6 privacy principles to keep in mind
The GDPR contains six principles that must be observed when processing personal data. As an app provider, it is therefore important to familiarize yourself with these principles and to take them into account in the development of your app.
# 1 Legality, fairness and transparency
Be transparent to the user about who you are and what personal data you process, how, and why. This includes providing a privacy statement in your app. Make sure that the privacy statement is easy to find and legible.
Be aware that the user of your app has various privacy rights. The app must therefore be designed in such a way that the user is actually able to exercise these rights.
Transparency also means that you do not secretly make updates that could affect the user's privacy. If an update can affect the user's privacy, you must give the user the opportunity to agree to it.
# 2 Purpose limitation
You may only process data for a specific purpose defined in advance, and in principle you may not (re)use this data for another purpose. While it may be tempting to formulate a very general purpose, such as “to provide our services”, this is not permitted under the GDPR. At the same time, you don't want to box yourself in by being too specific. You may not simply process the collected personal data further without informing the user and obtaining the user's consent.
Do you want to use the received data for a different purpose without asking for permission (again)? Then it may be worth checking whether the personal data can be anonymised.
# 3 Minimise data processing
The principle of 'data minimisation' is actually very straightforward: do not collect personal data that you do not need. In other words, check which personal data you really need (and which you don't). If knowing the user's country is enough for your app, then you are not supposed to ask for the user's exact location. Collecting for the sake of collecting should therefore not be the intention.
# 4 Correctness
If you have a legal basis to process personal data, you should ensure that the data you process is correct and up to date. Data that is no longer valid needs to be deleted or corrected. It is important that you allow the users of your app to keep their data up to date (for example, in their own account settings).
# 5 Storage limitation
The basic principle is that you may not keep personal data longer than necessary for the purpose of processing. You must therefore destroy or delete data (anonymisation also counts here) if it is no longer necessary. For example, it is not acceptable from a privacy perspective to treat deleted accounts only as 'inactive users'. Data from such ‘inactive’ users will really have to be deleted after a certain period of time.
Be aware that the users of your app also have a so-called 'right to be forgotten'. In other words, you must be able to delete data when you are requested to do so.
# 6 Integrity and Confidentiality
As an app provider you have a certain responsibility towards your users. For example, you must ensure that all personal data is protected against unauthorized or unlawful processing. For this reason, you must take certain organizational and technical measures. Consider, for example, implementing a control mechanism in your app that makes it possible to trace unauthorized access to a user account. Such measures also include encryption or pseudonymisation of data.