On May 25th, 2018, a major change in personal data protection will take place: the European Union’s General Data Protection Regulation (GDPR) will become enforceable. The new rules protect the personal data of everyone located in the European Union, regardless of citizenship, and are being extended to Norway, Liechtenstein and Iceland through the EEA Agreement. (Switzerland is not part of the EEA and is not covered by the GDPR itself; it has its own data protection law, although Swiss companies serving EU users are caught by the GDPR’s territorial scope discussed below.) The aim is to give individuals better control over the way companies collect and use their personal data.

What is New in the GDPR?

Your company most likely already has a data protection policy in force, but the GDPR creates new obligations and applies hefty fines for failure to comply. To get the ugly truth out first: the maximum penalty for the most serious infringements is €20 million or 4% of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher. A lower tier of €10 million or 2% applies to other infringements, such as failing to notify a breach, failing to keep records of processing, or not implementing privacy by design.

This is a crippling fine even for large companies, so it is important to know how to comply with the GDPR and to be able to demonstrate that compliance: the regulation makes accountability an obligation in its own right, so keep records of what personal data you process, why, on which legal basis, and for how long. These are the key changes introduced by the GDPR:

1. The Right to be Forgotten

Individuals in the EU (and in the EEA states that adopt the regulation) have the right to ask a data controller (any company that decides why and how personal data is collected and used) to erase their personal data. The right is not absolute: a controller may refuse where it still needs the data to meet a legal obligation, to establish or defend legal claims, or for certain public-interest purposes, but it must be able to justify the refusal. A first step in this direction was already taken by Google, which, following a 2014 ruling of the Court of Justice of the EU, lets people in Europe fill out a Personal Information Removal form and request that links to their information be omitted from search results for their name.

Under the GDPR, individuals can ask any company that collected their personal data (including mobile app owners) to erase it, and the controller must act without undue delay and in any case within one month. If the data has been made public or passed on to third parties, the controller must also take reasonable steps to inform those other recipients of the erasure request. In practice this means an app owner needs an inventory of which analytics, advertising, crash-reporting and backend providers hold copies of a user’s data, and an erasure procedure that reaches those copies (and the app’s own backups and logs on a defined schedule), not only the production database.

2. Explicit Consent

Where processing relies on consent (the GDPR also recognises other legal bases, such as performance of a contract with the user), companies need to obtain clear consent from individuals before collecting, using or transferring their personal data. Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action; the request must be written in plain, easy to understand language and kept separate from other terms. Pre-ticked boxes, silence or inactivity do not count. For example, the standard text “by continuing to use this website/app you agree to our cookie policy” is not an acceptable form of consent under the GDPR. Explicit consent is additionally required for sensitive data such as health or biometric data. The controller must also be able to prove that consent was given, so record what the user agreed to, when, and which version of the wording they saw.

At the same time, individuals must be able to withdraw their consent at any moment, and withdrawing it must be as easy as giving it was; once consent is withdrawn, any processing that relied on it must stop.

3. Mandatory Notification of Breaches

When a company suffers a personal data breach (not only a cyber attack that compromises its database, but any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data), it must notify the supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the affected individuals; a later notification must explain the delay. If the breach is likely to result in a high risk to individuals, the affected users must also be informed without undue delay. A processor that discovers a breach must report it to the controller without undue delay. The 72-hour clock starts at detection, so app owners need logging, monitoring and an incident response procedure in place before the deadline can realistically be met, and every breach must be documented internally whether or not it is reported.

4. Privacy by Design

Although it is already a best practice, the GDPR makes it a legal requirement: privacy must be built into websites and web and mobile apps from the design stage, and the default settings must be the most privacy-protective ones (privacy by design and by default). Concretely, collect only the data the app actually needs, pseudonymise or encrypt it where possible, keep it no longer than necessary, and do not share it with third parties by default. Because these security and data-minimisation measures must be chosen before development starts, they become a critical topic to settle in the early planning stages of a project, and for processing likely to result in a high risk to individuals a data protection impact assessment must be carried out first.

How does GDPR Impact Mobile Apps Outside the European Union?

The location of the app owner is largely irrelevant under the GDPR. If a company established outside the EU offers its app to people in the EU, or monitors their behaviour (for example through analytics, advertising or location tracking), the app must be GDPR compliant, and the company may also have to appoint a representative in the EU. Otherwise, the company is liable to the hefty fines mentioned above. Note that the test is whether the users are in the EU, not whether they are EU citizens.

It is worth noting, at the same time, that the GDPR defines personal data broadly, as any information relating to an identified or identifiable natural person, explicitly including online identifiers. This includes:

  • Names
  • Phone numbers
  • Images (photos, videos)
  • Email addresses
  • Geolocation data
  • Aliases (usernames, nicknames)
  • IP addresses
  • Device, cookie and advertising identifiers

What should App Owners Do Next?

This article is only intended to provide general information and guidelines. To make sure a mobile app is GDPR compliant, app owners should seek specialised legal and consultancy advice to identify everything that needs to be fixed, and apply those fixes before May 25th.

The key takeaway from this post is that any mobile app offered to people in the European Union (and in Norway, Liechtenstein and Iceland once the regulation is incorporated into the EEA Agreement) is subject to GDPR rules, and its owners may face legal and financial consequences for failure to comply.