The Real Impacts of General Data Protection Regulation (GDPR) to EU Companies That Operate Mobile Applications
What is GDPR?
The General Data Protection Regulation (GDPR) is a new EU regulation aimed at protecting the personal data of EU citizens. Because of the broad definition of “personal data”, GDRP impacts almost every EU company, as well as non-EU companies that exchange data with them. The regulation takes effect in May 2018, which is still a long way in the future, but the complex requirements mean that companies need to start planning and taking action now.
“Personal data” is defined by GDPR as any data record that could potentially identify an individual. It shouldn’t come as a surprise that this data includes names, phone numbers, and addresses. However, it also encompasses a whole range of other subjects, including GPS locations, behavior habits, tattoos, and more.
You’ve probably already figured out that under this definition of data records, virtually all businesses will be affected. The regulation imposes obligations on companies and defines the rights of EU citizens to access information related to stored and processed personal data.
There are many articles available on the Internet about GDPR, but they are often overly complicated or rely on the FAQs from the GDPR’s official web page. However, the intentions of GDPR are, put simply:
- Right to be forgotten
- Easier access to one's data
- Right to data portability
- Right to know when one's data has been hacked
- Security by design and by default
- Stronger enforcement of the rules
The list is not a complete representation of requirements and user rights defined by GDPR. The wordings and phrases can only be interpreted by a few specialists.
So what does GDPR regulation mean to, for example, an ordinary mobile e-business operator?
What do mobile app operators need to do?
Data protection isn’t just about keeping customers’ information safe.
Data processors must keep a complete history of changes and data access, including physical access to technical equipment. They also need to be able to identify the person who made the change, requested the data, and why.
To ensure this, data processors have to create new procedures to guarantee the confidentiality of processed data at all times. Likewise, it will be also become necessary to document systems and acquire appropriate technology and software to ensure the security of transmitted data. Data processors must deploy meaningful protection to mitigate risks. If they get data from a third party, they need to define how each party will share responsibilities regarding data protection.
Inform the users
Mobile app users will see the impact of GDPR thanks to a newly added information screen when they download an app to their mobile device. All users will have to agree to a list of personal data that the mobile app will use, the length of time the data is stored for, and the purpose of the data usage. Mobile app operators must inform users about user rights regarding GDPR in a precise and understandable way.
Fulfill user request
Users can now ask if their data will be processed. They can ask for this data to be changed, or deleted entirely. When they request deletion, there must be no way to recover that data, even from backups. Data processors cannot collect data for anything other than authorization purposes and the requirements of the app itself.
Notify users during and after a security incident
You’ve probably heard about recent leaks of sensitive data from Twitter, LinkedIn or T-Mobile appears. GDPR requires companies to inform about such security incidents. Data processors must notify the national supervisory authority about the incident within 24 hours and immediately after that inform all users who might be affected. Rapid identification of security incidents requires adequate technology and continuous surveillance of mobile applications.
If companies are found to be in violation of GDPR, or refuse to cooperate with the national supervisory authority, data processors are liable to a fine of up to 20 million EUR or up to 4% of their global annual turnover. The authority can issue the sanction repeatedly.
How do you deal with GDPR requirements?
Unlike EU directives, all EU regulations must be adopted and strictly adhered to. It is EU’s intention - and one of the reasons why GDPR exists - to unify personal data protection via a centralized regulation across the whole EU. Since the regulation is finalized, companies can now immediately start planning how they will ensure they comply with the requirements.
Data Protection Officer
To facilitate introduced changes, GDPR will mean businesses need to create a Data Protection Officer position. This person will assist data processors to fulfill, control, and communicate with national authorities.
The Data Protection Officer will need to be fully qualified, and have sufficient knowledge in the field of data protection. They will be an essential liaison between the authorities and the processor. They will also act as an overseer to check if the company has adequately fulfilled all regulatory requirements, and report any security incidents.
Small organizations may find it difficult financially to set up the Data protection officer position. Fortunately, outsourcing the position, as permitted by GDPR, can partly solve this problem.
In general, coping with GDPR requirements requires analysis of current situations, and assessing any areas where these requirements have yet to be fulfilled. Risk analysis will be necessary to identify vulnerabilities that require protective measures from mobile applications.
Establish new processes and modifications of existing applications
The next step will be the establishment of new processes and modification of applications to ensure maximum data security during the acquisition, transfer, storage and handling processes. It will also be necessary to integrate appropriate software or hardware to support security surveillance and auditing over operations involving data of EU citizens.
GDPR regulation has already been finalized and approved, and there is no doubt about the disruption it will cause to the processes and operations of companies in Europe.
Preparation should not be underestimated.
Take this short survey https://teskalabs.com/surveys/gdpr to see if your organization will be impacted by GDPR.
Alternatively, contact us to know more about our application security platform and prevent major cyber threats related to the apps that can affect your organizational and user data privacy.
Most Recent Articles
- TeskaLabs helps LINET with cyber security compliance for medical devices
- TeskaLabs and University hospital in Pilsen launches a pilot of zScanner - open source mobile app for medical photo documentation
- EV Charging Station security demonstrator
- Five Ways AI And Machine Learning Can Enhance Cybersecurity Strategy
- C-ITS ITS-S Security microservice
You Might Be Interested in Reading These Articles
A zero-day, also called zero-hour, vulnerability is a security flaw in the code that cyber criminal can use to access your network. Zero-day attacks call for new technologies built from the ground up for today’s advanced threat landscape. There is no known fix, and by the time hackers attack, the damage is already done
Published on May 12, 2015
The Top 5 Mobile Application Security Issues You Need to Address When Developing Mobile Applications
Most recently, a lot of established companies like Snapchat, Starbucks, Target, Home Depot, etc. have been through a PR disaster. Do you know why? Simply because some attackers out there found flaws in their mobile apps and could exploit them. In fact, by the end of this year, 75% of mobile apps will fail basic security tests.
Published on November 03, 2015
TalkTalk, one of the largest providers of broadband and phone service in the UK, has recently admitted to being the victim of a large cyberattack. For those in the United States or in another country where TalkTalk’s influence isn’t as widespread, it could be considered on the same level as a Verizon or an AT&T data breach.
Published on November 10, 2015