GDPR Compliance For App Developers
The General Data Protection Regulation (GDPR) is an EU regulation that sets the legal rules for collecting, processing and protecting personal data. It applies from May 25, 2018.
Why it matters
Companies based outside the EU must also comply when they process personal data of people in the EU. As a result, many see GDPR as the de facto standard for any app serving a global audience.
After the massive breaches of trust at Yahoo, Facebook and Sony, officials and politicians all over the world are taking note, and personal privacy has become a mainstream news topic.
What developers need to know
In the last six months, we’ve been told multiple times that budget has been allocated for a project specifically to prevent an embarrassment on the scale of Equifax. Our team is auditing existing applications, upgrading or phasing out legacy apps, writing rules that automatically purge data, and building utilities that let users request and update their information.
The best advice we can give is something we’ve said before on this blog: you can’t lose what you don’t have. Collect only the personal data you need and secure it, stop asking for data that isn’t of value, and anonymize or pseudonymize data before using it for secondary purposes such as analytics or logs.
Important action items
Your app is likely in good shape if you can confidently check off the following action items.
- Know what data you have and where you keep it. Data finds its way outside of databases easily (logs, backups, analytics exports, support tickets). Your developers should have a map of the sensitive fields in your database schema and of every place those fields are copied to.
- Safeguard your data to the best of your company’s ability. This is a tough one even for large companies. If you expose an API, audit its permissions and write tests that sensitive endpoints reject unauthenticated requests and that one user cannot read another user’s records.
- Give your users the ability to request, edit or purge their personal information. This is both a GDPR requirement and an opportunity to think about how you verify who is asking before you send or delete their data, and how you do so securely.
- Keep your internal and external teams up to date through training. If you don’t have a formal program, start with a lunch and learn where your team can ask questions.
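Here is one way to connect the "anonymize before secondary use" advice above with the "know what data you have" action item. This is an added example, not code from the original post or from any tool it mentions. It assumes a hand-maintained map of sensitive fields per table, each tagged with how the field must be handled before a record may reach logs or analytics (keyed-hash pseudonymization, masking, or dropping). All table names, field names, the key and the sample row are constructed for the example.

```python
import hashlib
import hmac
import json

# Sensitivity map: the "map of sensitive fields in your schema" from the action items,
# extended with a handling rule for secondary use (logs, analytics). All names are
# constructed for this example.
#   "pseudonymize": replace with a keyed hash so records can still be joined/counted
#   "mask":         keep only a non-identifying tail (e.g. last four digits)
#   "drop":         remove the field entirely
SENSITIVE_FIELDS = {
    "users": {
        "email": "pseudonymize",
        "full_name": "drop",
        "phone": "mask",
        "ip_address": "drop",
        "date_of_birth": "drop",
    },
    "orders": {
        "user_email": "pseudonymize",
        "shipping_address": "drop",
        "card_number": "mask",
    },
}

# Example-only key. In production it belongs in a secrets manager; destroying it is
# what eventually turns pseudonymous data into data that can no longer be re-linked.
PSEUDONYM_KEY = b"example-only-key-store-the-real-one-in-a-secret-manager"


def pseudonymize(value: str, key: bytes) -> str:
    """HMAC-SHA256 of a normalized value. Deterministic for one key, so analytics can
    count distinct users or join tables, but not reversible without the key."""
    normalized = value.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalized, hashlib.sha256).hexdigest()
    return "pseud:" + digest[:32]


def mask(value: str, keep: int = 4) -> str:
    """Replace everything except the last `keep` characters with '*'."""
    s = str(value)
    if len(s) <= keep:
        return "*" * len(s)
    return "*" * (len(s) - keep) + s[-keep:]


def scrub_record(table: str, record: dict, key: bytes) -> dict:
    """Return a copy of `record` that is safe to write to logs or analytics.

    A table with no entry in the map is refused rather than passed through: an
    unmapped table is exactly the data that has "found its way outside the database"."""
    rules = SENSITIVE_FIELDS.get(table)
    if rules is None:
        raise KeyError(f"no sensitivity map for table {table!r}; refusing to log it")
    out = {}
    for field, value in record.items():
        rule = rules.get(field)
        if rule is None:
            out[field] = value          # not classified as sensitive: passes through
        elif rule == "pseudonymize":
            out[field] = pseudonymize(str(value), key)
        elif rule == "mask":
            out[field] = mask(str(value))
        elif rule == "drop":
            continue
        else:
            raise ValueError(f"unknown rule {rule!r} for {table}.{field}")
    return out


def leaks_raw_values(table: str, record: dict, scrubbed: dict) -> list:
    """Names of mapped fields whose raw value still appears anywhere in the scrubbed
    record. Catches PII that was copied into an unclassified free-text field."""
    blob = json.dumps(scrubbed, sort_keys=True).lower()
    leaked = []
    for field in SENSITIVE_FIELDS.get(table, {}):
        raw = record.get(field)
        if raw is not None and len(str(raw)) >= 4 and str(raw).lower() in blob:
            leaked.append(field)
    return leaked


# Constructed sample row; not a real person. The "notes" field deliberately repeats
# the e-mail address to show why the post-scrub leak check is needed.
SAMPLE_USER = {
    "id": 1042,
    "email": "Ada.Lovelace@example.org",
    "full_name": "Ada Lovelace",
    "phone": "+44 20 7946 0958",
    "ip_address": "203.0.113.7",
    "plan": "pro",
    "notes": "called ada.lovelace@example.org about invoice",
}


def demo():
    """Scrub the sample row and report which sensitive fields still leak."""
    scrubbed = scrub_record("users", SAMPLE_USER, PSEUDONYM_KEY)
    return scrubbed, leaks_raw_values("users", SAMPLE_USER, scrubbed)


if __name__ == "__main__":
    scrubbed, leaked = demo()
    print(json.dumps(scrubbed, indent=2))
    print("fields still leaking raw values:", leaked)
```

Two caveats worth keeping in mind. First, a keyed hash is pseudonymization, not anonymization: as long as the key exists, the output can be linked back to a person and is still personal data under GDPR; only the dropped fields are truly gone. Second, the leak check exists because classification maps are never complete; running it in tests against real fixtures (or in a pre-log hook) is what catches the support note or stack trace that quotes an address verbatim.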
One resource we’ve been sharing with clients is GDPRchecklist.io, a checklist put together by the folks at Knowlex. It summarizes the top-level considerations and links each item to the full text of the corresponding article of the regulation.
Contact us with your compliance questions. We’re happy to hop on a call to answer quick ones, and if you’d like a formal audit, our team will analyze your code and deliver a recommendations document with actionable steps to improve your app.