This article is written in collaboration with the app development agency Nodes.

The General Data Protection Regulation is fast approaching and requires businesses to protect the personal data and privacy of European citizens. Companies should already be working to ensure that new and existing app projects all comply with the regulation. 

Citizens of the modern world will regain control of their data. They must be aware of when they provide data to a company and use their right to regain their data or to be forgotten. That is the overarching goal of the new European general data protection regulation that will be in effect across Europe come the 25th of May.

Yesterday’s mantra ‘The more data, the better’ is seriously challenged with the new regulation as companies must be able to document: what data they collect, how they store and share the data – and prove that the consumer gave permission to gather specific data in the first place. The same goes for companies’ apps. Not just consumer or citizen-oriented apps, but also apps for employees. In general, it goes for all digital platforms that collect personally identifiable data.

Should one violate the regulations, the consequences are dire. The fine for a severe data breach could be a costly affair up to 20 million € or four percent of global revenues. Furthermore, a company’s image is on the line with the risk of losing customers and an impaired ability to conduct business.

Those that begin to comply now will be on the leading edge of regulations and could very likely benefit from a competitive advantage in this.

Companies should map their data and gain awareness of what data they collect and how they monitor it. It is not only an assignment for the IT department but also a matter for the management to engage to prioritise what data points are crucial to create the relevant and personal customer experience.

We have developed a five-step-method to help companies get their apps compliant.

Step 1: User Interface Privacy review

With the GDPR, companies can no longer hide behind a never-ending Terms & Conditions sheet. Instead, they have to make it clear and transparent how and why they collect the data.

All the layers in an app should be assessed to define where a user needs to give consent and how that interacts with overall conditions. Let’s take on an example of a fitness app. If you ask a user to provide his or her data on weight, height and age, you must communicate for what purpose you collect that type of data.

This methodology is called “Privacy by design”. It is a mindset that puts the user’s data security first and therefore it needs to integrate with the UI so explanations will be made continuously without decreasing the user experience. It could also improve the user experience if the app communicates the value for the user.

Step 2: Data- and system mapping

As a standardised manner data is stored in a database. But it is rarely the only place the data ends up. Maybe Facebook also can access the data, or it could land up in the hands of a push-provider or another ERP-system that enriches the information collected by the company. In the second step all the different subsystems and integrations, which are built upon the layer where the data is stored and processed, is mapped. That way a company can document all the touchpoints involved in the data journey.

The mapping allows for the company to react swiftly if a user wants to retrieve their data or if a data breach occurs. At the same time it allows for more insights on data use: are you gathering and storing data, which is not used anywhere, you need to decide on removing it or utilising it.

Step 3: Security check

Security is just as important as ever. Some are already working on security continuously through app maintenance while others got a larger legal incitement to make sure that security is on point. Majority of companies working professionally with apps hold a service deal with a provider that conducts continuous maintenance.

In the third step the security of the systems is analysed. Hackers are constantly improving their ability to find loopholes in the common frameworks. And since some of the apps are a couple of years old, we test for weaknesses in stack security to make sure they are not outdated. We make sure that all frameworks and systems are up-to-date and.

We score the security across a set of variables on a scale from one to five. You could build a digital data defence, but the strength of the barriers must meet the investment and mostly it is very expensive to cover the last five percent of the risk.

Step 4: Contracts and accounts

An important part of one’s data duties is to keep control over contracts and accounts with all suppliers and subcontractors.

It is important that a company’s data is not kept with another company’s so that one login could incur multiple data breaches. If this is secured, the company will have the key for its own data which is also an advantage if you want to move your services in-house or to another supplier.  

Step 5: Process recommendation

Based on the four prior steps, we conduct a report that will assess a company’s compliance across different touch points. Also, the report gives insights on how users can get their data back, erased or edited as well as a procedure for data breaches.