The GDPR, enforced since May 2018, has heavily affected the way online businesses process their users’ data. The law applies to all organizations that operate in Europe or have EU citizens among their users. One of the principal directives of the GDPR is to give users control over the personal data that web and mobile services collect about them. If you want to implement a GDPR compliant mobile app, you should incorporate the following guidelines.
Gather as little personal data as possible
Your app should store as few of the users’ personal details as possible. While this won’t work for every app, it is better to collect only the essential amount of data required for your app to function.
Provide data encryption
In order to protect users’ personal information, use strong encryption algorithms. One of the most widespread methods is hashing, which is one-way: the stored value cannot be turned back into the original data. This will limit data exposure if there is a breach.
Use single sign-on protocols
Provide your users with an option to register in your app via their other accounts. Acquiring their authentication ID is more than enough.
Secure external communications
Use HTTPS or SSL for your website to encrypt personal information even if your app doesn’t require authentication. Otherwise the collected data will be vulnerable to exposure. Ensure that the SSL certificate is properly deployed and secures all connections from your app.
Destroy cookies after user’s logout
Do not force cookies on users of your app: allow people to choose whether or not to accept them. Moreover, all sessions and cookies must expire or be erased after the user has logged out of your app.
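The server side of that rule, as an added Python example that is not from the original article: a session store that revokes the session record at logout (clearing the cookie in the client alone is not enough, since a copied cookie would still work), enforces an idle timeout and an absolute lifetime, and emits the cookie attributes to send. The timeout values, the `session` cookie name and the injectable clock are constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed policy values for this example.
IDLE_TIMEOUT_SECONDS = 15 * 60        # unused for this long -> dead
ABSOLUTE_LIFETIME_SECONDS = 8 * 3600  # cannot outlive this, however active
COOKIE_NAME = "session"


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


class SessionStore:
    """In-memory session table. `now` is injectable so expiry is testable without sleeping."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._sessions: Dict[str, Session] = {}

    def login(self, user_id: str) -> str:
        # 32 random bytes, URL-safe: an unguessable session identifier.
        token = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[token] = Session(user_id, t, t)
        return token

    def user_for(self, token: str) -> Optional[str]:
        """Return the user id for a live session; expired sessions are purged and yield None."""
        s = self._sessions.get(token)
        if s is None:
            return None
        t = self._now()
        if (t - s.last_seen > IDLE_TIMEOUT_SECONDS
                or t - s.created_at > ABSOLUTE_LIFETIME_SECONDS):
            del self._sessions[token]
            return None
        s.last_seen = t
        return s.user_id

    def logout(self, token: str) -> None:
        """Server-side revocation: the token is useless afterwards even if a copy survives."""
        self._sessions.pop(token, None)

    def logout_everywhere(self, user_id: str) -> int:
        """Revoke every session of one user, e.g. after a password change or an erasure request."""
        doomed = [tok for tok, s in self._sessions.items() if s.user_id == user_id]
        for tok in doomed:
            del self._sessions[tok]
        return len(doomed)

    def set_cookie_header(self, token: str) -> str:
        """Set-Cookie value for a new session: HTTPS only, not readable by scripts, bounded lifetime."""
        return (f"{COOKIE_NAME}={token}; Max-Age={ABSOLUTE_LIFETIME_SECONDS}; Path=/; "
                "Secure; HttpOnly; SameSite=Lax")

    def clear_cookie_header(self) -> str:
        """Set-Cookie value sent at logout so the client discards the cookie immediately."""
        return f"{COOKIE_NAME}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("alice")
    print(store.set_cookie_header(tok))
    print("before logout:", store.user_for(tok))
    store.logout(tok)
    print("after logout:", store.user_for(tok))
    print(store.clear_cookie_header())
```

Both headers matter: `Max-Age=0` makes the browser or HTTP client drop the cookie, while `logout` makes the server forget it, so neither side keeps the session alive.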
Ask for users’ consent for tracking
Make sure it’s up to users whether you may track their Internet activity for the sake of business intelligence. Clearly explain to them how long you will store their search history and offer an option to stop the tracking at any time.
Ensure log encryption
Store logs that contain user information in a safe place and encrypt them with reliable algorithms.
Make your terms and conditions clear
According to the GDPR, the page or screen with the terms and conditions needs to pop up during onboarding and remain accessible within the app afterwards. Users should be able to use your app once they have agreed to the terms and conditions. Each time the terms are changed, publish the update and ask for the user’s consent again.
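One way to keep the consent bookkeeping honest for both the tracking opt-in described earlier and the terms re-acceptance described here, as an added Python example that is not from the original article: an append-only consent ledger that records which version of the terms or tracking notice a user agreed to and when, treats a changed version as "consent missing" so the app asks again, lets the user withdraw tracking at any time, and gates every tracking event on a live consent. Purpose names, version strings and the `track` helper are constructed for the example.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Purposes a user consents to separately (constructed names for this example).
PURPOSE_TERMS = "terms_and_conditions"
PURPOSE_TRACKING = "activity_tracking"


@dataclass
class ConsentRecord:
    purpose: str
    version: str                 # version of the terms or notice the user actually saw
    granted_at: float
    withdrawn_at: Optional[float] = None


class ConsentLedger:
    """Append-only record of what each user agreed to and when; history is never overwritten."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._records: Dict[Tuple[str, str], List[ConsentRecord]] = {}

    def grant(self, user_id: str, purpose: str, version: str) -> ConsentRecord:
        rec = ConsentRecord(purpose, version, self._now())
        self._records.setdefault((user_id, purpose), []).append(rec)
        return rec

    def withdraw(self, user_id: str, purpose: str) -> bool:
        """Mark every live consent for this purpose withdrawn; returns False if there was none."""
        live = [r for r in self._records.get((user_id, purpose), []) if r.withdrawn_at is None]
        t = self._now()
        for rec in live:
            rec.withdrawn_at = t
        return bool(live)

    def has_consent(self, user_id: str, purpose: str, current_version: str) -> bool:
        """True only for an unwithdrawn consent to the *current* version of the text."""
        return any(
            r.withdrawn_at is None and r.version == current_version
            for r in self._records.get((user_id, purpose), [])
        )

    def must_reaccept_terms(self, user_id: str, current_terms_version: str) -> bool:
        """Show the terms screen again whenever the user has not accepted the current version."""
        return not self.has_consent(user_id, PURPOSE_TERMS, current_terms_version)

    def tracking_allowed(self, user_id: str, current_notice_version: str) -> bool:
        return self.has_consent(user_id, PURPOSE_TRACKING, current_notice_version)

    def history(self, user_id: str, purpose: str) -> List[ConsentRecord]:
        """Evidence of consent for audits and for answering access requests."""
        return list(self._records.get((user_id, purpose), []))


def track(ledger: ConsentLedger, user_id: str, notice_version: str,
          event: str, sink: List[Tuple[str, str]]) -> bool:
    """Record an analytics event only if tracking consent is live; returns whether it was kept."""
    if not ledger.tracking_allowed(user_id, notice_version):
        return False
    sink.append((user_id, event))
    return True


if __name__ == "__main__":
    ledger = ConsentLedger()
    print("ask for terms:", ledger.must_reaccept_terms("u1", "2024-05"))
    ledger.grant("u1", PURPOSE_TERMS, "2024-05")
    print("ask again after terms change:", ledger.must_reaccept_terms("u1", "2025-01"))
    events: List[Tuple[str, str]] = []
    print("tracked without consent:", track(ledger, "u1", "v1", "search:shoes", events))
    ledger.grant("u1", PURPOSE_TRACKING, "v1")
    print("tracked with consent:", track(ledger, "u1", "v1", "search:shoes", events))
    ledger.withdraw("u1", PURPOSE_TRACKING)
    print("tracked after withdrawal:", track(ledger, "u1", "v1", "search:boots", events))
```

Keying consent on the version string is what turns "the terms changed" into "consent is missing" automatically; the withdrawn records are kept because they are your evidence of when consent started and stopped.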
Notify users about data breaches
Under one of the GDPR directives you should inform users about data breaches in a timely manner. Adjust your data breach policy accordingly and define the steps you will follow if your users’ personal data leaks onto the Internet or is otherwise exposed.
Tell users about who you share their data with
If you use third-party services, such as advertising providers, analytics or push notification services, to collect and process user data, you should mention it in the terms and conditions. Make sure that your partners are also GDPR compliant and don’t have privacy issues.
Respect users’ right to be forgotten
If users want to stop using your service, you should satisfy their request. Delete the user account and all related data when they cancel your service. Moreover, you should also grant data erasure whenever a user asks for it. Make sure to inform the third-party affiliates if they need to delete the user’s information from their servers as well.
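The erasure step above, as an added Python example that is not from the original article: one function that removes the account and every row tied to the user across the other tables, produces the list of deletion requests owed to each third party that received the user’s data, and returns a report so the app can prove what was removed; a second function checks afterwards that nothing still references the user. The in-memory tables, partner names and sample rows are constructed stand-ins for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class ErasureReport:
    user_id: str
    deleted: Dict[str, int] = field(default_factory=dict)            # table -> rows removed
    partner_requests: List[Tuple[str, str]] = field(default_factory=list)  # (partner, user)


class UserDataStores:
    """Constructed in-memory stand-ins for the tables that hold personal data."""

    def __init__(self) -> None:
        self.accounts: Dict[str, dict] = {}
        self.search_history: List[dict] = []
        self.push_tokens: List[dict] = []
        # which third parties received this user's data (user id -> partner names)
        self.shared_with: Dict[str, Set[str]] = {}


# Every table that is keyed by user_id must be listed here; a table missing from
# this list is exactly the kind of leftover an erasure audit finds later.
USER_KEYED_TABLES = ("search_history", "push_tokens")


def erase_user(stores: UserDataStores, user_id: str) -> ErasureReport:
    """Delete the account, all related rows, and queue deletion requests to partners."""
    report = ErasureReport(user_id)
    # 1. The account record itself.
    report.deleted["accounts"] = 1 if stores.accounts.pop(user_id, None) is not None else 0
    # 2. Everything keyed to the user in the other tables.
    for table in USER_KEYED_TABLES:
        rows = getattr(stores, table)
        kept = [row for row in rows if row["user_id"] != user_id]
        report.deleted[table] = len(rows) - len(kept)
        setattr(stores, table, kept)
    # 3. Every partner that holds a copy gets a deletion request, in a stable order.
    for partner in sorted(stores.shared_with.pop(user_id, set())):
        report.partner_requests.append((partner, user_id))
    return report


def remaining_references(stores: UserDataStores, user_id: str) -> int:
    """Post-erasure check: count anything that still points at the user (should be 0)."""
    count = 1 if user_id in stores.accounts else 0
    for table in USER_KEYED_TABLES:
        count += sum(1 for row in getattr(stores, table) if row["user_id"] == user_id)
    count += 1 if user_id in stores.shared_with else 0
    return count


def sample_stores() -> UserDataStores:
    """Constructed sample data for the demonstration."""
    s = UserDataStores()
    s.accounts = {"u1": {"email": "u1@example.test"}, "u2": {"email": "u2@example.test"}}
    s.search_history = [
        {"user_id": "u1", "q": "running shoes"},
        {"user_id": "u2", "q": "rain jacket"},
        {"user_id": "u1", "q": "hiking boots"},
    ]
    s.push_tokens = [{"user_id": "u1", "token": "device-token-placeholder"}]
    s.shared_with = {"u1": {"analytics.example", "ads.example"}}
    return s


if __name__ == "__main__":
    stores = sample_stores()
    report = erase_user(stores, "u1")
    print("deleted:", report.deleted)
    print("send to partners:", report.partner_requests)
    print("leftover references:", remaining_references(stores, "u1"))
```

Keeping the list of user-keyed tables in one place and running `remaining_references` after every erasure turns "delete all related data" from a promise into something you can check, and the partner list in the report is the to-do list for the third-party notifications the text requires.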