App GDPR-Compliance: Checklist for Business Owners

As May 25, 2018 draws nearer, many software development companies are becoming concerned whether their product complies with the GDPR. As an app development company, we also need to update our practices to ensure our app's GDPR compliance. We have researched the subject and put together a kind of GDPR compliance checklist that we would like to share. We hope that when the day comes you will be prepared.

What is GDPR?

How can it affect app development businesses?

GDPR stands for General Data Protection Regulation and it is a set of rules that the European Union is going to enforce to protect customer data. Of course, application developers were expected to protect their users' data before; however, the introduction of GDPR means very heavy sanctions for companies that fail to comply, so it is better to be prepared.

The EU General Data Protection Regulation now requires all companies to protect the personal data of their customers who are citizens of the EU in any transactions that are executed within the EU. Now, let's interpret this legalese into simpler terms and see what a company can do to develop EU privacy-compliant apps.

The GDPR replaces the previous directive that was adopted in 1995. Since the 1995 document did not cover all Internet-related issues, an update was very much needed.


In short, the GDPR gives the users much more control over the ways their personal data is used by applications. Before we proceed, let's look briefly at what is considered personal data under the GDPR:

  • Identity data, such as user name, phone number or address
  • Web-related data, such as IP addresses, locations, cookies
  • Health-related and biometric data
  • Any data related to the user's political preferences, ethnic or racial identity, or sexual orientation

Which software development companies are subject to the GDPR? Since the new regulations are adopted in the European Union, this factor determines the applicability of the GDPR. The GDPR applies to companies:

  • That are present in the European Union
  • That process data of the users who are residents of the European Union

However, not all application development companies in the EU or serving EU residents must comply with the requirements of the GDPR. How would you know whether you should comply? It is very likely that the GDPR rules are applicable to your product if:

  • It involves any kind of subscription, whether for use or to receive any news or updates
  • You support logging in through other services
  • You have a comments feature

If your product has at least one of the features that we've listed, it means that you collect personal data from your users and, therefore, must comply with the GDPR.

Making your app GDPR compliant

OK, you may ask, we are in the EU and we seem to be collecting user data. What can we do to remain compliant with the new rules and not face sanctions? (By the way, the sanctions are rather tough – up to 4% of your total global turnover or €20 million, whichever is higher.)

If you want to protect your company and, at the same time, ensure better protection of your customers' data, we suggest you follow some basic rules for becoming GDPR compliant on mobile apps.

1. Explicitly ask permission to use customer data

When you ask your users to provide their data during registration and login, also ask for their consent to use this data. There are many ways you can use the registration data:

  • Personal details – to populate the form fields (for example, filling the name and address fields in the order and delivery form)
  • Email address – to send offers and promotions
  • Phone number – to send reminders
  • Other personal data – to target offers according to the users' preferences

The key is making the user understand that their data is going to be used in this way and to get their consent. You can either include an “I agree” checkbox in the registration form together with a general explanation, or ask each time you are going to use any personal information.


2. Collect only as much data as you need

In other words, don't ask for too much. The user should see the relationship between your product goals and the data you are requesting them to provide. If you develop an airline ticket booking platform, you probably do not need the user's home address. And for a taxi application, the user's gender makes no sense.

Besides, such an approach can help you should you ever be questioned or investigated under the GDPR. If you can justify each detail you request from users, your position will be much stronger. Do not collect any data “just in case” — that “case” can very well turn into a “court case”.

3. Try not to collect confidential data at all

Confidential or sensitive data is something that you should try to avoid unless you absolutely need it. The scope of such data is rather broad – health details, political considerations, ethnic origins, sexual preferences.

Of course, if you are working on a healthcare application, you are bound to ask for health-related details. If you are hosting a political discussion board, the political preferences can't be ignored. However, if you do collect such sensitive data, make sure you encrypt it properly and implement the most advanced security measures, since there is probably nothing worse than leaked confidential data of your users.

4. Delete unnecessary data

This recommendation is in tune with the recommendation to collect only the data you need. Delete or archive everything you no longer need. If you have asked for a phone number to confirm the delivery, delete it as soon as you have delivered the order and closed it. Next time, when the same user makes a new order, they will provide the phone number again.

This approach is much more secure than having the user's phone number stored in your application for no immediate purpose.

Alternatively, do not store users' data at all – request it only for the current order and then delete everything. Although, if you maintain a loyalty program with accumulated bonuses, this may not always work. In this case, store only the basic data and delete everything else.
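The retention rule in points 2 and 4 (drop the phone number once the order is closed, keep only what the loyalty program needs) is easy to state and easy to forget in code. The following is an added example, not code from the original post: a small retention job over constructed order records. The field names, the `Order` class and the retention periods in `RETENTION_AFTER_CLOSE` are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy (assumption): how long each optional personal field may be
# kept after the order it was collected for has been closed.
RETENTION_AFTER_CLOSE = {
    "phone": timedelta(0),                  # delivery confirmation: drop on close
    "delivery_address": timedelta(days=14), # kept briefly for returns, then dropped
}


@dataclass
class Order:
    order_id: str
    status: str                      # "open" or "closed"
    closed_at: Optional[datetime]
    phone: Optional[str] = None
    delivery_address: Optional[str] = None
    loyalty_points: int = 0          # needed for the loyalty program: retained


def scrub_order(order: Order, now: datetime) -> list:
    """Blank out personal fields whose retention period has run out.

    Returns the names of the fields that were removed so the run can be logged
    as evidence that the policy is actually enforced."""
    if order.status != "closed" or order.closed_at is None:
        return []                    # open orders still need their data
    removed = []
    for field_name, keep_for in RETENTION_AFTER_CLOSE.items():
        if getattr(order, field_name) is None:
            continue                 # nothing stored, nothing to remove
        if now >= order.closed_at + keep_for:
            setattr(order, field_name, None)
            removed.append(field_name)
    return removed


def run_retention_job(orders, now: datetime) -> dict:
    """Apply scrub_order to every order; returns {order_id: [removed fields]}."""
    result = {}
    for order in orders:
        removed = scrub_order(order, now)
        if removed:
            result[order.order_id] = removed
    return result


def sample_orders():
    """Constructed sample data for a dry run (not real customer records)."""
    utc = timezone.utc
    return [
        Order("A1", "closed", datetime(2024, 6, 14, tzinfo=utc),
              phone="+00 000 000", delivery_address="1 Example St", loyalty_points=120),
        Order("B2", "closed", datetime(2024, 5, 1, tzinfo=utc),
              phone="+00 111 111", delivery_address="2 Example St", loyalty_points=40),
        Order("C3", "open", None, phone="+00 222 222", delivery_address="3 Example St"),
    ]


if __name__ == "__main__":
    now = datetime(2024, 6, 15, tzinfo=timezone.utc)
    print(run_retention_job(sample_orders(), now))
```

Running the job on the constructed data removes the phone number from both closed orders, removes the address only from the one closed more than 14 days ago, and leaves the open order and the loyalty points untouched. Scheduling such a job and keeping its output is also what lets you answer a regulator's "why do you still hold this?" question with a policy rather than a shrug.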

5. Encrypt everything

Apart from the fact that encryption is what the GDPR explicitly requires, encryption is a recommended method of protecting any data. Today, the cyber-criminal is sometimes much better equipped than honest businesses with respect to technology and hardware. As a result, use all available means to secure the data. Remember that, in the event of a breach, users tend to place the blame on the company rather than on the criminals, because they think that the company should have been more careful with the data it was trusted with.

Thus, encrypt. Use encryption mechanisms that protect the data both at rest and in transit. With encryption, the data is readable only by someone holding a valid key.


6. Use secure communication protocols

HTTPS is the magic word. This secure protocol encrypts the data sent between the server and the client. Make sure you obtain an SSL/TLS certificate for your application and renew it before it expires.

When you use HTTPS, your server presents its SSL/TLS certificate to each client that connects. The client verifies the certificate, and the two sides then establish an encrypted connection.
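Two things on the HTTPS point are worth having in code rather than in a calendar: the client must actually verify the certificate it is presented, and someone must notice before the certificate expires. The block below is an added example, not code from the original post. It uses only Python's standard `ssl` module; `SAMPLE_CERT` is a constructed stand-in for what `getpeercert()` returns (the hostname is a placeholder), and the 30-day renewal threshold is an assumption.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample (assumption) of the dictionary ssl.SSLSocket.getpeercert()
# returns for a server certificate; only the fields used below are included.
SAMPLE_CERT = {
    "subject": ((("commonName", "app.example"),),),   # placeholder hostname
    "notBefore": "Jan  1 00:00:00 2029 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

RENEWAL_THRESHOLD_DAYS = 30   # assumption: start renewing with a month to go


def client_context() -> ssl.SSLContext:
    """Client-side TLS settings for the app's own HTTP calls.

    create_default_context() already verifies the chain and the hostname;
    setting both explicitly means a later edit cannot weaken them unnoticed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def days_until_expiry(cert: dict, now: datetime = None) -> float:
    """Days left on the certificate, negative once it has expired."""
    now = now or datetime.now(timezone.utc)
    expires = ssl.cert_time_to_seconds(cert["notAfter"])   # epoch seconds, UTC
    return (expires - now.timestamp()) / 86400


def renewal_status(cert: dict, now: datetime = None,
                   threshold_days: int = RENEWAL_THRESHOLD_DAYS) -> str:
    """'ok', 'renew-soon' or 'expired'; suitable for a daily monitoring check."""
    days = days_until_expiry(cert, now)
    if days <= 0:
        return "expired"
    if days < threshold_days:
        return "renew-soon"
    return "ok"


if __name__ == "__main__":
    ctx = client_context()
    print("hostname check:", ctx.check_hostname, "verify:", ctx.verify_mode.name)
    print("sample cert:", renewal_status(SAMPLE_CERT))
```

In a live check you would obtain the dictionary from `sock.getpeercert()` after wrapping a connection with the context above and feed it to `renewal_status`; the constructed sample keeps the example runnable offline.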

7. Review and update your policies

Review the data collection processes that you apply in your product on a regular basis. See whether you really need all the data you request, whether there is something that you almost never use and can exclude from the registration form.

At the same time, if you see that you need to collect more details, make sure you explicitly ask for the users' permission again. The same refers to any changes to data collection policies. It is always better to ask the user to check that “I agree” box under the new policy to avoid claims.

8. Be clear about third parties

If you cooperate with third parties and pass your users' data to them for research or analytical purposes, inform your customers about it in clear terms. Name each of your partners and obtain the user's consent to pass the data. Arrange your registration form so that the user will need to agree to each of the third parties to use their data.

At the same time, when making agreements with third parties, check that they are also GDPR-compliant. If somebody misuses your customers' data that you provided, you will be to blame.

9. Make “no” the default option

The user should actively express their permission for you to use their data. This means that you should never pre-check the consent boxes, and you should let users restrict the permissions they grant. This way, you will ensure the “freely given, specific, informed, and unambiguous user consent” that is required under the General Data Protection Regulation.
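Points 1, 7, 8 and 9 together describe one data structure: a per-user consent record in which every purpose and every named partner is a separate explicit opt-in, absence of an answer means "no", and a change of policy invalidates earlier answers. The block below is an added example of such a consent ledger, not code from the original post. The purpose names, the partner names and the policy version numbers are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed (assumption): each purpose and each named third party is its own
# opt-in. Nothing here is pre-granted.
PURPOSES = {"promotions", "reminders", "targeting"}
PARTNERS = {"analytics-partner-example", "research-partner-example"}


@dataclass
class ConsentRecord:
    purpose: str
    granted: bool
    policy_version: int      # the version of the policy text the user saw
    recorded_at: datetime


@dataclass
class UserConsent:
    user_id: str
    records: dict = field(default_factory=dict)   # purpose -> ConsentRecord

    def record(self, purpose: str, granted: bool, policy_version: int,
               when: datetime = None) -> None:
        """Store an explicit choice, positive or negative, with the policy
        version it was given under. Unknown purposes are rejected so that a
        new use of data cannot be slipped in without being listed."""
        if purpose not in PURPOSES and purpose not in PARTNERS:
            raise ValueError(f"unknown purpose or partner: {purpose}")
        self.records[purpose] = ConsentRecord(
            purpose, bool(granted), policy_version,
            when or datetime.now(timezone.utc))

    def withdraw(self, purpose: str, policy_version: int) -> None:
        """Withdrawal is just a recorded 'no'; it must be as easy as granting."""
        self.record(purpose, False, policy_version)

    def may_use(self, purpose: str, current_version: int) -> bool:
        """The only question the rest of the app should ask. Default is no:
        never asked -> no; asked under an older policy -> no; else the answer."""
        rec = self.records.get(purpose)
        if rec is None:
            return False
        if rec.policy_version != current_version:
            return False
        return rec.granted

    def needs_reconsent(self, current_version: int) -> list:
        """Purposes the user once granted but under a policy that has since
        changed; show the consent form for these again before using the data."""
        return sorted(p for p, r in self.records.items()
                      if r.granted and r.policy_version != current_version)


if __name__ == "__main__":
    user = UserConsent("user-example-1")
    user.record("promotions", True, policy_version=2)
    user.record("analytics-partner-example", False, policy_version=2)
    print(user.may_use("promotions", 2), user.may_use("promotions", 3))
    print(user.needs_reconsent(3))
```

Because `may_use` is the single gate, a policy version bump (point 7) silently turns every earlier "yes" into "ask again" without touching the stored records, which also keeps the history of what the user agreed to and when.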


10. Arrange your Terms and Conditions clearly and visibly

Under the GDPR, the user should read and acknowledge the Terms and Conditions before getting access to the application. The Terms and Conditions must now be placed so that users do not need to hunt for them. Also, you should not make acknowledging the Terms and Conditions optional; it should always be a mandatory step.

11. Remove data of unsubscribed users

The GDPR demands that users always have the option to unsubscribe from your application and delete their accounts. In this case, you should always delete all data of the user. Turning a deleted account into an inactive one without deleting the data will be a breach of the regulation and subject to sanctions.

Make sure you clearly inform the user that their data is going to be deleted.

12. Avoid asking for personal data in the security questions

Everyone has probably been forced to answer a security question at least once. If you had to verify your identity, for example, when you called the bank to cancel a card you lost, you were asked for your mother's maiden name or the city your father was born in.

Well, no more. These kinds of security questions are not allowed under the GDPR, since they contain personal data, especially the data of other people.

Try to avoid the security question approach altogether. Many applications now use multi-factor authentication, where the user's identity is verified by a unique one-time code sent to their mobile device. This method is considered highly secure and involves no personal data.

If you still need to use security questions, let the users make them up. Of course, you will need to warn them against using personal data in the questions and answers.


We hope that our summary of the GDPR for app developers and business owners will help you stay both effective and compliant. While it might seem like too much trouble, in fact, such enhanced measures for the implementation of GDPR compliance of mobile apps will bring benefits for both users and app developers. These regulations will create a more secure common environment by encouraging the implementation of protective mechanisms and squeezing out the companies that are lax on their data security.

If you need advice on GDPR app development or data protection, you can contact us, and we will gladly share our insights and practical recommendations. Of course, the applications we develop will be GDPR-compliant, so if you work with us on building an app for your business, rest assured that your user data will be properly protected.