As a developer, you want to create the best possible app or game for users. While the functionality and user experience might be second to none, you still need to win users’ trust, and the best way to do that is to reassure them that their personal data is protected.
Here are the main points to consider and include in your development plans.
The GDPR, just like previous data protection legislation, covers personal data – names, dates of birth, phone numbers, etc. But it also covers a wide range of digital information – things like GPS location, IP addresses, usernames, biometrics and online behaviours.
So now, app and game developers must consider not only audience targeting, technology platforms, performance optimisation, UX design and so on, but also EU citizens’ personal data.
Even if they don’t require users to provide personal details on sign-up, developers must still:
And, of course, developers should make sure that information required to be published under the GDPR is presented in a clear and accessible way.
Users must now give their consent to allow an app or game to process their personal data. Exceptions are made if there’s an alternative legal basis for processing, but particularly for gaming, this is unlikely. Consent should be granular, with users consenting to the use of a minimum level of data for the app’s basic functionality, but with additional levels of consent being sought to extend this.
Under the GDPR, users must take an affirmative action to give their consent. The days of the ‘opt-out’ – where it could be assumed that personal data could be processed simply because users hadn’t said ‘you can’t’ – are long gone.
Developers should remember it’s vital to keep a record of when and how consent was received.
Cookies are widely used in game and app design to remember user preferences, previous scores, login details and so on. Cookies that enable an individual to be identified are considered personal data, and the way they’re used in the app must therefore be GDPR compliant.
As with consent, users should be able to choose whether to accept cookies, especially where the cookies are not essential to the functionality or where accepting them means users’ data will be shared with third parties. Accepting non-essential cookies must be done through affirmative action and must be easy to withdraw afterwards. Users should still be able to use the app even if they choose not to accept cookies.
The GDPR promotes the concept of ‘Privacy by Design’. When developing new apps, project teams should consider privacy and personal data protection from the outset.
Privacy Impact Assessments should be considered for each new system that processes personal data. It’s then advisable to follow up with regular risk assessments to ensure the ongoing integrity of the end product. These assessments should consider:
Apps and games should be designed so they can be interrogated quickly and simply to provide all the information for a Subject Access Request (SAR).
Ideally a secure account area would allow users to exercise their rights under the GDPR in one place so they can:
The GDPR is very specific about the transfer of EU Citizens’ personal data outside of the EU, even if the data is kept under the control of the same organisation.
Even with end-to-end security measures in place, a data breach may still occur. It’s important to identify and provide notification of any breach incident as early as possible. Systems should be in place to identify breaches and report those that are sufficiently serious to the supervisory authority (such as the ICO in the UK) and to inform data subjects where appropriate.
Always remember that a data breach / incident register should be maintained.
Lastly, the legislation now requires that personal data be portable. So, during the planning phase, engineers must consider the format of the data collected and how easily it can be converted into a commonly used machine-readable format (e.g. CSV) that can be provided upon request.
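The consent, cookie, Subject Access Request and portability points above all come down to the same piece of plumbing: an append-only record of what each user agreed to, when and how, that defaults to "no" for anything not expressly chosen and can be exported on request. The following is an added example, not code from the original article or from any product it describes. The purpose names, the list of methods that count as an affirmative action, and the export layout are all assumptions chosen to illustrate the design.

```python
"""Consent ledger with granular purposes and a portable SAR export (added example)."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import csv
import io
import json

# Hypothetical purposes for an app or game. "core_gameplay" is the minimum
# needed for basic functionality; each optional purpose needs its own consent.
ESSENTIAL_PURPOSES = {"core_gameplay"}
OPTIONAL_PURPOSES = {"analytics", "personalised_ads", "third_party_sharing"}
ALL_PURPOSES = ESSENTIAL_PURPOSES | OPTIONAL_PURPOSES

# Only these (assumed) UI actions count as affirmative consent. A pre-ticked box
# or a silent default is not in the set, so implied "opt-out" consent cannot be
# recorded as a grant. Withdrawal is accepted from any method.
AFFIRMATIVE_METHODS = {"signup_checkbox", "settings_toggle", "cookie_banner_accept"}


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str
    granted: bool        # True = consent given, False = consent withdrawn
    timestamp: str       # ISO 8601 UTC: the "when" the article says to keep
    method: str          # the "how"
    policy_version: str  # which privacy notice the user actually saw


class ConsentLedger:
    """Append-only: decisions are never overwritten, so history stays auditable."""

    def __init__(self):
        self._events: list[ConsentEvent] = []

    def record(self, user_id, purpose, granted, method, policy_version, now=None):
        if purpose not in ALL_PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        if granted and method not in AFFIRMATIVE_METHODS:
            raise ValueError("consent must come from an affirmative user action")
        ts = (now or datetime.now(timezone.utc)).isoformat()
        self._events.append(ConsentEvent(user_id, purpose, granted, ts, method, policy_version))

    def current_consents(self, user_id):
        """Latest decision per purpose; anything never decided defaults to False."""
        state = {p: False for p in ALL_PURPOSES}
        for e in self._events:  # appended in chronological order, so last wins
            if e.user_id == user_id:
                state[e.purpose] = e.granted
        return state

    def may_process(self, user_id, purpose):
        """The check every processing path should call before touching the data."""
        return self.current_consents(user_id).get(purpose, False)

    def history(self, user_id):
        return [asdict(e) for e in self._events if e.user_id == user_id]


def export_for_sar(ledger, user_id, profile):
    """Everything held on one user: JSON for structure, CSV for the consent table."""
    payload = {
        "profile": profile,
        "current_consents": ledger.current_consents(user_id),
        "consent_history": ledger.history(user_id),
    }
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=["user_id", "purpose", "granted", "timestamp", "method", "policy_version"]
    )
    writer.writeheader()
    writer.writerows(payload["consent_history"])
    return json.dumps(payload, indent=2), buf.getvalue()


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record("u1", "core_gameplay", True, "signup_checkbox", "v1")
    ledger.record("u1", "analytics", True, "settings_toggle", "v1")
    ledger.record("u1", "analytics", False, "settings_toggle", "v1")  # later withdrawal
    as_json, as_csv = export_for_sar(ledger, "u1", {"username": "player1"})  # constructed profile
    print(as_json)
    print(as_csv)
```

Two design points carry the weight here. The ledger is append-only, so a withdrawal is a new event rather than an edit, which is what lets you show a supervisory authority exactly what the user had agreed to at any given moment. And `current_consents` starts every purpose at `False`, so a purpose the user never saw a choice for is treated as declined rather than silently permitted.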
All this new legislation may appear quite daunting. However, with good planning, an understanding of the new requirements and a systematic approach to managing personal data, developers can build apps and games that will gain greater trust from users and lead to improved engagement and, ultimately, greater revenues.