The General Data Protection Regulation (GDPR) came into effect across the European Union (EU) on May 25th, 2018. It sent enterprises across Europe and beyond scrambling to become compliant while going about business as usual.
At its most basic, GDPR is a set of rules focused on protecting people's personal data and privacy. It also lays down the conditions under which consumer data may be collected and processed in the first place.
Even if you don’t reside within the EU, GDPR may apply to you if you’re running an online store or collecting personal data of people living in the U.K. and the EU. It also comes into effect if your mobile app is published within EU markets.
Non-compliance will have serious ramifications, so businesses need to take an in-depth look at both the configuration and design of their applications. The aim here is to reduce the risk of leaking personal data as much as possible.
Even if you have a great track record of following cybersecurity best practices, you will now also need record-keeping and breach-reporting procedures to remain compliant. GDPR places these obligations on the "controller", the organization that determines the purposes and means of processing personal data (a "processor" acts on the controller's behalf, and both carry duties under the regulation).
In some cases the controller must designate a data protection officer, for example where its core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. Appointing one is often a good idea even for organizations that are nowhere near violating the rules.
What Are the Consequences of Non-Compliance To GDPR?
Every EU member state has a supervisory authority that oversees how organizations use personal data, and many countries outside the EU have comparable data protection authorities.
These authorities are government-appointed bodies with statutory powers to investigate, enforce and penalize organizations that fall short. Penalties range from warnings and reprimands to fines, and there is also the very real prospect of being ordered to suspend or cease processing altogether.
These authorities will also investigate any complaints that they receive from various entities and carry out the desired action based on the situation.
Under GDPR, a controller must notify its supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (unless the breach is unlikely to pose a risk to individuals). Where the breach is likely to result in a high risk to the people concerned, they must be told as well, without undue delay. Failing to notify is itself a sanctionable infringement, with fines of up to €10 million or 2% of worldwide annual turnover, and the most serious infringements, such as breaching the basic processing principles or data subjects' rights, carry fines of up to €20 million or 4% of the previous year's worldwide turnover, whichever is higher.
Whether a non-compliant business ends up with a warning, a fine, or a temporary or permanent ban on processing is at the authority's discretion, so the stakes are high.
Individuals who have suffered damage as a result of non-compliance can also sue your company for compensation, so your troubles might not end with a fine or a warning.
So How Should Mobile Apps Be Secured to Ensure GDPR Compliance?
Ensuring GDPR compliance starts with protecting your app against a data breach. GDPR names encryption as one of the appropriate technical measures, and the practical target is to keep personal data encrypted wherever it lives: at rest on the device and in the backend database, in transit, and in every backup.
Encryption in transit is now a baseline of application development, but it is important to think beyond your TLS certificates: TLS protects the connection, not the database, the device storage, the logs, or the backups, so customer data should be encrypted at the application or storage layer as well.
The most significant change is that consent must be specific and informed: before obtaining consent from the end user, a business has to state explicitly what data it collects and how it will be processed. This does not just apply to new users; consent gathered from existing users before GDPR must meet the same standard or be obtained again.
To remain compliant, enterprises need to offer separate, unticked consent checkboxes for each distinct processing purpose rather than one blanket "I agree". Businesses must also tell people, users and non-users alike, whether personal data about them is being held, and let them see it (a subject access request). One caveat for the implementation: the requester's identity has to be verified first. A lookup that lets anyone type in an email address and see what the company holds for it is not compliance, it is an unauthenticated data leak and an account-enumeration oracle.
Users can have incorrect data corrected, and ideally they should be able to do so from within the app without contacting the company.
If they ask to be forgotten, you have to delete all of their personal data on request; that is their right under GDPR. The deletion has to reach every processor and third-party integration you have sent the data to, and every backup, not just the primary database.
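The encryption, access, and erasure points above can be tied together in a single design, shown here as an added Go example that is not code from the original article. It keeps each user's record encrypted with its own AES-256-GCM key, so a leaked or backed-up copy of the records is unreadable without the key store; a subject access request decrypts the record for its owner; and erasure first asks every registered third-party processor to delete its copy and only then destroys the local record and its key, which also retires every backup copy that was encrypted under it (crypto-shredding, a technique introduced here rather than named by the article). The `Store`, `Processor` and `PersonalData` names, the sample user, and the in-memory key map are all constructed for the example; a real deployment would hold the keys in a KMS or the platform keystore, not next to the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// PersonalData is a constructed example of what an app backend holds about one user.
type PersonalData struct{ Email, Name, Country string }

// Processor is the erasure hook of a third-party integration that received the data.
type Processor func(email string) error

// Store keeps each record under its own AES-256-GCM key, so a backup of records alone is
// unreadable and destroying the key on erasure also retires every backup copy
// (crypto-shredding). Production code would hold keys in a KMS or platform keystore.
type Store struct {
	keys       map[string][]byte // email -> 32-byte key (assumed key store)
	records    map[string][]byte // email -> nonce || ciphertext || GCM tag
	processors []Processor
}

func NewStore(p ...Processor) *Store {
	return &Store{keys: map[string][]byte{}, records: map[string][]byte{}, processors: p}
}

// mustGCM builds the AEAD; with the fixed 32-byte keys used here neither call can fail.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a programming error, not runtime input
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// Save encrypts and stores a record, generating the user's key on first write.
func (s *Store) Save(d PersonalData) error {
	key, ok := s.keys[d.Email]
	if !ok {
		key = make([]byte, 32)
		if _, err := io.ReadFull(rand.Reader, key); err != nil {
			return err
		}
		s.keys[d.Email] = key
	}
	gcm := mustGCM(key)
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce on every write
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	pt, _ := json.Marshal(d) // a struct of plain strings cannot fail to marshal
	s.records[d.Email] = gcm.Seal(nonce, nonce, pt, nil)
	return nil
}

// Export answers a subject access request: everything held for this email. Identity
// verification of the requester happens before this is called; it is not done here.
func (s *Store) Export(email string) (*PersonalData, error) {
	key, haveKey := s.keys[email]
	blob, haveRec := s.records[email]
	if !haveKey || !haveRec {
		return nil, errors.New("no personal data held for this email")
	}
	gcm := mustGCM(key)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored record is truncated")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return nil, err // tampered ciphertext or wrong key: fail closed
	}
	var d PersonalData
	return &d, json.Unmarshal(pt, &d)
}

// Erase implements the right to be forgotten: every processor must confirm deletion
// first; only then are the local record and its key destroyed.
func (s *Store) Erase(email string) error {
	if _, ok := s.records[email]; !ok {
		return errors.New("no personal data held for this email")
	}
	for _, p := range s.processors {
		if err := p(email); err != nil {
			return fmt.Errorf("erasure not propagated, local record kept for retry: %w", err)
		}
	}
	delete(s.records, email)
	delete(s.keys, email)
	return nil
}

func main() {
	crm := map[string]bool{"ana@example.com": true} // constructed third-party copy
	s := NewStore(func(e string) error { delete(crm, e); return nil })
	_ = s.Save(PersonalData{Email: "ana@example.com", Name: "Ana", Country: "PT"})
	d, _ := s.Export("ana@example.com")
	fmt.Printf("access request: %+v\n", *d)
	fmt.Println("erase:", s.Erase("ana@example.com"), "| CRM copy left:", crm["ana@example.com"])
}
```

Rectification is the same path: `Export`, let the user edit the fields, `Save`. Two design choices matter for compliance. Erasure refuses to delete locally while any processor fails to confirm, so the request can be retried rather than silently leaving a copy at a third party; and because the key is destroyed with the record, a database backup taken last month still contains only ciphertext that nobody can read any more, which is how "delete from backups too" becomes tractable.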
If you are already following app development and cybersecurity best practices, you probably have most of the technical requirements covered. It still pays to go back and review the whole application against the GDPR requirements: where personal data enters, where it is stored and encrypted, who it is shared with, and how access and erasure requests are handled end to end.
For businesses with the resources, it is best to take it a step further and commission security audits and penetration testing of the app and its backend.