Thinking that GDPR may not apply to you because you’re using third-party apps? Think again. Not only are you responsible for technical protections but organizational ones as well.
GDPR requires that all systems that process personal data be private (secure) by design. This requirement applies to mobile systems, meaning both the mobile apps installed on devices and the services those apps connect to. It also applies to every mobile sub-system added to those apps, such as enterprise mobility, analytics and similar components, and to the services those sub-systems connect to. As you will see, implementations matter. In fact, implementation and integration are at the heart of the privacy by design regime.
First off, there is no ownership distinction under GDPR. In other words, GDPR does not have different rules for “app owners” and “customers of ISVs.” If your organization provides a mobile system that processes personal data about end users, GDPR applies to you.
Secondly, according to Article 25 of GDPR, data “controllers” (i.e., anyone who determines the purposes, conditions and means of processing the personal data of mobile end users) are required to take steps to protect users and safeguard data captured by the app. Here are some relevant highlights from GDPR covering the need to protect the mobile apps provided to end users:
…[T]he controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures...which are designed to implement data-protection principles...and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
In the above quote, I’ve emphasized the verbs “implement” and “integrate” to highlight the affirmative duty that GDPR places on organizations to add protections to the mobile apps provided to mobile end users. Note that there is no exception based on your organization’s access to the source code of the app.
Several customers in the Appdome community have already pointed out that the new law does not say, “Confirm with the vendor providing the app.” Instead, the new law says that the data controller must implement and integrate the necessary safeguards, etc. That means organizations have to add “technological safeguards” to protect mobile apps and user data, whether or not they built the apps.
Some organizations might wonder if it is acceptable to merely meet GDPR’s requirements on the server side and be done. In other words, some might challenge me by saying, “Processing happens in the cloud, so there is nothing we need to do with the app itself.” But there again, GDPR is quite clear. GDPR defines processing as:
...any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Apps collect, record and store data, either saving it to the local sandbox or holding it in memory inside the app. In addition, apps retrieve data from and transmit data to the cloud or backend servers that control the service the app provides. Apps also hold critical information about networks, users, profiles and services, stored deep inside the app's own code and in the app's preferences. Apps are treasure troves of personal information and pathways to personal information. Because of this, organizations must add protections at the app level to protect both the data and the code of the apps provided to end users.
GDPR offers organizations a way of balancing the need to implement technological safeguards against the cost and risk associated with doing nothing. GDPR says that organizations can take into consideration:
...the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.
Of course, it’s not clear how an organization should calculate the “risk and severity” of a potential breach, and the cost of miscalculation is potentially very high given mandatory disclosure obligations for data breaches and stiff penalties.
At Appdome, we make mobile integration easy. We are the only vendor that lets organizations automatically “implement” and “integrate” mobile protection and other services to apps at every level, from any vendor, without code or coding, in seconds. This freedom, as well as the multitude of protection options available on Appdome, is the core of our value proposition. Appdome’s service works in seconds, regardless of how the app is built, to allow our users to deliver mobile app protections quickly and easily to every app provided to end users.
GDPR also requires mobile app providers to take “organizational measures” (on top of the technical measures) to protect apps and app data. I’m glad that Appdome has two features that address this organizational requirement as well.
On Appdome, users can create Teams to allow different members of an organization to perform discrete actions within Appdome (such as uploading an app, signing an app, etc.). Within Appdome for Teams, there is an App Approval workflow that ensures an Approval Audit Trail for all protections added to apps. Appdome also provides a full log of who did what, when, where and how to each app. That way, organizations can demonstrate that they have taken the appropriate measures to protect apps and end users.
The bottom line is that organizations providing mobile apps to end users must take steps to implement technical and organizational measures and integrate safeguards to protect an app, its data and mobile end users – no matter who built the app.
Thank you and enjoy using Appdome.