The Real Impacts of General Data Protection Regulation (GDPR) to EU Companies That Operate Mobile Applications

What is GDPR?

The General Data Protection Regulation (GDPR) is a new EU regulation aimed at protecting the personal data of EU citizens. Because of the broad definition of “personal data”, GDRP impacts almost every EU company, as well as non-EU companies that exchange data with them. The regulation takes effect in May 2018, which is still a long way in the future, but the complex requirements mean that companies need to start planning and taking action now.

“Personal data” is defined by GDPR as any data record that could potentially identify an individual. It shouldn’t come as a surprise that this data includes names, phone numbers, and addresses. However, it also encompasses a whole range of other subjects, including GPS locations, behavior habits, tattoos, and more.

You’ve probably already figured out that under this definition of data records, virtually all businesses will be affected. The regulation imposes obligations on companies and defines the rights of EU citizens to access information related to stored and processed personal data.

There are many articles available on the Internet about GDPR, but they are often overly complicated or rely on the FAQs from the GDPR’s official web page. However, the intentions of GDPR are, put simply:

  • Right to be forgotten
  • Easier access to one's data
  • Right to data portability
  • Right to know when one's data has been hacked
  • Security by design and by default
  • Stronger enforcement of the rules

The list is not a complete representation of requirements and user rights defined by GDPR. The wordings and phrases can only be interpreted by a few specialists.

So what does GDPR regulation mean to, for example, an ordinary mobile e-business operator?

What do mobile app operators need to do?

Data protection isn’t just about keeping customers’ information safe.

Data processors must keep a complete history of changes and data access, including physical access to technical equipment. They also need to be able to identify the person who made the change, requested the data, and why.

To ensure this, data processors have to create new procedures to guarantee the confidentiality of processed data at all times. Likewise, it will be also become necessary to document systems and acquire appropriate technology and software to ensure the security of transmitted data. Data processors must deploy meaningful protection to mitigate risks. If they get data from a third party, they need to define how each party will share responsibilities regarding data protection.

Inform the users

Mobile app users will see the impact of GDPR thanks to a newly added information screen when they download an app to their mobile device. All users will have to agree to a list of personal data that the mobile app will use, the length of time the data is stored for, and the purpose of the data usage. Mobile app operators must inform users about user rights regarding GDPR in a precise and understandable way.

Fulfill user request

Users can now ask if their data will be processed. They can ask for this data to be changed, or deleted entirely. When they request deletion, there must be no way to recover that data, even from backups. Data processors cannot collect data for anything other than authorization purposes and the requirements of the app itself.

Notify users during and after a security incident

You’ve probably heard about recent leaks of sensitive data from Twitter, LinkedIn or T-Mobile appears. GDPR requires companies to inform about such security incidents. Data processors must notify the national supervisory authority about the incident within 24 hours and immediately after that inform all users who might be affected. Rapid identification of security incidents requires adequate technology and continuous surveillance of mobile applications.

If companies are found to be in violation of GDPR, or refuse to cooperate with the national supervisory authority, data processors are liable to a fine of up to 20 million EUR or up to 4% of their global annual turnover. The authority can issue the sanction repeatedly.

How do you deal with GDPR requirements?

Unlike EU directives, all EU regulations must be adopted and strictly adhered to. It is EU’s intention - and one of the reasons why GDPR exists - to unify personal data protection via a centralized regulation across the whole EU. Since the regulation is finalized, companies can now immediately start planning how they will ensure they comply with the requirements.

Data Protection Officer

To facilitate introduced changes, GDPR will mean businesses need to create a Data Protection Officer position. This person will assist data processors to fulfill, control, and communicate with national authorities.

The Data Protection Officer will need to be fully qualified, and have sufficient knowledge in the field of data protection. They will be an essential liaison between the authorities and the processor. They will also act as an overseer to check if the company has adequately fulfilled all regulatory requirements, and report any security incidents.

Small organizations may find it difficult financially to set up the Data protection officer position. Fortunately, outsourcing the position, as permitted by GDPR, can partly solve this problem.

Gap analysis

In general, coping with GDPR requirements requires analysis of current situations, and assessing any areas where these requirements have yet to be fulfilled. Risk analysis will be necessary to identify vulnerabilities that require protective measures from mobile applications.

Establish new processes and modifications of existing applications

The next step will be the establishment of new processes and modification of applications to ensure maximum data security during the acquisition, transfer, storage and handling processes. It will also be necessary to integrate appropriate software or hardware to support security surveillance and auditing over operations involving data of EU citizens.

GDPR regulation has already been finalized and approved, and there is no doubt about the disruption it will cause to the processes and operations of companies in Europe.

Preparation should not be underestimated.

Take this short survey https://teskalabs.com/surveys/gdpr to see if your organization will be impacted by GDPR.

Alternatively, contact us to know more about our application security platform and prevent major cyber threats related to the apps that can affect your organizational and user data privacy.

Resource:

http://ec.europa.eu/justice/data-protection/reform/index_en.htm

About the Author

Jiri Kohout

TeskaLabs’ VP of Application Security, Jiri Kohout, brings years of experience in ICT security, having served as the Chief Information Security Officer for the Ministry of Justice and Chief Information Officer for Prague Municipal Court. He cooperated with the Czech National Security Agency to prepare the Czech Republic cyber security law.


CatVision.io

Screen sharing for mobile apps

Try for FREE


You Might Be Interested in Reading These Articles

Distributed-Denial-of-Service (DDoS) Disrupted Gaming Industry During the Holiday - What You Need to Know

During the Christmas holiday, the Xbox and PlayStation networks at Sony and Microsoft game websites were taken down by a group of hackers called Lizard squad. This attack put thousands of users out of game playing. What a bummer huh? Originally, the FBI blamed the North Koreans for taking down the network--that is another story, but had since revised their assessment when the Lizard squad claimed responsibility for the attack.

Continue reading ...

security

Published on January 27, 2015

Situations Where Mobile App Security Best Practices is Necessary

The use of mobile app security best practices has become a necessity as app development and mobile usage continue to grow. These practices are needed to improve consumer protection, trust, and regulatory compliance.

Continue reading ...

security development

Published on March 24, 2015

Is There A Network Protocol for Your Mobile Apps That Offers A Higher Security Level While Consuming Less Bandwidth Than HTTPS? Yes, There Is

For mobile apps or websites that don’t have logins, forms or features to extract data, you don’t need secure access. For banking websites, mobile apps and mobile banking services, without a doubt, secure communication is a must. But nothing is ever black and white.

Continue reading ...

tech security

Published on September 13, 2016