The Real Impacts of General Data Protection Regulation (GDPR) to EU Companies That Operate Mobile Applications
What is GDPR?
The General Data Protection Regulation (GDPR) is a new EU regulation aimed at protecting the personal data of EU citizens. Because of the broad definition of “personal data”, GDRP impacts almost every EU company, as well as non-EU companies that exchange data with them. The regulation takes effect in May 2018, which is still a long way in the future, but the complex requirements mean that companies need to start planning and taking action now.
“Personal data” is defined by GDPR as any data record that could potentially identify an individual. It shouldn’t come as a surprise that this data includes names, phone numbers, and addresses. However, it also encompasses a whole range of other subjects, including GPS locations, behavior habits, tattoos, and more.
You’ve probably already figured out that under this definition of data records, virtually all businesses will be affected. The regulation imposes obligations on companies and defines the rights of EU citizens to access information related to stored and processed personal data.
There are many articles available on the Internet about GDPR, but they are often overly complicated or rely on the FAQs from the GDPR’s official web page. However, the intentions of GDPR are, put simply:
- Right to be forgotten
- Easier access to one's data
- Right to data portability
- Right to know when one's data has been hacked
- Security by design and by default
- Stronger enforcement of the rules
The list is not a complete representation of requirements and user rights defined by GDPR. The wordings and phrases can only be interpreted by a few specialists.
So what does GDPR regulation mean to, for example, an ordinary mobile e-business operator?
What do mobile app operators need to do?
Data protection isn’t just about keeping customers’ information safe.
Data processors must keep a complete history of changes and data access, including physical access to technical equipment. They also need to be able to identify the person who made the change, requested the data, and why.
To ensure this, data processors have to create new procedures to guarantee the confidentiality of processed data at all times. Likewise, it will be also become necessary to document systems and acquire appropriate technology and software to ensure the security of transmitted data. Data processors must deploy meaningful protection to mitigate risks. If they get data from a third party, they need to define how each party will share responsibilities regarding data protection.
Inform the users
Mobile app users will see the impact of GDPR thanks to a newly added information screen when they download an app to their mobile device. All users will have to agree to a list of personal data that the mobile app will use, the length of time the data is stored for, and the purpose of the data usage. Mobile app operators must inform users about user rights regarding GDPR in a precise and understandable way.
Fulfill user request
Users can now ask if their data will be processed. They can ask for this data to be changed, or deleted entirely. When they request deletion, there must be no way to recover that data, even from backups. Data processors cannot collect data for anything other than authorization purposes and the requirements of the app itself.
Notify users during and after a security incident
You’ve probably heard about recent leaks of sensitive data from Twitter, LinkedIn or T-Mobile appears. GDPR requires companies to inform about such security incidents. Data processors must notify the national supervisory authority about the incident within 24 hours and immediately after that inform all users who might be affected. Rapid identification of security incidents requires adequate technology and continuous surveillance of mobile applications.
If companies are found to be in violation of GDPR, or refuse to cooperate with the national supervisory authority, data processors are liable to a fine of up to 20 million EUR or up to 4% of their global annual turnover. The authority can issue the sanction repeatedly.
How do you deal with GDPR requirements?
Unlike EU directives, all EU regulations must be adopted and strictly adhered to. It is EU’s intention - and one of the reasons why GDPR exists - to unify personal data protection via a centralized regulation across the whole EU. Since the regulation is finalized, companies can now immediately start planning how they will ensure they comply with the requirements.
Data Protection Officer
To facilitate introduced changes, GDPR will mean businesses need to create a Data Protection Officer position. This person will assist data processors to fulfill, control, and communicate with national authorities.
The Data Protection Officer will need to be fully qualified, and have sufficient knowledge in the field of data protection. They will be an essential liaison between the authorities and the processor. They will also act as an overseer to check if the company has adequately fulfilled all regulatory requirements, and report any security incidents.
Small organizations may find it difficult financially to set up the Data protection officer position. Fortunately, outsourcing the position, as permitted by GDPR, can partly solve this problem.
Gap analysis
In general, coping with GDPR requirements requires analysis of current situations, and assessing any areas where these requirements have yet to be fulfilled. Risk analysis will be necessary to identify vulnerabilities that require protective measures from mobile applications.
Establish new processes and modifications of existing applications
The next step will be the establishment of new processes and modification of applications to ensure maximum data security during the acquisition, transfer, storage and handling processes. It will also be necessary to integrate appropriate software or hardware to support security surveillance and auditing over operations involving data of EU citizens.
GDPR regulation has already been finalized and approved, and there is no doubt about the disruption it will cause to the processes and operations of companies in Europe.
Preparation should not be underestimated.
Take this short survey https://teskalabs.com/surveys/gdpr to see if your organization will be impacted by GDPR.
Alternatively, contact us to know more about our application security platform and prevent major cyber threats related to the apps that can affect your organizational and user data privacy.
Resource:
http://ec.europa.eu/justice/data-protection/reform/index_en.htm
Most Recent Articles
- A beginner-friendly intro to the Correlator for effective cybersecurity detection
- Inotify in ASAB Library
- From State Machine to Stateless Microservice
- Entangled ways of product development in the area of cybersecurity #3 - LogMan.io
- Entangled ways of product development in the area of cybersecurity #2 - BitSwan
You Might Be Interested in Reading These Articles
The Two Real Challenges of the Internet of Things
Every week there is a new connected device on the market. A few days ago Tag Heuer launched its smartwatch with Google, and last week I saw a €39 sleep tracker in my supermarket plaster section. Tech conferences are buzzing about the Internet of Things (Consumer Electronics Show 2015, Pioneers Festival 2015).
Published on November 24, 2015
5 Reasons Why Security Matters When You Want to Go Mobile
Security is an essential part of today’s modern world, especially with the rise of computers and mobile devices. No one questions whether data centers, servers, and computers should be secure, so why are there so many questions about mobile security? Mobile devices face the same security threats and are, sometimes more susceptible to them. It is time to make mobile security a priority.
Published on June 23, 2015
The Golden Age of Black Hats
I experienced a precious moment, discovering the cause which contributed to today's dire state of mobile application security. App developers think that if their apps do not deal with money, they should not have to care about app security. Is it true?
Published on February 24, 2015