when they decide to share it with other users.

To sum up, data protection as a design process begins with minimizing. At this point, you need to think about the reasons for processing user data, check them against Articles 6 and 9 of GDPR, and process no more than the bare minimum of personal data.

Establish coding standards to build a bullet-proof data protection workflow

To avoid unnecessary data capture or loss, it’s advisable that everyone in your project uses a clearly defined set of code libraries, tools, and frameworks. To make it happen, we recommend drafting a list of approved standards, methodologies, and tools used for coding as well as testing.

The coding standards you establish should be preventive. For instance, consider asking developers to disable unsafe modules, particularly in APIs and third-party libraries. Code reviews, on the other hand, ought to involve an audit against privacy by design rules and cover data mapping and the ways of protecting user data.

Run a Data Protection Impact Assessment (DPIA)

We can’t discuss data protection without mentioning DPIA: a process designed to identify and analyze the security risks of a given project and a living document that needs to be shared with all parties involved with the project work. As such, DPIA helps you not only take into account the requirements of the GDPR but also demonstrate the measures that have been taken to apply these provisions.

As it’s written in Article 35 of the GDPR,

where a type of (data) processing (...) is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

In practice, it means that DPIA ought to be applied in the case of:

  • apps using the user’s financial history to automatically determine whether or not that person is eligible for a mortgage;
  • life-logging applications that process personal information about eating habits, driving style, time spent, etc. to, let’s say, increase the price of the insurance;
  • technology that monitors user behavior and uses that information to build marketing profiles;
  • apps that profile customers to identify shopping preferences and automatically set promotional prices based on the created profile;
  • job board websites that collect large amounts of personal data from consumers who wish to apply for a given position online;
  • applications for monitoring purchases and shopping preferences;
  • software that uses fingerprints or face recognition to grant access to certain functionalities;
  • applications that monitor employees' working time and the tools they use (e-mail, internet);
  • applications for monitoring sports achievements linked to fitness bands that use cloud computing.

Of course, this list is by no means a finished one. Some examples mentioned here may not meet the requirements for conducting DPIA and vice versa – an off-list application, for instance, may be innovative or risky enough to be the subject of a DPIA.

Ask for explicit consent by using checkboxes

One of the core GDPR requirements is to ask for users’ consent to collect, use, and transfer their personal data whenever consent is the legal basis for that processing. Such consent needs to be granted before you start collecting the information. In practice, once a customer signs up to your mobile application and you have no other valid legal basis to process their personal data, you need to ask them to agree to have their data processed. Conversely, such a request should be made only if you don’t have any other legitimate basis for processing users’ personal information – when you process only the data required to provide services to the user, you don’t really have to ask for permission twice.

Furthermore, if you want to send marketing content to the users of your application, you should ask for their consent to receive it electronically, e.g. via e-mail or push notifications. In this event, create one checkbox for accepting the app's terms (which work as a contract between you and the user) and another one for consent to receive marketing information. In some cases, additional checkboxes may be required, e.g. if your application tracks users’ actions such as shopping activity. On top of that, all users who have given their consent ought to be informed how, where, why, and for how long their personal data is going to be stored.

It’s also worth mentioning that you can’t pre-select a consent checkbox. What’s more, consent must be a conscious action – the failure to tick a box equals a lack of consent and the user ought to be informed about it. Finally, your GDPR compliant software should include a dedicated landing page where users can control their data, e.g. opt out or ask for their data to be removed.
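The consent rules above (one checkbox per purpose, no pre-selected boxes, silence is not consent, withdrawal at any time, and a record of what was agreed to and when) can be enforced in the app's backend rather than left to the UI. The following Go program is an added example written for this article, not code from the original post or from Merixstudio; the purpose names, the `ConsentStore` type and the `Touched` flag that the UI is assumed to report are all assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Purpose identifies one processing purpose that needs its own checkbox.
type Purpose string

const (
	PurposeTerms     Purpose = "terms_of_use"       // contract between you and the user
	PurposeMarketing Purpose = "marketing_messages" // e-mail / push marketing
	PurposeTracking  Purpose = "shopping_tracking"  // behavioural tracking
)

// ConsentRecord is the evidence kept for one decision: what was agreed to,
// which policy wording the user saw, and when. Withdrawal is recorded rather
// than deleted so the history stays demonstrable.
type ConsentRecord struct {
	Purpose     Purpose
	PolicyVer   string
	GrantedAt   time.Time
	WithdrawnAt *time.Time
}

// Checkbox is what the UI submits (assumed shape). Touched is true only if
// the user actually interacted with the control; a pre-ticked default that
// was never clicked arrives as Ticked == true, Touched == false.
type Checkbox struct {
	Purpose Purpose
	Ticked  bool
	Touched bool
}

type ConsentStore struct {
	records map[string][]ConsentRecord // keyed by user id
	now     func() time.Time           // injectable clock, for testing
}

func NewConsentStore(now func() time.Time) *ConsentStore {
	return &ConsentStore{records: map[string][]ConsentRecord{}, now: now}
}

var ErrNotAffirmative = errors.New("consent requires an affirmative user action")

// Submit records the user's choices. Only a box the user both touched and
// ticked counts as consent; an untouched box is silence and is simply not
// recorded. A box reported ticked but untouched is a pre-selected default,
// which is rejected outright.
func (s *ConsentStore) Submit(userID, policyVer string, boxes []Checkbox) error {
	for _, b := range boxes {
		if b.Ticked && !b.Touched {
			return fmt.Errorf("%w: %s was pre-selected", ErrNotAffirmative, b.Purpose)
		}
	}
	for _, b := range boxes {
		if b.Ticked && b.Touched {
			s.records[userID] = append(s.records[userID], ConsentRecord{
				Purpose: b.Purpose, PolicyVer: policyVer, GrantedAt: s.now(),
			})
		}
	}
	return nil
}

// Withdraw marks every active consent for the purpose as withdrawn.
func (s *ConsentStore) Withdraw(userID string, p Purpose) {
	t := s.now()
	recs := s.records[userID] // shares the backing array, so edits persist
	for i := range recs {
		if recs[i].Purpose == p && recs[i].WithdrawnAt == nil {
			recs[i].WithdrawnAt = &t
		}
	}
}

// HasConsent is the check to run before any processing that rests on
// consent, e.g. before queueing a marketing push notification.
func (s *ConsentStore) HasConsent(userID string, p Purpose) bool {
	for _, r := range s.records[userID] {
		if r.Purpose == p && r.WithdrawnAt == nil {
			return true
		}
	}
	return false
}

func main() {
	store := NewConsentStore(time.Now)
	// Constructed sample submission: terms accepted, marketing box left untouched.
	err := store.Submit("user-42", "policy-v3", []Checkbox{
		{Purpose: PurposeTerms, Ticked: true, Touched: true},
		{Purpose: PurposeMarketing, Ticked: false, Touched: false},
	})
	fmt.Println("submit error:", err)
	fmt.Println("marketing allowed:", store.HasConsent("user-42", PurposeMarketing))
}
```

The check that matters at runtime is `HasConsent`: every code path that sends marketing content or tracks shopping activity should call it first, and a withdrawal takes effect immediately because the record is marked rather than deleted.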

Make your actions transparent with Privacy Policy

Next on our GDPR compliance checklist is equipping your application with a transparent Privacy Policy that elaborates on the rights the GDPR grants to users, e.g. the right to withdraw their consent at any time and to lodge a complaint with the President of the Personal Data Protection Office. As a Data Controller, you are bound to provide contact details and inform customers about the legal basis and purpose of data processing. You also have to indicate whether the app profiles its users and whether it transfers data to other entities, including third countries. Moreover, you are required to specify what kind of information the app will process and for how long.

All in all, make sure that Privacy Policy is easy to find within your mobile app and that it’s written in a clear way. Also, if there is any change within terms and conditions, let users know about it and have them accept it before they continue using the application.

Be ready to respond to users’ requests

To be fully GDPR compliant, your application should give users control over consent settings through control panels, account settings, or privacy centers. Account setting screens and privacy dashboards are ideal for achieving this goal.

Then, you should be ready to answer any questions concerning the way your software processes users’ personal data. According to the regulation, you have a month to do so – or, in exceptional circumstances, even two if the requested information is too complex to process within a month.

To streamline the process, it’s worth creating a dedicated page with contact details for users who want to access their data. This way, you’ll prevent your mailbox from getting messy and overloaded. In some cases, there might be a need to appoint a data protection officer, in which scenario they will be the one to respond to users’ queries and demands.

Exercise the right to be forgotten by making sure users can have their data erased

Article 17 of the GDPR highlights the right to erasure or the “right to be forgotten”. What does it mean for application creators? It’s fairly simple: if a user asks for the erasure of their data from your database and at least one of the conditions listed in Article 17 of the GDPR is met, you must do it. In this event, you’re obligated to remove every personal detail you hold about them in the system. Moreover, if the retention period of data is over, it should be deleted or anonymized – either automatically or through user action.

Another point worth making is that you ought to give users the possibility to delete their accounts. The best way to handle this is to make sure your mobile app has a way for users to delete accounts together with all data that you no longer need for specific legitimate purposes. If you want your app to be GDPR compliant, make it possible to delete data directly from the application.

Finally, remember that you will also need to cooperate with third parties (e.g. a cloud service provider) whom you send data to or from whom you receive information so as to ensure that a request for data deletion also removes sensitive information on their end.
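The two erasure paths described above (the automatic one, where data past its retention period is deleted or anonymized, and the user-requested one, which must also reach every third party holding a copy) look like this in code. This Go program is an added example for this article, not code from the original post or from Merixstudio; the `Profile` and `Order` shapes, the `Processor` interface and the `fakeProcessor` standing in for a vendor API are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Profile is a constructed, simplified user record. Name, Email and IP
// identify the person directly; Orders mixes identifying data (Address)
// with non-identifying data (TotalCts) that accounting may still need.
type Profile struct {
	ID, Name, Email, IP string
	Orders              []Order
}

type Order struct {
	ID       string
	TotalCts int // order value in cents, kept after anonymization
	Address  string
	PlacedAt time.Time
}

// Processor is any third party that holds a copy of the user's data
// (cloud storage, mailing service). Each must delete its copy on request.
type Processor interface {
	Name() string
	Delete(userID string) error
}

// ExpireRetention is the automatic path: once an order is older than the
// retention period, its identifying part is removed while the totals stay.
// The input slice is not modified; the anonymized copy is returned.
func ExpireRetention(orders []Order, now time.Time, retention time.Duration) []Order {
	out := make([]Order, 0, len(orders))
	for _, o := range orders {
		if now.Sub(o.PlacedAt) > retention {
			o.Address = ""
		}
		out = append(out, o)
	}
	return out
}

// Erase is the user-request path (Article 17). Identifying fields are
// cleared locally, every order is anonymized regardless of age, and each
// processor is asked to delete its copy. Processors that fail are returned
// so the request is not reported as complete until they succeed.
func Erase(p *Profile, processors []Processor) (failed []string) {
	p.Name, p.Email, p.IP = "", "", ""
	for i := range p.Orders {
		p.Orders[i].Address = ""
	}
	for _, pr := range processors {
		if err := pr.Delete(p.ID); err != nil {
			failed = append(failed, pr.Name())
		}
	}
	return failed
}

// fakeProcessor stands in for a real vendor deletion API in this example.
type fakeProcessor struct {
	name string
	fail bool
}

func (f fakeProcessor) Name() string { return f.name }
func (f fakeProcessor) Delete(string) error {
	if f.fail {
		return errors.New("vendor unavailable")
	}
	return nil
}

func main() {
	now := time.Date(2020, 6, 1, 0, 0, 0, 0, time.UTC)
	// Constructed sample profile with one two-year-old order.
	p := &Profile{ID: "user-42", Name: "Jane Doe", Email: "jane@example.com", IP: "203.0.113.7",
		Orders: []Order{{ID: "o1", TotalCts: 1999, Address: "1 Main St", PlacedAt: now.AddDate(-2, 0, 0)}}}
	p.Orders = ExpireRetention(p.Orders, now, 365*24*time.Hour)
	failed := Erase(p, []Processor{fakeProcessor{name: "mailer"}, fakeProcessor{name: "cloud-backup", fail: true}})
	fmt.Printf("profile after erasure: %+v\nprocessors still holding data: %v\n", *p, failed)
}
```

Returning the list of processors that failed is the important design choice: an erasure request that succeeded locally but is still pending at a cloud provider must be retried or escalated, not closed.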

Implement data encryption to ensure data security

According to Article 32 of the GDPR, app owners must ensure the ongoing confidentiality, integrity, availability, and resilience of their data processing systems. The risk of a data breach is much higher when data is stored as plain text, which is why your dev team should make use of robust encryption algorithms and employ SSL or HTTPS for external communications.

Speaking of encryption, your backups should be subject to it as well – not to mention the contact form! In case your application uses security questions to confirm the user’s identity, make sure the questions don’t include any personal components. Instead of implementing security questions, it might be a good idea to use two-factor authentication.
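One way to keep stored personal data out of plain text, so that a copied database or backup yields only ciphertext and any modification is detected on read, is field-level authenticated encryption. The Go program below is an added example for this article, not code from the original post or from Merixstudio; it uses AES-256-GCM from the standard library, and the `FieldCipher` type, the column-name binding and the demo key generated in `main` are assumptions made for the illustration (a real app would fetch the key from the platform keystore or a key management service).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// FieldCipher encrypts individual personal-data fields with AES-256-GCM.
// GCM is authenticated, so a ciphertext that was edited in the database
// fails to decrypt instead of yielding garbage.
type FieldCipher struct {
	aead cipher.AEAD
}

// NewFieldCipher takes a 32-byte key. Never keep the key in source code or
// in the same store as the ciphertext.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// Seal returns base64(nonce || ciphertext || tag). The column name is bound
// in as associated data, so a ciphertext copied into another column (or
// another user's row of a different column) fails to open.
func (fc *FieldCipher) Seal(column, plaintext string) (string, error) {
	nonce := make([]byte, fc.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := fc.aead.Seal(nonce, nonce, []byte(plaintext), []byte(column))
	return base64.StdEncoding.EncodeToString(ct), nil
}

var ErrCorrupt = errors.New("stored field is corrupt or was tampered with")

// Open reverses Seal. Any decoding or authentication failure is reported
// as ErrCorrupt; the caller should treat it as an integrity incident.
func (fc *FieldCipher) Open(column, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	n := fc.aead.NonceSize()
	if err != nil || len(raw) < n {
		return "", ErrCorrupt
	}
	pt, err := fc.aead.Open(nil, raw[:n], raw[n:], []byte(column))
	if err != nil {
		return "", ErrCorrupt
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed: a random key for this demo only
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	fc, err := NewFieldCipher(key)
	if err != nil {
		panic(err)
	}
	stored, _ := fc.Seal("email", "jane@example.com")
	back, _ := fc.Open("email", stored)
	fmt.Println("stored in database:", stored)
	fmt.Println("recovered:", back)
}
```

A fresh random nonce per field is what makes it safe to encrypt many fields under one key; the backup problem mentioned above is covered for free, since a backup of the table contains only the sealed values.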

Inform users about logs

Article 30 of the GDPR indicates that each data controller or their representative “shall maintain a record of processing activities under its responsibility”. In simpler terms, it means that you must document all the data that your app is collecting. To do that, create a secure log of your data collection activities, make sure the logs don’t store any sensitive information, and don’t forget to encrypt the logs. Remember that the users should be informed about how you store and process the logs, as well as how long the log and IP address will be stored within the system.
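Keeping a record of processing activities while making sure the logs themselves hold no sensitive information comes down to what the log writer is allowed to emit: a pseudonymous user token instead of the user id, a truncated IP address instead of the full one, e-mail addresses scrubbed from free-text messages, and an explicit expiry so the stated retention period can be enforced. The Go program below is an added example for this article, not code from the original post or from Merixstudio; the `Event` and `Entry` shapes, the `Redactor` type, the /24 and /48 truncation lengths and the HMAC-based token are assumptions made for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net"
	"regexp"
	"time"
)

// Event is what application code logs; it may carry personal data.
type Event struct {
	Action  string
	UserID  string
	IP      string
	Message string
}

// Entry is what actually reaches the log store: no direct identifiers, and
// a retention deadline so the purge job knows when to drop it.
type Entry struct {
	Time      time.Time `json:"time"`
	Action    string    `json:"action"`
	UserToken string    `json:"user_token"`
	IPPrefix  string    `json:"ip_prefix"`
	Message   string    `json:"message"`
	ExpiresAt time.Time `json:"expires_at"`
}

// emailRe is a deliberately simple matcher for e-mail addresses in free text.
var emailRe = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)

type Redactor struct {
	key       []byte        // HMAC key; rotating it unlinks old and new tokens
	retention time.Duration // how long an entry may be kept
}

// token derives a stable pseudonym for a user that cannot be reversed
// without the key, so support staff can still correlate one user's events.
func (r Redactor) token(userID string) string {
	m := hmac.New(sha256.New, r.key)
	m.Write([]byte(userID))
	return hex.EncodeToString(m.Sum(nil))[:16]
}

// truncateIP keeps only the network part (/24 for IPv4, /48 for IPv6) and
// drops anything that does not parse as an address.
func truncateIP(s string) string {
	ip := net.ParseIP(s)
	if ip == nil {
		return ""
	}
	if v4 := ip.To4(); v4 != nil {
		return v4.Mask(net.CIDRMask(24, 32)).String() + "/24"
	}
	return ip.Mask(net.CIDRMask(48, 128)).String() + "/48"
}

// Redact converts an application event into the entry that may be stored.
func (r Redactor) Redact(e Event, now time.Time) Entry {
	return Entry{
		Time:      now,
		Action:    e.Action,
		UserToken: r.token(e.UserID),
		IPPrefix:  truncateIP(e.IP),
		Message:   emailRe.ReplaceAllString(e.Message, "[email]"),
		ExpiresAt: now.Add(r.retention),
	}
}

func main() {
	r := Redactor{key: []byte("constructed-demo-key"), retention: 30 * 24 * time.Hour}
	// Constructed sample event containing a user id, full IP and an e-mail address.
	e := Event{Action: "password_reset", UserID: "user-42", IP: "203.0.113.7",
		Message: "reset link sent to jane@example.com"}
	out, _ := json.Marshal(r.Redact(e, time.Now().UTC()))
	fmt.Println(string(out))
}
```

The expiry field is what turns the retention period stated in the privacy policy into something a scheduled job can act on; without it, "we keep logs for 30 days" is a promise the system cannot verify.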

Alert users of data breaches

Last but definitely not least, the GDPR enforces strict deadlines for notifying app users as well as the concerned authorities in the event of a data breach. The disclosure of such information to the data protection authority must take place within 72 hours from the moment the breach was discovered. So as not to risk any dangerous delays, you may want to invest in technology and tools that alert you when such incidents occur. Also, it’s crucial to have a proper plan in place for how to handle a data breach within your app, including, among other things, the best and shortest way to notify your users.

GDPR compliance: business owner and tech team perspective

At first, it may seem that reading about all GDPR-related restrictions is enough to give one a headache. And you aren’t entirely wrong if you think so – after all, the EU legislation forces business owners to be fully transparent about how they gather, process, and use data, as well as to be more careful about their development and documentation processes than ever before. The truth is, however, that ensuring compliance of your app with the GDPR equals profit and greater trust on the part of its users in the long run.

Since, as we mentioned before, GDPR influences the actions of all stakeholders, here’s a short summary of what your and your developers’ duties are.

GDPR compliance checklist for software development | Merixstudio
