GDPR and its implications for app developers

The General Data Protection Regulation (GDPR) takes effect on 25th May 2018, and enterprises across the globe are already preparing to update their data privacy rules to comply with it.

In this article, we will outline what GDPR means for app owners and how they can ensure that their app is GDPR compliant.

What is GDPR?

GDPR is a set of regulations that every enterprise collecting user data should comply with. The primary objective of GDPR is to give control to citizens and residents over their personal data and to simplify the regulatory environment for businesses by unifying the regulation within the EU (European Union).

Although most European countries have their individual data privacy laws, GDPR aims to standardize these rules and make safeguarding users’ data stronger, easier, and more uniform across the EU, unifying existing data protection regulations across its 28 member states.

What are the aspects that come under GDPR?

Besides the data enterprises collect through their digital interactions with customers on websites, apps, etc., GDPR also protects user-generated data such as social media posts and personal images uploaded to any website, including images that were not uploaded by the individuals themselves. Any other uniquely personal information commonly uploaded or found online about the user also falls under the purview of GDPR.

Essentially, GDPR aims to protect all personal user data across every online platform.

Here are some of the key changes to come into effect with GDPR:

  • Expanded rights for individuals: The GDPR grants users the right to be forgotten and the right to request a copy of any personal data stored in their regard.
  • Compliance obligations: GDPR requires organizations to implement appropriate policies and security protocols, privacy impact assessments, maintain detailed records on data activities and have written agreements with vendors.
  • Data breach notification and security: Under GDPR organizations will have to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects.
  • New requirements for profiling and monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring behavior of EU individuals.
  • Increased enforcement: In case of failure to abide by GDPR regulations, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue.

What does GDPR mean for enterprises?

It means that enterprises across the globe that interact with customers in the EU region will have to ensure stringent compliance with GDPR. Even if a business doesn’t operate in the EU, it will still have to be GDPR compliant if it holds data of EU citizens.

This means businesses will need to provide, and be accountable for, answers to questions like:

  • How was the data collected?
  • How will the data be used?
  • Have users given approval to use their data?
  • How long will the business hold the user data?
  • Did the business give users a chance to opt out?
  • Can users access all the data the business holds on them if they want to?

It will also mean that businesses will have to shift from an ‘opt-out’ approach to collecting user data to an ‘opt-in’ approach, which means enterprises will have to ensure, beforehand, that users have the option not to share the data they do not want to share.

While right now this approach will only be mandated for EU-based customers, adopting it at a global scale will help enterprises in the long run, in light of the recent Facebook data fiasco.

How will GDPR affect app owners?

GDPR is one of the most significant pieces of data protection legislation introduced in the European Union, and apps will be among the platforms most affected. GDPR will also apply to websites, but for websites it will be a lot easier to comply with the changed regulations. For apps it will be more complex, since they will have to be updated with new versions of the SDKs they use for analytics.

As mentioned earlier, GDPR fundamentally ensures that no data is collected about a user, or about the device the user is associated with, unless the user specifically opts in. While app owners might by default continue to collect the data, it will be mandatory for them to give users an opt-out option.

Role of the mobile app ecosystem in the purview of GDPR

To understand GDPR it’s important to first understand the three roles in the mobile app ecosystem.

  • Data Subjects – This is you, me and everybody else who uses a mobile app.
  • Data Controller – This is the app developer or the company that develops the app.
  • Data Processor – This is the company whose SDK is integrated into the app, e.g. Localytics, CleverTap, Amplitude, MixPanel, Firebase Analytics, etc.

The revised definition of personal data

With the introduction of GDPR, the definition of personal data has changed. It goes beyond traditional personally identifiable information (name, email address, etc.) and now includes identifiers such as device sensors and IP addresses which, when combined with other data, can identify an individual. This is a huge change in the way we think about personal data.

Impact of GDPR on the app ecosystem

Although the GDPR itself is limited to the EU region, it will have a widespread impact on the entire app and analytics ecosystem. If a business has an app that uses an analytics SDK of any kind to track the user or a device, then it is affected by this regulation. If the app is available in the EU region, then it has to be updated with the latest version of the analytics SDK that complies with the GDPR.

What can app owners do to ensure GDPR compliance?

Just updating the SDK is not enough. Even if an app owner doesn’t operate in the EU region, if the app is available in this region then it is mandatory to comply with the GDPR.

Here is what enterprises and app owners would need to do:

  • Businesses will have to ask the user of the digital asset, such as a website or an app, for explicit consent on whether they would like to opt in to data collection. This can be done via a custom screen in your app, or some SDKs provide their own default dialog asking for the user’s consent.
  • Based on the user’s consent, they can use the methods in the SDK to enable or disable data collection for that user.
  • Businesses will also have to handle the case where the user uses multiple devices, in which case they have to cascade the consent setting across all of those devices based on whether the user opted in or out on the first device.
  • If a single device is used by multiple users, they also need to handle that situation, so that data continues to be collected for a user who has opted in but not for a user who has opted out, even though both are using the same device.
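
The consent-gating steps above, as an added example that is not part of the original article: consent is stored per user rather than per device, so one decision cascades to every device the user signs in on, and the gate re-checks consent on each user switch so a shared device collects data only for the opted-in user. The `AnalyticsGate` and `ConsentStore` names are assumptions; the analytics SDK it wraps is hypothetical and is not any of the vendors named above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class ConsentStore:
    """Consent keyed by user, not device, so one decision follows the user to
    all devices (constructed in-memory store; keep it server-side in practice)."""
    decisions: Dict[str, bool] = field(default_factory=dict)

    def set_consent(self, user_id: str, opted_in: bool) -> None:
        self.decisions[user_id] = opted_in

    def has_consent(self, user_id: Optional[str]) -> bool:
        # Default is opt-out: no recorded decision means no collection.
        return bool(user_id) and self.decisions.get(user_id, False)

class AnalyticsGate:
    """Sits between the app and a hypothetical analytics SDK: an event is
    forwarded only if the user currently signed in on this device opted in."""
    def __init__(self, store: ConsentStore) -> None:
        self.store = store
        self.current_user: Optional[str] = None
        self.sent: List[Tuple[str, str]] = []               # forwarded to the SDK
        self.dropped: List[Tuple[Optional[str], str]] = []  # withheld

    def sign_in(self, user_id: Optional[str]) -> bool:
        # Re-evaluate consent on every user switch (shared-device case).
        self.current_user = user_id
        return self.store.has_consent(user_id)  # caller toggles SDK collection

    def track(self, event: str) -> bool:
        if self.store.has_consent(self.current_user):
            self.sent.append((self.current_user, event))
            return True
        self.dropped.append((self.current_user, event))
        return False

def demo() -> dict:
    """Walk through the cascade and shared-device cases (constructed data)."""
    store = ConsentStore()
    phone, tablet = AnalyticsGate(store), AnalyticsGate(store)
    phone.sign_in("alice")
    store.set_consent("alice", True)   # alice opts in on her phone
    phone.track("app_open")            # forwarded
    tablet.sign_in("alice")
    tablet.track("view_item")          # consent cascades to the tablet: forwarded
    tablet.sign_in("bob")
    tablet.track("view_item")          # bob never opted in: dropped on the same tablet
    tablet.sign_in("alice")
    store.set_consent("alice", False)  # alice opts out on the tablet
    phone.track("purchase")            # opt-out cascades back to the phone: dropped
    return {"sent": phone.sent + tablet.sent, "dropped": phone.dropped + tablet.dropped}
```

The return value of `sign_in` is where a real integration would call the SDK’s own enable/disable method for the user that has just signed in.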

How will GDPR impact targeting options?

GDPR will have a huge impact on reaching customers via targeted communication. At this moment it is a bit ambiguous whether GDPR requires data processors to delete existing user profile data by default, or whether users will have to explicitly request it after the regulation comes into effect. So, at present, we can assume that app owners will be able to reach out to users whose data is still held by data processors, unless that data is also deleted.

Nonetheless, moving forward, user segmentation, targeted push notifications and marketing communications based on user demographics may become things of the past, as businesses will not be able to segment users on that basis. App owners and marketers will need to find other ways of segmenting their users, for example by interest areas.

Further, when using any Google products such as Google Analytics, Tag Manager or AdWords to personalize the ads served to customers and track their on-site actions, adhering to GDPR guidelines and getting user consent is a must.

According to Google:

“Advertisers using AdWords will be required to obtain consent for the use of cookies where legally required, and for the collection, sharing, and use of personal data for personalized ads for users in the EEA. This includes the use of remarketing tags and conversion tags. Where legally required, advertisers must also clearly identify each party that may collect, receive, or use end-users’ personal data.”

GDPR might also imply that, in the coming days, marketers will no longer be able to share additional content assets with users beyond what they have opted for. For example, if a user downloads an ebook during a lead-generation campaign, marketers will not be able to send them additional emails, newsletters, etc., unless the user opts in to additional resources from the brand. Hence, marketers will have to devise new ways to engage with their target audience.

In conclusion:

GDPR is widely regarded as one of the most ambitious consumer data protection regulations devised anywhere. While GDPR right now is limited to the EU, it will pave the way for more secure and stringent data protection laws for consumers globally.

Though initially the implementation of and compliance with this regulation might cause some difficulty for businesses, it’s important to remember that this legislation is being introduced to protect users’ rights. And while businesses aren’t required to follow such regulations elsewhere, doing so will help them in the long run to alleviate the privacy-related concerns users have about apps and other digital platforms.

Note: This is an opinion piece and enterprises must seek legal advice to ensure full compliance with GDPR regulations.

Pradeep Kumar
VP - Technology Innovations. He is a geek by nature, loves to code and write tech articles.