The Real Impacts of General Data Protection Regulation (GDPR) to EU Companies That Operate Mobile Applications

What is GDPR?

The General Data Protection Regulation (GDPR) is a new EU regulation aimed at protecting the personal data of EU citizens. Because of the broad definition of “personal data”, GDRP impacts almost every EU company, as well as non-EU companies that exchange data with them. The regulation takes effect in May 2018, which is still a long way in the future, but the complex requirements mean that companies need to start planning and taking action now.

“Personal data” is defined by GDPR as any data record that could potentially identify an individual. It shouldn’t come as a surprise that this data includes names, phone numbers, and addresses. However, it also encompasses a whole range of other subjects, including GPS locations, behavior habits, tattoos, and more.

You’ve probably already figured out that under this definition of data records, virtually all businesses will be affected. The regulation imposes obligations on companies and defines the rights of EU citizens to access information related to stored and processed personal data.

There are many articles available on the Internet about GDPR, but they are often overly complicated or rely on the FAQs from the GDPR’s official web page. However, the intentions of GDPR are, put simply:

• Right to be forgotten
• Easier access to one's data
• Right to data portability
• Right to know when one's data has been hacked
• Security by design and by default
• Stronger enforcement of the rules

The list is not a complete representation of requirements and user rights defined by GDPR. The wordings and phrases can only be interpreted by a few specialists.

So what does GDPR regulation mean to, for example, an ordinary mobile e-business operator?

What do mobile app operators need to do?

Data protection isn’t just about keeping customers’ information safe.

Data processors must keep a complete history of changes and data access, including physical access to technical equipment. They also need to be able to identify the person who made the change, requested the data, and why.

To ensure this, data processors have to create new procedures to guarantee the confidentiality of processed data at all times. Likewise, it will be also become necessary to document systems and acquire appropriate technology and software to ensure the security of transmitted data. Data processors must deploy meaningful protection to mitigate risks. If they get data from a third party, they need to define how each party will share responsibilities regarding data protection.

Inform the users

Mobile app users will see the impact of GDPR thanks to a newly added information screen when they download an app to their mobile device. All users will have to agree to a list of personal data that the mobile app will use, the length of time the data is stored for, and the purpose of the data usage. Mobile app operators must inform users about user rights regarding GDPR in a precise and understandable way.

Fulfill user request

Users can now ask if their data will be processed. They can ask for this data to be changed, or deleted entirely. When they request deletion, there must be no way to recover that data, even from backups. Data processors cannot collect data for anything other than authorization purposes and the requirements of the app itself.

Notify users during and after a security incident

You’ve probably heard about recent leaks of sensitive data from Twitter, LinkedIn or T-Mobile appears. GDPR requires companies to inform about such security incidents. Data processors must notify the national supervisory authority about the incident within 24 hours and immediately after that inform all users who might be affected. Rapid identification of security incidents requires adequate technology and continuous surveillance of mobile applications.

If companies are found to be in violation of GDPR, or refuse to cooperate with the national supervisory authority, data processors are liable to a fine of up to 20 million EUR or up to 4% of their global annual turnover. The authority can issue the sanction repeatedly.

How do you deal with GDPR requirements?

Unlike EU directives, all EU regulations must be adopted and strictly adhered to. It is EU’s intention - and one of the reasons why GDPR exists - to unify personal data protection via a centralized regulation across the whole EU. Since the regulation is finalized, companies can now immediately start planning how they will ensure they comply with the requirements.

Data Protection Officer

To facilitate introduced changes, GDPR will mean businesses need to create a Data Protection Officer position. This person will assist data processors to fulfill, control, and communicate with national authorities.

The Data Protection Officer will need to be fully qualified, and have sufficient knowledge in the field of data protection. They will be an essential liaison between the authorities and the processor. They will also act as an overseer to check if the company has adequately fulfilled all regulatory requirements, and report any security incidents.

Small organizations may find it difficult financially to set up the Data protection officer position. Fortunately, outsourcing the position, as permitted by GDPR, can partly solve this problem.

Gap analysis

In general, coping with GDPR requirements requires analysis of current situations, and assessing any areas where these requirements have yet to be fulfilled. Risk analysis will be necessary to identify vulnerabilities that require protective measures from mobile applications.

Establish new processes and modifications of existing applications

The next step will be the establishment of new processes and modification of applications to ensure maximum data security during the acquisition, transfer, storage and handling processes. It will also be necessary to integrate appropriate software or hardware to support security surveillance and auditing over operations involving data of EU citizens.

GDPR regulation has already been finalized and approved, and there is no doubt about the disruption it will cause to the processes and operations of companies in Europe.

Preparation should not be underestimated.

Take this short survey https://teskalabs.com/surveys/gdpr to see if your organization will be impacted by GDPR.

Alternatively, contact us to know more about our application security platform and prevent major cyber threats related to the apps that can affect your organizational and user data privacy.

Resource:

http://ec.europa.eu/justice/data-protection/reform/index_en.htm

About the Author

Jiri Kohout

TeskaLabs’ VP of Application Security, Jiri Kohout, brings years of experience in ICT security, having served as the Chief Information Security Officer for the Ministry of Justice and Chief Information Officer for Prague Municipal Court. He cooperated with the Czech National Security Agency to prepare the Czech Republic cyber security law.