The GDPR will begin to be enforced on Friday, 25 May 2018, and there are plenty of implications for businesses to be aware of. While this article will look at the related issues specifically through a MobileCaddy lens, the questions being raised regarding mobile applications are worth considering for all mobile apps for all readers.
Many organisations will be auditing their systems, and their data storage and retention policies, to ensure they comply with the GDPR enforcement, and ensuring they can also demonstrate that compliance.
What’s important for business leaders, IT departments, and legal teams is to be aware that mobile apps also need to fall within this scope. But more importantly, they will have certain special considerations, especially with apps which are specifically built to be network resilient and geared towards high performance.
With a growing demand for more sophisticated and business critical mobile apps, they’ll likely be built for offline-first requirements, so will have a minimum amount of cached data, and possibly even data locally stored on the user’s devices. This means they require special efforts to determine what data is being stored on those devices, what the retention policy is, and how to ensure compliance can be demonstrated in such cases.
For MobileCaddy clients and partners, and any other readers whose apps are built specifically for network resilience, the first steps you need to take are:
Understanding the scope of the data used by your mobile applications
Your mobile apps will be retrieving and also creating data that may fall within the GDPR’s new restrictions, such as individuals’ personal information. With MobileCaddy, all the synchronisation rules are set and stored on the platform, not within the app code, so it’s possible to view all the objects and fields, and determine if these can be created, read, and updated directly.
This means initial audits from a data scope perspective can be performed in a matter of minutes, understand whether it’s is within the scope of GDPR, and how to comply with the retention policies the business will adopt moving forward.
How data is retrieved, added, and subsequently removed
We can look all the way down to record level to see what data will need to be retrieved and removed from a user’s mobile device. For MobileCaddy, the data restriction and removal policies are set on an object-by-object level, and therefore it’s quicker and easier to understand what data will be generated by the user, what data is going to be retrieved from platform to user, and through the application operation what and when the data will be removed. These settings can then be checked against the company’s data retention policies and altered or amended accordingly.
Application-specific considerations (and potential changes)
One of the benefits of MobileCaddy from the client’s point of view is that each application is tailored specifically to its use case, and has a custom user experience dedicated to the business process it supports.
However, there some particular areas of the GDPR which will still need to be carefully considered for each and every application. Obviously, you’ll need to carry out a thorough evaluation of your applications for all possibilities, but some of the more noteworthy examples of those are as follows:
Article 6 will require any user, collecting personal details and/or adding them to the company database via a mobile app, to gain the explicit consent of the individual. There may need to be new fields added, or some interface updates which need to be made to the app, as a result to make this an easy step.
Article 17 entitles individuals to request the right to be forgotten at any point. Changes to mobile applications needed to comply with this will mirror changes mentioned in Article 6: additional fields or user interface changes might necessary to accommodate this.
Article 25 – data protection by design and default – is not something any business is legally bound to comply with, but it is advised as best practice moving forward. But some examples of complying with this might article may include implementing pin lock security within the app, or data which is only visible at the entry point, and then either masked or not shown, once added.
These application-specific requirements may present you with the need to make adjustments. Thankfully, any MobileCaddy clients or partners can use the MobileCaddy versioning engine and over-the-air upgrades to push these changes out to any and all relevant users seamlessly.
How to test, and demonstrate, GDPR compliance
MobileCaddy records the exact data on every individual’s device at the platform level, meaning for each given user (including multiple devices per user) it’s possible to have a real-time view from a system administrator perspective of the exact data, down to the record and field, that they have stored locally.
For the person implementing compliance, and for subsequent personnel who need to audit for compliance, the process is removed of all pain and frustration, but without MobileCaddy it would require location and reviewing individuals’ devices.
When needing to demonstrate compliance at the level of the user interface, MobileCaddy apps can be run up on any device, and can also run on a platform emulator when working with auditors or compliance officers
GDPR compliance is a huge issue for everyone. Mobile is just one of many areas of consideration, and we want to show that there are some special cases which require extra attention within that.
With MobileCaddy, there are several tools and options available to bring visibility to the issue, and this will allow you to comply, and demonstrate that compliance.
As is the MobileCaddy way, visibility and control throughout the entire app lifecycle are essential, not just for performance, but now also for compliance with regulations like GDPR.
If anyone has any concerns about this, feel free to get in touch with us directly and we’ll do our best to provide some further information.