How do you develop a privacy and GDPR friendly app?

Developing an app comes with many choices: design, user-friendliness, software, investments, and so on. Since there is so much to consider, most companies are not so eager to add another task on their already too long to-do list. The privacy side of the app is therefore often underexposed. Unfortunately, you cannot get away with such a lax attitude in the GDPR era. Aside from possible fines, users are also becoming increasingly conscious about their privacy. Moreover, it are often mobile applications that cause the most embarrassing privacy scandals. Since apps generally process large amounts of data, this is also not very surprising.

On a positive note: Privacy can also provide an opportunity for you as an app provider. With a privacy-friendly app you can differentiate from your competitors and simultaneously show your users that you take their privacy seriously.

Well, the key question remains of course how do you actually launch an app that is privacy-okay. In this blog I explain what you should take into account.

Why is the GDPR relevant for app providers?

Mobile applications can process a huge amount of personal data. For example, an app can:

Determine the exact location of a user;
Access photos stored on user's phone;
Collect login information from social media channels.

The chance that you will not process personal data with your app (and the GDPR does not apply) is small. I am thinking, for example, of an app that has anonymized all data. Still, the basic principle is that you as an app provider must take the GDPR into account and are actually responsible for compliance with privacy legislation.

But how do you do that, taking the GDPR into account ?

Personal information being saved in an app

Privacy requires customization

I am afraid that I will have to start with a somewhat disappointing message: a one size fits all scenario is unfortunately out of question: privacy requires customization. For example, if you develop a health app, you process so-called sensitive personal data (data that are sensitive by nature and therefore receive extra protection in the law). To be able to process sensitive personal data (such as data about someone's health) you must ask for explicit consent. Explicit means, among other things, that you cannot get away with already ticked boxes or implicit consent (“if you scroll further, we assume that you agree to the processing of your data”). The user of the app must therefore actively give his consent.

Does your app also target children? In that case, be aware that the GDPR contains strict(er) safeguards for the processing of children's data.

Despite the fact that developing a privacy-friendly app requires customization, there are 3 questions that every app provider should start with:

# 1: What type of data do I collect and use?

# 2: Why do I process personal data?

# 3: With whom is this data shared and for what purposes ?

Answering these 3 questions often takes a long time. One tip: sketch it! By drawing the data streams, it becomes a lot clearer.

You need a legal basis

To be able to process personal data as an app provider, you need a valid legal basis. The collection of data without a legal basis is not allowed. The GDPR contains 6 principles:

Consent
Necessary for the execution of the agreement
Compliance with a legal obligation
Legitimate interest
Public task
Protecting a vital interest

GDPR check, ask for permission to your users?

After you have mapped out exactly which data flows there are, you will have to check on which basis(s) you can base your processing(s). It is advisable to involve a privacy lawyer in this process, as you want to prevent working from a wrongly chosen basis. For example, it is a misunderstanding that you must always ask for consent (basis 1) for the processing of personal data. Although the basis of “consent” is certainly a common one, it does not always have to be used. Asking for consent when not needed can even be unwise. After all, asking for consent under the GDPR is subject to quite strict requirements. In addition, you must take into account that the user can withdraw his consent at any time. Using consent as a basis by default is therefore not really useful (and that is an understatement).

6 privacy principles to keep in mind

The GDPR contains a number of (6 to be precise) principles that must be observed when processing personal data. As an app provider, it is therefore important to familiarize yourself with these principles and to include them in the development of your app.

# 1 Legality, fairness and transparency

Be transparent to the user about who you are and what, how and why you process personal data. This includes including a privacy statement in your app. Make sure that the privacy statement is easy to find and legible.

Be aware that the user of your app has various privacy rights. The app must therefore be designed in such a way that the user is actually able to exercise his rights.

Transparency also means that you do not secretly make updates that could affect the user's privacy. If an update can affect the user's privacy, you must give the user the opportunity to agree to it.

# 2 Purpose limitation

You may only process data for a pre-specified specific purpose and you may not, in principle, (re)use this data for another purpose. While it may be tempting to formulate a very general purpose, such as “to provide our services”, this is not permitted under the GDPR. At the same time, you don't want to cut yourself off by being too specific. You may therefore not just further process the collected personal data without informing the user and having obtained his consent.

Do you not want to ask for permission (again) but still use the received data for a different purpose? Then it may be interesting to check whether the personal data can be anonymised.

# 3 Minimise data processing

The principle of 'data minimisation' is actually very straightforward: do not collect personal data that you do not need. In other words, check which personal data you really need (and which you don't). If knowing the user's country is enough for your app, then you are not supposed to ask for the user's exact location. Collecting for the sake of collecting should therefore not be the intention.

# 4 Correctness

If you have a legal basis to process personal data, you should ensure that the data you process is correct and up to date. Data which is no longer valid needs to be deleted or corrected. It is important that you allow the user of your app to keep his data up-to-date (for example, in his own account settings).

# 5 Storage limitation

The basic principle is that you may not keep personal data longer than necessary for the purpose of processing. You must therefore destroy or delete data (anonymization is also included here) if it is no longer necessary. For example, it is not privacy okay to treat deleted accounts only as 'inactive users'. Data from such ‘inactive’ users will really have to be deleted after a certain period of time.

By the way, you should be aware of the fact that the users of your app also have a so-called 'right to forget'. In other words, you must be able to delete data when you are requested to do so.

# 6 Integrity and Confidentiality

As an app provider you have a certain responsibility towards your users. For example, you must ensure that all personal data is protected against unauthorized or unlawful processing. For this reason, you must take certain organizational and technical measures. Consider, for example, implementing a control mechanism in your app, with which unauthorized access to a user account can be traced. This also includes encryption or pseudonymisation of data.

Are you able to respond to a privacy request?

The user of your app has certain privacy rights according to the GDPR, such as the right to access data, the right for data portability, etc. As an app provider, you must be able to respond to such requests. Do not wait until the first request comes in and you have to go googling for “privacy rights” in a fit of panic, but make a plan of action before the app is launched. For example, it might be interesting for you to engage a privacy officer who will take care of such requests.

Respond to privacy requests of your user

Privacy is never finished

Privacy is not something you can wrap up and forget. To stay privacy-okay, you will have to regularly evaluate your app. That privacy is never 'ready', is also evident from Article 32 GDPR, which states that organizations must take 'appropriate technical and organizational measures' to protect personal data. What is 'appropriate' depends, among other things, on the state of the art. So schedule a moment once in a while to take a close look at the privacy of your app and stay informed of relevant technological developments.

About the author

Hester is a jurist and co-founder of the Spaans&Spaans legal office and prefers to deal with matters that are at the intersection of technology and law.

She has completed several masters in law at the University of Amsterdam and had the privilege of studying for six months at the University of Hong Kong. Frustrated by the dusty legal world, she decided to take matters into her own hands and start as an entrepreneur. Customers describe her as professional, thorough and pragmatic.

Hester shares her legal knowledge through platforms such as Frankwatching and Internet Marketing Unie. In order to keep her knowledge up to date, she is a member of various trade unions such as the Copyright Association.