The introduction of European legislation on online data privacy, the GDPR, will have important consequences for the way organizations treat the personal data of their users, whether in websites or in Android and iOS applications. The new law raises questions for every organization that regularly handles personal data of European residents.
What impact does the legislation have on web applications and operations?
In general terms, the law gives individuals control over their data. When an organization requests personal information online, it must tell the person what will happen to that data.
The main aspects of this new legislation are the following:
- Easier access to your own data. The user gets more information about how their data is used, and this information must be presented in a clear manner.
- Ability to move data. It should be easy to transfer your personal data to another service provider (data portability).
- Option to delete your data. If you no longer want your data to be used and there is a valid reason, the organization must delete your personal data.
- Know when your data has been breached. When an organization discovers a breach of personal data, it must notify the supervisory authority without undue delay (within 72 hours), and inform the affected users when the breach puts them at high risk, so that they can take protective measures.
So how do you build an application that complies with the GDPR and gives users control over their personal data? Here are several tips.
Tips for developing GDPR-compliant apps
Determine if the app needs all the personal data it requests
The ideal privacy posture for complying with the GDPR is to collect as little personal data as possible (data minimization). Personal data includes name, date of birth, place of residence and so on. Collecting none of it is of course not possible in every situation, as some of it is genuinely needed. In every case, management and developers should decide together which data is strictly necessary and drop the rest.
Encrypt all personal information
If an application needs to store sensitive personal information, it must be protected with strong, well-reviewed cryptography, and the right primitive depends on what the data is for. Data you need to read back (an address, a telephone number) is encrypted with an authenticated cipher such as AES-GCM, with the key kept outside the database (for example in a KMS or HSM). Data you only ever need to check, such as passwords, is not encrypted but hashed with a slow, salted password hash (bcrypt, scrypt or Argon2), so that even the operator cannot recover it. In the Ashley Madison data breach, large amounts of user profile data were stored and leaked in plain text.
This had serious consequences for its users. Encrypting personal data at rest limits what an attacker gains from a stolen database dump, but it is not a substitute for application security: an attacker who compromises the application itself, with its access to the keys, can still read the data. State explicitly in your privacy notice which personal data is encrypted, and make the scope complete: not just credentials but addresses, telephone numbers and place of residence.
Consider OAuth or OpenID Connect for sign-in
With OAuth 2.0 and OpenID Connect, users can sign up using an account they already have with an identity provider instead of creating another password with you. This gives single sign-on, removes password storage from your application entirely, and lets you request only the scopes (for example name and email) that you actually need, so you do not collect more than necessary. Note that the identity provider then learns which services a user logs in to; say so in your privacy notice.
Use secure communication over HTTPS
Many organizations still serve parts of their websites over plain HTTP because they believe HTTPS is not necessary. If an application has no login, for example, HTTPS might seem superfluous. But it is easy to miss something: many applications collect personal information through a "Contact Us" form.
If that form posts in clear text, the data is readable by anyone on the network path between the user and the server. Serve everything over HTTPS, redirect HTTP to HTTPS and set HSTS, and make sure the TLS configuration is correct: a valid certificate for every hostname in use, TLS 1.2 or later only, and no legacy SSL/early-TLS protocol versions or weak cipher suites.
Let users know how you handle “contact us” information
Apps don't just collect information through registration or subscriptions. Data also arrives via contact forms, usually personal information such as telephone number, place of residence and email address. Tell users how this data is stored and for how long, and protect it with the same care as account data.
Make sure sessions and cookies expire
To comply with the GDPR, users must be told how the application uses cookies and, for cookies that are not strictly necessary for the service, be given the option to reject them. Sessions should have an idle timeout and an absolute lifetime, and when someone logs out or is no longer active the session must be invalidated on the server, not only by expiring the cookie in the browser.
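The session handling described above, as an added example (not code from the original article): an in-memory session store with an idle timeout, an absolute lifetime and explicit invalidation on logout, together with the Set-Cookie headers that install and later clear the cookie. The timeout values, the cookie name and the in-memory backing store are assumptions for illustration; a real deployment would use Redis or a database.

```python
"""Server-side sessions with idle and absolute expiry (added example)."""
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # assumed: 15 minutes of inactivity ends the session
ABSOLUTE_LIFETIME = 8 * 3600  # assumed: re-authenticate after 8 hours regardless
COOKIE_NAME = "session"       # assumed cookie name


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._sessions = {}      # sid -> {"user", "created", "last_seen"}

    def create(self, user_id):
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness: unguessable id
        t = self._now()
        self._sessions[sid] = {"user": user_id, "created": t, "last_seen": t}
        return sid

    def validate(self, sid):
        """Return the user id for a live session, or None (and forget the session)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s["last_seen"] > IDLE_TIMEOUT or t - s["created"] > ABSOLUTE_LIFETIME:
            del self._sessions[sid]       # expired: drop the server-side state
            return None
        s["last_seen"] = t                # sliding idle window
        return s["user"]

    def destroy(self, sid):
        """Logout: invalidate server-side, not just the cookie in the browser."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    # Secure, HttpOnly and SameSite limit theft over plain HTTP, via script, and CSRF.
    # Max-Age matches the absolute lifetime so the browser discards the cookie too.
    return (f"{COOKIE_NAME}={sid}; Max-Age={ABSOLUTE_LIFETIME}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


def clear_cookie_header():
    # Max-Age=0 instructs the browser to delete the cookie on logout.
    return f"{COOKIE_NAME}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    clock = [1_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    sid = store.create("alice")
    print(set_cookie_header(sid))
    print(store.validate(sid))              # alice
    clock[0] += IDLE_TIMEOUT + 1            # user idle too long
    print(store.validate(sid))              # None
    print(clear_cookie_header())
```

Both limits matter: the idle timeout bounds how long an abandoned browser stays logged in, and the absolute lifetime bounds how long a stolen session id stays usable even if the attacker keeps it active.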
Do not track users for business intelligence without consent
Many eCommerce apps track what users search for and which products they buy. Companies like Netflix and Amazon use this information to display recommendations. Since this information is stored for commercial purposes, the user must be given the option to accept or decline it.
If consent is given to retain this information, the user must be told how it is stored and for how long. As with all personal data, it must be encrypted at rest.
Inform the user about logs
Many applications record the location or IP address of a login to detect attempts to bypass authentication, and keep these records in case of an incident. Notify users that this information is stored and for how long. Never write sensitive values such as passwords, session tokens or authorization headers to logs, and treat the logs themselves as personal data with their own retention period.
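One way to keep passwords and tokens out of the login audit log, as an added example (not code from the original article): a logging filter that masks sensitive fields both in structured records and in free-text messages, run over a few constructed login events. The field names and the sample events are assumptions; extend the key list for your own schema.

```python
"""Redact credentials from log records before they are written (added example)."""
import logging
import re

# Assumed set of field names whose values must never reach a log.
SENSITIVE_KEYS = {"password", "passwd", "token", "secret", "authorization"}

# Matches key=value, key: value or "key": "value" in free text. The value is a
# quoted string, a full Bearer/Basic credential, or the next whitespace-free token.
_KV = re.compile(
    r'(?i)(?P<key>"?(?:password|passwd|token|secret|authorization)"?\s*[=:]\s*)'
    r'(?P<val>"[^"]*"|Bearer\s+\S+|Basic\s+\S+|\S+)'
)


def redact_text(msg):
    """Mask the value following any sensitive key in free-text log messages."""
    return _KV.sub(lambda m: m.group("key") + "[REDACTED]", msg)


def redact_dict(data):
    """Return a copy of a structured record with sensitive values masked, recursively."""
    out = {}
    for k, v in data.items():
        if k.lower() in SENSITIVE_KEYS:
            out[k] = "[REDACTED]"
        elif isinstance(v, dict):
            out[k] = redact_dict(v)
        elif isinstance(v, str):
            out[k] = redact_text(v)
        else:
            out[k] = v
    return out


class RedactFilter(logging.Filter):
    """Attach to a logger or handler; rewrites each record before it is emitted."""

    def filter(self, record):
        # Format first, then scrub the final text, so '%s' placeholders can never
        # be mistaken for the value and the args are consumed exactly once.
        record.msg = redact_text(record.getMessage())
        record.args = ()
        return True


# Constructed sample login events, as an authorization layer might log them.
SAMPLE_EVENTS = [
    {"event": "login_failed", "user": "alice", "ip": "203.0.113.7", "password": "hunter2"},
    {"event": "api_call", "ip": "198.51.100.9", "headers": {"Authorization": "Bearer abc123"}},
]


def redacted_events():
    """Return SAMPLE_EVENTS with every sensitive value masked."""
    return [redact_dict(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    log = logging.getLogger("auth")
    log.setLevel(logging.INFO)
    handler = logging.StreamHandler()
    handler.addFilter(RedactFilter())
    log.addHandler(handler)
    log.info("login failed user=%s ip=%s password=%s", "alice", "203.0.113.7", "hunter2")
    log.info("outbound call Authorization: Bearer abc123 status=%d", 200)
    for event in redacted_events():
        log.info("event %s", event)
```

Keep the IP address and timestamp: they are what the record is for. What is removed is only the material that would let a reader of the logs authenticate as the user.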
Security questions
Many applications use security questions to confirm a user's identity. Avoid questions whose answers are personal data or are easy for others to find out, such as a mother's maiden name, and avoid low-entropy ones such as a favourite colour. Whenever possible, use two-factor authentication instead. If that is not possible, let users write their own questions and warn them that their questions and answers may themselves contain personal information. Store answers the way you store passwords: salted and hashed, not reversibly encrypted.
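The encryption section earlier and the security-questions section here both come down to the same rule: a value that is only ever verified (a password, a security-question answer) is hashed, and only data that must be read back is encrypted. As an added example (not code from the original article), the block below stores both kinds of secret as salted scrypt hashes from the Python standard library, with a constant-time check and, for answers, normalization of case, whitespace and Unicode form so that "Paris " and "paris" verify against the same hash. The scrypt cost parameters and the `scrypt$salt$hash` storage format are assumptions; reversible fields such as an address would instead need authenticated encryption with a key held outside the database, which this block does not implement.

```python
"""Salted, slow hashing for passwords and security-question answers (added example)."""
import hashlib
import hmac
import os
import unicodedata

# Assumed scrypt cost: N*r*128 bytes = 16 MiB of memory per hash, p=1.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _scrypt(secret: bytes, salt: bytes) -> bytes:
    # maxmem must exceed the working set or OpenSSL refuses the call.
    return hashlib.scrypt(secret, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                          maxmem=64 * 1024 * 1024, dklen=32)


def hash_secret(secret: str) -> str:
    """Return 'scrypt$<salt hex>$<hash hex>' with a fresh 16-byte random salt."""
    salt = os.urandom(16)
    digest = _scrypt(secret.encode("utf-8"), salt)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = _scrypt(secret.encode("utf-8"), bytes.fromhex(salt_hex))
    # compare_digest does not leak how many leading bytes matched
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def normalize_answer(answer: str) -> str:
    """Security-question answers are typed by hand: fold case, collapse
    whitespace and apply NFKC so trivially different spellings hash alike."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str) -> str:
    return hash_secret(normalize_answer(answer))


def verify_answer(answer: str, stored: str) -> bool:
    return verify_secret(normalize_answer(answer), stored)


if __name__ == "__main__":
    pw = hash_secret("correct horse battery staple")
    print(pw)
    print(verify_secret("correct horse battery staple", pw))   # True
    print(verify_secret("Correct horse battery staple", pw))   # False
    ans = hash_answer("  Paris ")
    print(verify_answer("paris", ans))                          # True
```

Because the salt is random per record, two users with the same password (or the same answer) get different hashes, and a leaked table cannot be attacked with one precomputed dictionary. Passwords deliberately get no normalization: they are verified exactly as typed.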
Make clear terms and conditions
Do not try to hide your terms and conditions. To be GDPR compliant under the new EU privacy legislation, the terms and conditions must be reachable from the landing page, written clearly, and accessible at all times while the user browses the application.
Users must agree to the terms and conditions before they can access the app, and must be asked again whenever the terms change. It goes without saying that they must be written in a language users can understand.
Sharing data with other parties
If your organization shares personal data with other parties, this must be stated in the terms and conditions and the privacy notice. This includes affiliates, government agencies, analytics or advertising SDKs, and other third-party plugins that receive user data.
Set clear guidelines if your app is hacked
One of the most important aspects of the European legislation is that a personal data breach must be reported: to the supervisory authority within 72 hours of becoming aware of it, and to the affected users without undue delay when the breach is likely to put them at high risk. Organizations should establish a written incident response plan that describes who does what and which steps are taken, so that users are informed in a timely manner.
Delete the data of users who leave the service
Many web applications don't clearly state what happens to personal information when an account is deleted or a subscription is cancelled. Under the new legislation, companies must delete personal data once it is no longer needed for the purpose it was collected for, unless another legal obligation (such as retaining invoices for tax purposes) requires keeping a specific part of it. Users should be able to expect that when they stop using the service their data is deleted, including from backups within a defined period. Organizations that merely mark a deleted account as inactive and keep the data may be in breach of the law.
Eliminate vulnerabilities
One of the biggest privacy risks is simply a vulnerable application. This is always a risk when a system handles sensitive user information, and an application whose security risks were not identified during development is far more likely to be breached. Make sure your organization has a program for identifying cyber risks (threat modeling, tracking of vulnerable dependencies) and conducts regular security testing.