Disclaimer: this article contains only some general information about GDPR. In order to make sure that your business is GDPR compliant, you should get professional assistance from a lawyer.
Have you heard of GDPR? Of course you have! If you run a business or work with data of your company’s clients, partners or employees, it’s probably one of your major concerns now. Long story short: you simply need to do your best to take care of the data entrusted to you in the right way.
However, the challenges you face are slightly different in each scenario. In this article, I'll try to cover the case in which you have a web application that requires users to create an account.
If you somehow still don't know what this whole fuss is about and how it affects creators of web applications, I recommend you start by reading this article: What is GDPR and how does it affect my business? But if you are already familiar with the basics, it's time to have a look at what you need to do in order to make your app GDPR-compliant.
Do I need to implement any changes?
According to the official text of the Regulation, GDPR binds both the "controller" and the "processor". The controller is
a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; (Chapt. 1, Art. 4(7))
and the processor is
a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. (Chapt. 1, Art. 4(8))
If you run a web application and decide what data about your users it collects and why, you are the controller. The hosting, e-mail, payment or analytics providers that handle that data for you are your processors, and Art. 28 requires a written contract with each of them. Speaking straight: GDPR affects all the companies, agencies, organizations and anyone else who processes personal data of their clients, users, or subscribers. No matter whether it's for the purpose of sales, marketing, or providing a service: if you process personal data of people who are in the EU, or your organization is established in the EU (Art. 3), you must make sure that your product complies with the Regulation.
What do we understand by 'personal data'? Art. 4(1) defines it as any information relating to an identified or identifiable natural person, and an identifier can be, for instance:
- a name
- an identification number
- location data
- an online identifier, such as an IP address, a cookie ID or a device ID (Recital 30)
- an email address or a phone number
- factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Note that biometric data used to identify someone (face, fingerprint or iris recognition) and genetic data are "special categories" of personal data under Art. 9, and processing them is prohibited unless one of the exceptions listed in that article applies.
To sum it up, if your app has an option to set up an account, requires payments, or uses tools for analytics and remarketing – you need to make sure that it is compliant with the GDPR.
What aspects of GDPR apply to web applications?
GDPR is a complex act of law describing the new regulations for data protection and privacy for individuals within the EU. Its most important aspects regarding web applications are:
1. A lawful basis for processing, which usually means consent.
You may only process personal data if one of the lawful bases in Art. 6 applies. Processing that is strictly necessary to provide the service the user signed up for (creating the account, delivering what they ordered) can rest on your contract with them (Art. 6(1)(b)); anything beyond that, such as marketing e-mails or handing data to an advertising partner, needs the user's consent. Consent must be freely given, specific, informed and unambiguous (Art. 4(11), Art. 7), and there is no such thing as implied consent: silence, pre-ticked checkboxes or inactivity do not count (Recital 32). The fact that users fill in a form on your website or in your app does not mean that they want to receive emails from you or that they agree to any other use of that data. You must also be able to demonstrate later that consent was given (Art. 7(1)), so record when it was given and what the user was shown.
2. Comprehensive information about how the data will be used.
When you collect personal data you must tell the user who the controller is, what the data is used for and on which legal basis, how long it is kept, who it is shared with, and which rights they have (Art. 13). Don't forget about cookies! If you use them to collect any analytics data or for remarketing, you need to say so and list all third-party companies that will have access to that data. Speaking of which...
3. Information about third-party companies.
If any other companies have access to information about your users through your app, the users have a right to know. Therefore, you should list all these companies and state why you share data with each of them; if they process the data on your behalf, you also need the Art. 28 contract with them mentioned above.
4. Easy access to the user's own data.
Users have the right to obtain a copy of the personal data you hold about them, together with the purposes, recipients and retention period (Art. 15), and to receive it in a structured, machine-readable format they can take to another service (Art. 20). This information should be presented in a clear and understandable way (Art. 12). That means you need to provide easy access to that information and make sure it's simple and comprehensible.
5. The right to be forgotten.
When a user no longer wants you to process their data, you need to delete it (the right to erasure, Art. 17). The option to unsubscribe or to delete an account should be easy to find and to follow. Plan how the deletion reaches every copy of the data, including logs and backups, and remember that Art. 19 obliges you to tell each recipient you disclosed the data to about the erasure.
6. The right to know when the user's data has been breached.
If personal data is breached, you must notify your supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people concerned (Art. 33), and you must inform the affected users themselves without undue delay when the breach is likely to result in a high risk to them (Art. 34). That presumes you can detect a breach in the first place, so keep access and audit logs for the systems that hold personal data. And of course, it's your duty to prevent it from happening at all, by taking care of data security and following all the procedures regarding its safety.
In order to follow these regulations, there is a list of changes that you need to implement in your organization (we will cover this topic next week) and the changes you probably need to implement in your software product. They will help you make sure that your users are aware of how (and why) you store their data, of their rights regarding their data, and assure them about the security of that data.
What changes should I implement in the app?
In order to make sure that your app is GDPR compliant, you need to:
- Add consent checkboxes to your signup forms (if you don't have them yet). They should be explicit, informative and easy to understand. They must not be preselected (no implied consent, right?), and there should be a separate box for each purpose, so that accepting the terms of service is not bundled with agreeing to marketing e-mails: Recital 43 says consent is presumed not to be freely given if separate consent cannot be given to separate processing operations. Each box should state briefly how the collected data will be processed and link to the full notice. Whatever the form shows, the server must treat a missing checkbox as "no" and record when, and under which version of the notice, each "yes" was given.
- Check what tracking codes you have in your app (analytics scripts, remarketing pixels, tag managers). Make sure each of them is really necessary for you to analyze the behavior of your app's users, that you know what data it collects and where it sends it, and that you have access to all the data these codes collect, because you will have to list these companies in your privacy notice and answer access requests about the data they hold.
- Update your Terms of Service. A complete document usually covers:
  - Disambiguation/definition of key words and phrases
  - User rights and responsibilities
  - Proper or expected usage; definition of misuse
  - Accountability for online actions, behavior, and conduct
  - Payment details such as membership or subscription fees, etc.
  - Opt-out policy describing the procedure for account termination, if available
  - Arbitration detailing the dispute resolution process and limited rights to take a claim to court
  - Disclaimer/Limitation of Liability clarifying the site's legal liability for damages incurred by users
  - User notification upon modification of terms, if offered
Remember to make sure that your users read the updated document! A good practice is to send an email listing the changes and linking to the full document. Here is an example:
- Store all the data in a safe place. Make sure that unauthorized people cannot get to it: restrict database access to the application and the few people who need it, keep personal data out of logs and error messages, and collect only what you actually need in the first place (data minimisation, Art. 5(1)(c)). We will write more about it in the next article, covering the changes that you need to make in your organization.
As for the app itself, the Regulation requires you to evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as pseudonymisation and encryption (Art. 32, Recital 83). Focus particularly on the data from registration forms, as they contain the most directly identifying data: name, email address or phone number. Encrypt these fields at rest with a key that is not stored next to the data, and never store passwords in a recoverable form at all: keep only a salted hash produced by a slow password-hashing function such as bcrypt, scrypt or Argon2.
- Make sure sessions and cookies expire and are destroyed after logout. Give sessions a finite lifetime on the server, invalidate the server-side session record when the user logs out (clearing the cookie in the browser alone is not enough, since a copy of the session ID that was captured elsewhere would keep working), and set the session cookie with the Secure, HttpOnly and SameSite attributes so that it is not sent over plain HTTP, cannot be read by injected scripts and is not attached to cross-site requests.
- Enforce secure communications through HTTPS. If you don't have a TLS certificate yet (still commonly called an SSL certificate), it's high time you got one! It protects the integrity of your website and the privacy and security of your users, and it's a requirement for many new browser features. Redirect every plain-HTTP request to HTTPS and send a Strict-Transport-Security header so that browsers stop trying plain HTTP for your site at all.
Note that implementing the changes inside the app alone does not make you ready for the GDPR. The next step is to implement changes regarding data administration, sales and marketing in your organization. We will write about these in the next article.