The Real Impacts of General Data Protection Regulation (GDPR) to EU Companies That Operate Mobile Applications

What is GDPR?

The General Data Protection Regulation (GDPR) is a new EU regulation aimed at protecting the personal data of EU citizens. Because of the broad definition of “personal data”, GDPR impacts almost every EU company, as well as non-EU companies that exchange data with them. The regulation takes effect in May 2018, which is still a long way in the future, but the complex requirements mean that companies need to start planning and taking action now.

“Personal data” is defined by GDPR as any data record that could potentially identify an individual. It shouldn’t come as a surprise that this data includes names, phone numbers, and addresses. However, it also encompasses a whole range of other subjects, including GPS locations, behavior habits, tattoos, and more.

You’ve probably already figured out that under this definition of data records, virtually all businesses will be affected. The regulation imposes obligations on companies and defines the rights of EU citizens to access information related to stored and processed personal data.

There are many articles available on the Internet about GDPR, but they are often overly complicated or rely on the FAQs from the GDPR’s official web page. However, the intentions of GDPR are, put simply:

  • Right to be forgotten
  • Easier access to one's data
  • Right to data portability
  • Right to know when one's data has been hacked
  • Security by design and by default
  • Stronger enforcement of the rules

The list is not a complete representation of the requirements and user rights defined by GDPR. The exact wording can only be interpreted by a few specialists.

So what does GDPR regulation mean to, for example, an ordinary mobile e-business operator?

What do mobile app operators need to do?

Data protection isn’t just about keeping customers’ information safe.

Data processors must keep a complete history of changes and data access, including physical access to technical equipment. They also need to be able to identify the person who made the change, requested the data, and why.

To ensure this, data processors have to create new procedures to guarantee the confidentiality of processed data at all times. Likewise, it will also become necessary to document systems and acquire appropriate technology and software to ensure the security of transmitted data. Data processors must deploy meaningful protection to mitigate risks. If they get data from a third party, they need to define how each party will share responsibilities regarding data protection.

Inform the users

Mobile app users will see the impact of GDPR thanks to a newly added information screen when they download an app to their mobile device. All users will have to agree to a list of personal data that the mobile app will use, the length of time the data is stored for, and the purpose of the data usage. Mobile app operators must inform users about user rights regarding GDPR in a precise and understandable way.

Fulfill user requests

Users can now ask if their data will be processed. They can ask for this data to be changed, or deleted entirely. When they request deletion, there must be no way to recover that data, even from backups. Data processors cannot collect data for anything other than authorization purposes and the requirements of the app itself.
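As an added illustration (not code from the article or from TeskaLabs), the following Python sketch shows one way to meet the audit-trail requirement described earlier in this section (who accessed or changed what, and why) together with the user requests described here: access, rectification, export and erasure. Every operation is recorded with actor, subject, action and purpose, and erasure also purges the subject from retained backup snapshots so the record cannot be restored. The class name, the subject identifiers and the sample records are constructed for this example; the audit log keeps only identifiers and actions, never the personal data itself, so it can survive an erasure.

```python
"""Added example: an audited personal-data store with subject-request handling.
Not part of the original article; names and sample data are constructed."""
import copy
import json
from datetime import datetime, timezone


class PersonalDataStore:
    """Holds personal data per subject and records every access and change."""

    def __init__(self):
        self._records = {}   # subject_id -> dict of personal data
        self._backups = []   # retained backup snapshots (deep copies)
        self.audit_log = []  # append-only: who did what to whom, and why

    def _audit(self, actor, subject_id, action, purpose):
        # The log stores identifiers and the stated purpose only, never the
        # personal data, so it remains valid after the data is erased.
        if not purpose:
            raise ValueError("every operation must state its purpose")
        self.audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "subject": subject_id,
            "action": action,
            "purpose": purpose,
        })

    def store(self, actor, subject_id, data, purpose):
        self._audit(actor, subject_id, "store", purpose)
        self._records[subject_id] = dict(data)

    def read(self, actor, subject_id, purpose):
        self._audit(actor, subject_id, "read", purpose)
        return copy.deepcopy(self._records.get(subject_id))

    def update(self, actor, subject_id, changes, purpose):
        """Rectification: the subject (or an operator on their behalf) corrects data."""
        self._audit(actor, subject_id, "update", purpose)
        self._records.setdefault(subject_id, {}).update(changes)

    def export(self, subject_id):
        """Portability: hand the subject their data in a machine-readable form."""
        self._audit(subject_id, subject_id, "export", "data portability request")
        return json.dumps(self._records.get(subject_id, {}), sort_keys=True)

    def backup(self):
        self._backups.append(copy.deepcopy(self._records))

    def erase(self, actor, subject_id, purpose="erasure request"):
        """Right to be forgotten: remove the subject from live data and all backups."""
        self._audit(actor, subject_id, "erase", purpose)
        self._records.pop(subject_id, None)
        for snapshot in self._backups:
            snapshot.pop(subject_id, None)

    def history(self, subject_id):
        """Answer 'who touched my data and why?' for one subject."""
        return [e for e in self.audit_log if e["subject"] == subject_id]

    def is_recoverable(self, subject_id):
        """True if the subject's data still exists anywhere, including backups."""
        return subject_id in self._records or any(
            subject_id in snap for snap in self._backups)


def demo():
    """Walk one constructed subject through the full lifecycle; returns the store."""
    store = PersonalDataStore()
    store.store("app-backend", "u-1001", {"name": "Example User", "gps": "50.08,14.43"},
                "account registration")
    store.store("app-backend", "u-1002", {"name": "Other User"}, "account registration")
    store.backup()                      # u-1001 now also sits in a backup
    store.read("support-agent-7", "u-1001", "support ticket #constructed")
    store.update("u-1001", "u-1001", {"name": "Corrected Name"}, "rectification request")
    store.backup()
    store.export("u-1001")
    store.erase("dpo", "u-1001")        # must also purge both snapshots
    return store


if __name__ == "__main__":
    s = demo()
    print("recoverable after erase:", s.is_recoverable("u-1001"))
    for entry in s.history("u-1001"):
        print(entry["at"], entry["actor"], entry["action"], entry["purpose"])
```

The purpose check in `_audit` is deliberate: an access without a stated reason is rejected rather than silently logged, which is what makes the "why" in the audit trail answerable later.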

Notify users during and after a security incident

You’ve probably heard about recent leaks of sensitive data from Twitter, LinkedIn or T-Mobile. GDPR requires companies to report such security incidents. Data processors must notify the national supervisory authority about the incident within 24 hours and immediately after that inform all users who might be affected. Rapid identification of security incidents requires adequate technology and continuous surveillance of mobile applications.

If companies are found to be in violation of GDPR, or refuse to cooperate with the national supervisory authority, data processors are liable to a fine of up to 20 million EUR or up to 4% of their global annual turnover. The authority can issue the sanction repeatedly.

How do you deal with GDPR requirements?

Unlike EU directives, all EU regulations must be adopted and strictly adhered to. It is the EU’s intention - and one of the reasons why GDPR exists - to unify personal data protection via a centralized regulation across the whole EU. Since the regulation is finalized, companies can now immediately start planning how they will ensure they comply with the requirements.

Data Protection Officer

To facilitate the changes it introduces, GDPR will require businesses to create a Data Protection Officer position. This person will help data processors fulfill and monitor the requirements and communicate with national authorities.

The Data Protection Officer will need to be fully qualified, and have sufficient knowledge in the field of data protection. They will be an essential liaison between the authorities and the processor. They will also act as an overseer to check if the company has adequately fulfilled all regulatory requirements, and report any security incidents.

Small organizations may find it difficult financially to set up the Data Protection Officer position. Fortunately, outsourcing the position, as permitted by GDPR, can partly solve this problem.

Gap analysis

In general, coping with GDPR requirements requires an analysis of the current situation and an assessment of any areas where these requirements have yet to be fulfilled. Risk analysis will be necessary to identify vulnerabilities in mobile applications that require protective measures.

Establish new processes and modifications of existing applications

The next step will be the establishment of new processes and modification of applications to ensure maximum data security during the acquisition, transfer, storage and handling processes. It will also be necessary to integrate appropriate software or hardware to support security surveillance and auditing over operations involving data of EU citizens.

GDPR regulation has already been finalized and approved, and there is no doubt about the disruption it will cause to the processes and operations of companies in Europe.

Preparation should not be underestimated.

Take this short survey https://teskalabs.com/surveys/gdpr to see if your organization will be impacted by GDPR.

Alternatively, contact us to know more about our application security platform and prevent major cyber threats related to the apps that can affect your organizational and user data privacy.

Resource:

http://ec.europa.eu/justice/data-protection/reform/index_en.htm

About the Author

Jiri Kohout

TeskaLabs’ VP of Application Security, Jiri Kohout, brings years of experience in ICT security, having served as the Chief Information Security Officer for the Ministry of Justice and Chief Information Officer for Prague Municipal Court. He cooperated with the Czech National Security Agency to prepare the Czech Republic cyber security law.
