Get your app ready and compliant for the new General Data Protection Regulation
On May 25th 2018, the General Data Protection Regulation (GDPR) will be in force. GDPR seeks to create a harmonised data protection law framework across the EU and aims to give citizens back the control of their personal data, whilst imposing guidelines and rules on those hosting and ‘processing’ this data.
The fines for not complying have increased and are now up to EUR 20.000.000 or 4% of the annual global turnover.
GDPR will potentially affect entire systems and processes in the digital ecosystem, and you as the Data Controller are responsible for being compliant.
Contact us today, and start the process towards being ready for when the GDPR hits.
GDPR defines “personal data” as any data record that could identify an individual, such as names, phone numbers and addresses, and it now also encompasses digital information, such as GPS locations, behaviour, usernames and much more.
Therefore you must update your content and UX in accordance with the new GDPR guidelines, including: a mapped data flow, documented procedures and a signed GDPR supplier agreement with each of your suppliers.
Let’s explore an example:
Under GDPR, data processors, e.g. Nodes, can now be held responsible. Because of this change, all apps developed, hosted or maintained by Nodes will need to be GDPR compliant by 25th of May 2018.
Why is GDPR important for apps?
Privacy by design
GDPR requires a new approach from businesses to promote privacy and data protection.
You should know what data you hold, the legal basis for each type of data processing activity, how the data is structured and how to improve its security.
You will be required to ask the user for consent up front, in clear and simple language (no technical jargon!).
Right to be forgotten
This means that users can not only request changes to their data but can also request that all of their data be deleted. You will need a system or process in place to locate the specific data and permanently delete all records of it.
Breach notification
Companies must notify the national supervisory authorities and affected users within 72 hours of a breach. You may need to invest in better technology to ensure continuous monitoring of your data, and prepare a disaster recovery procedure.
Processing agreement (DPA)
Nodes has a standard DPA that covers all areas of GDPR. If you have your own customised GDPR agreement you wish to use, Nodes will draw on our legal advisors to ensure everything is compliant with GDPR.
Our five-step process to become compliant
Here are five simple steps that will give you an overview of what you should be aware of, and how to become GDPR compliant.
Nodes proposes a five-step process resulting in a report that covers the basics of a strong data governance programme, which is critical for GDPR compliance. From there you can define which actions are needed.
The recommendation report is intended to cover and outline the full project scope from frontend to backend, all relevant service and support systems involved, and the GDPR-sensitive data in the given project.
1. User Interface Privacy review
Investigate and identify the crucial frontend touch points for the user where the product might not be following GDPR.
• Ensure explicit user consent in the app
• Ensure GDPR compliance of the terms and conditions
• Evaluate the user’s options with regard to the right to be forgotten
• Obtain approval for marketing conditions
2. Data- and systems-mapping
Document and create visibility of where and how personal data is handled and processed to make sure the data infrastructure is GDPR compliant.
• Describe the data inventory
• Outline the consumption of user data
• Map the source and target data exchange flows
3. Security check
Investigate the system, stack and how personal data is consumed by analysing potential security vulnerabilities.
• Stack security vulnerabilities
• API sample security check
4. Contracts and accounts
Outline the third-party services integrated in the project, since they must also be compliant.
• Evaluation of data storage and hosting accounts
• Evaluation of service accounts
• Overall ownership assessment of the utilised services
5. Process recommendation
Aggregate the findings from the four previous steps to create the recommendation for a GDPR compliance process.
• Process proposal for handling a data breach
• Process proposal for handling user requests
• Proposal of a data processing agreement (DPA)