Could your business be subject to $23 million in fines pertaining to the new European Union (EU) GDPR regulations taking effect this month?
If you have a mobile app that is not compliant with GDPR (General Data Protection Regulation) by May 25th, 2018, you risk hefty fines for being in violation of this complex data protection and privacy law. In a nutshell, the GDPR is designed to give EU citizens more control over their personal data while also providing businesses with clear guidelines about data gathering, management, and security. However, the regulation is nuanced, and businesses can suffer financial repercussions even if they believe they are in the clear.
What is the General Data Protection Regulation?
Discussed for several years, GDPR covers much more than mobile apps, but we wanted to focus on what you should be considering for your apps. In summary, GDPR applies to companies located both inside and outside of the EU whenever the company is processing personal data of someone in the EU. Personal data is broadly defined as any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify that person. It can be anything from a name, photo, email address, social media post, or medical record to a computer's IP address.
You may be asking yourself: “If it’s an EU regulation, why do U.S. businesses need to worry about it?” The reality is that if your mobile app user base includes a single EU citizen, you may be subject to fines for violating any of the GDPR’s specifications on data processing, storage, and usage. These fines can amount to 4% of annual global revenue or €20 Million (about $23.9 Million USD), whichever is greater.
Unfortunately, many U.S. companies are still at risk of incurring these fines. Surveys suggest that as of late 2017, 27% of U.S. companies were “concerned” about the GDPR, but did not have a clear plan of action. In fact, 52% were completely unaware of how the GDPR could impact them. Given such overwhelming percentages, it’s safe to say that many businesses are still on the brink of losing millions.
What to Ask and Consider about the GDPR
Fortunately, there is still time to take the actions needed to get your mobile app aligned with GDPR compliance. Here are some questions you should be thinking about to determine whether or not the General Data Protection Regulation is about to hit your bottom line:
- Are your Terms & Conditions transparent? Under the GDPR, your Terms & Conditions need to clearly delineate how and why you collect data. Any ambiguous language or broad categorizations that make it difficult for users to knowledgeably give consent are in violation.
- Can you justify the data you collect on users? This is going to cause massive changes for businesses. No longer can you gather data that does not directly pertain to the user experience of your mobile app.
- Is your data mapped out? This pertains to two aspects of the GDPR. You need to be able to (a) demonstrate that you are only gathering essential data and (b) know where your data is stored in the event of a data breach.
- Are you testing for weaknesses in security? Even if your app was safe several years ago, hackers might have found new ways to abuse old systems.
A few other highlights pertaining to GDPR and mobile apps:
- All data moving between the app and the server must be encrypted.
- Users have the right to request that their data be erased. This is referred to as the “right to be forgotten.” So, a system needs to be in place to locate a user’s personal data, give the user access to it, and remove or destroy it on request.
- Before any personal data is collected, an app needs to ask for explicit user consent.
- Any data breach needs to be reported to authorities within 72 hours.
- Businesses with over 250 employees are required to have a Data Protection Officer.
If you need help getting your apps to be GDPR compliant, contact us for assistance.