Hester SpaansOn a positive note: Privacy can also provide an opportunity for you as an app provider. With a privacy-friendly app you can differentiate from your competitors and simultaneously show your users that you take their privacy seriously.
Well, the key question remains of course how do you actually launch an app that is privacy-okay. In this blog I explain what you should take into account.
Why is the GDPR relevant for app providers?
Mobile applications can process a huge amount of personal data. For example, an app can:
- Determine the exact location of a user;
- Access photos stored on user's phone;
- Collect login information from social media channels.
The chance that you will not process personal data with your app (and the GDPR does not apply) is small. I am thinking, for example, of an app that has anonymized all data. Still, the basic principle is that you as an app provider must take the GDPR into account and are actually responsible for compliance with privacy legislation.
But how do you do that, taking the GDPR into account ?
Privacy requires customization
I am afraid that I will have to start with a somewhat disappointing message: a one size fits all scenario is unfortunately out of question: privacy requires customization. For example, if you develop a health app, you process so-called sensitive personal data (data that are sensitive by nature and therefore receive extra protection in the law). To be able to process sensitive personal data (such as data about someone's health) you must ask for explicit consent. Explicit means, among other things, that you cannot get away with already ticked boxes or implicit consent (“if you scroll further, we assume that you agree to the processing of your data”). The user of the app must therefore actively give his consent.
Does your app also target children? In that case, be aware that the GDPR contains strict(er) safeguards for the processing of children's data.
Despite the fact that developing a privacy-friendly app requires customization, there are 3 questions that every app provider should start with:
- What type of data do I collect and use?
- Why do I process personal data?
- With whom is this data shared and for what purposes ?
Answering these 3 questions often takes a long time. One tip: sketch it! By drawing the data streams, it becomes a lot clearer.
You need a legal basis
To be able to process personal data as an app provider, you need a valid legal basis. The collection of data without a legal basis is not allowed. The GDPR contains 6 principles:
- Consent
- Necessary for the execution of the agreement
- Compliance with a legal obligation
- Legitimate interest
- Public task
- Protecting a vital interest
After you have mapped out exactly which data flows there are, you will have to check on which basis(s) you can base your processing(s). It is advisable to involve a privacy lawyer in this process, as you want to prevent working from a wrongly chosen basis. For example, it is a misunderstanding that you must always ask for consent (basis 1) for the processing of personal data. Although the basis of “consent” is certainly a common one, it does not always have to be used. Asking for consent when not needed can even be unwise. After all, asking for consent under the GDPR is subject to quite strict requirements. In addition, you must take into account that the user can withdraw his consent at any time. Using consent as a basis by default is therefore not really useful (and that is an understatement).
6 privacy principles to keep in mind
The GDPR contains a number of (6 to be precise) principles that must be observed when processing personal data. As an app provider, it is therefore important to familiarize yourself with these principles and to include them in the development of your app.
# 1 Legality, fairness and transparency
Be transparent to the user about who you are and what, how and why you process personal data. This includes including a privacy statement in your app. Make sure that the privacy statement is easy to find and legible.
Be aware that the user of your app has various privacy rights. The app must therefore be designed in such a way that the user is actually able to exercise his rights.
Transparency also means that you do not secretly make updates that could affect the user's privacy. If an update can affect the user's privacy, you must give the user the opportunity to agree to it.
# 2 Purpose limitation
You may only process data for a pre-specified specific purpose and you may not, in principle, (re)use this data for another purpose. While it may be tempting to formulate a very general purpose, such as “to provide our services”, this is not permitted under the GDPR. At the same time, you don't want to cut yourself off by being too specific. You may therefore not just further process the collected personal data without informing the user and having obtained his consent.
Do you not want to ask for permission (again) but still use the received data for a different purpose? Then it may be interesting to check whether the personal data can be anonymised.
# 3 Minimise data processing
The principle of 'data minimisation' is actually very straightforward: do not collect personal data that you do not need. In other words, check which personal data you really need (and which you don't). If knowing the user's country is enough for your app, then you are not supposed to ask for the user's exact location. Collecting for the sake of collecting should therefore not be the intention.
# 4 Correctness
If you have a legal basis to process personal data, you should ensure that the data you process is correct and up to date. Data which is no longer valid needs to be deleted or corrected. It is important that you allow the user of your app to keep his data up-to-date (for example, in his own account settings).
# 5 Storage limitation
The basic principle is that you may not keep personal data longer than necessary for the purpose of processing. You must therefore destroy or delete data (anonymization is also included here) if it is no longer necessary. For example, it is not privacy okay to treat deleted accounts only as 'inactive users'. Data from such ‘inactive’ users will really have to be deleted after a certain period of time.
By the way, you should be aware of the fact that the users of your app also have a so-called 'right to forget'. In other words, you must be able to delete data when you are requested to do so.
# 6 Integrity and Confidentiality
As an app provider you have a certain responsibility towards your users. For example, you must ensure that all personal data is protected against unauthorized or unlawful processing. For this reason, you must take certain organizational and technical measures. Consider, for example, implementing a control mechanism in your app, with which unauthorized access to a user account can be traced. This also includes encryption or pseudonymisation of data.
Are you able to respond to a privacy request?
The user of your app has certain privacy rights according to the GDPR, such as the right to access data, the right for data portability, etc. As an app provider, you must be able to respond to such requests. Do not wait until the first request comes in and you have to go googling for “privacy rights” in a fit of panic, but make a plan of action before the app is launched. For example, it might be interesting for you to engage a privacy officer who will take care of such requests.
Privacy is never done
Privacy is not something you can wrap up and forget. To stay privacy-okay, you will have to regularly evaluate your app. That privacy is never 'ready', is also evident from Article 32 GDPR, which states that organizations must take 'appropriate technical and organizational measures' to protect personal data. What is 'appropriate' depends, among other things, on the state of the art. So schedule a moment once in a while to take a close look at the privacy of your app and stay informed of relevant technological developments.
Martijn Imhoff
Bas de Vaan
Katja van Weert
