As a developer, you want to create the best possible appAn application, downloaded by a user to a mobile or other device. or game, for users. While the functionality and user XP might be second to none, you still need to win users’ trust: and the best way to do that is to reassure them that their user data is protected.
Here are the main points to consider and include in your development plans.
The GDPR, just like previous data protection legislation, covers personal dataInformation which relates to an identified or identifiable natural person. – names, dates of birth, phone numbers, etc. But it also covers a wide range of digital information – things like GPS location, IP addresses, usernames, biometrics and online behaviours.
So now, app and game developers must not only consider audience targeting, technology platforms, optimising performance requirements, UX Design and so on, but also EU residents’ personal data.
Even if they don’t require users to provide personal details on sign-up, developers must still:
And, of course developers should make sure information required to be published under the GDPR is presented in a clear and accessible way.
Users must now give their consentAn unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed. to allow an app or game to processA series of actions or steps taken in order to achieve a particular end. their personal data. Exceptions are made if there’s an alternative legal basis for processing, but particularly for gaming, this is unlikely. Consent should be granular, with users consenting to the use of a minimum level of data for the app’s basic functionality, but with additional levels of consent being sought to extend this.
Under the GDPR users must make an affirmative action to provide their consent. The days of the ‘opt-out’ – where it could be assumed that personal data could be processed just because users haven’t said ‘you can’t’ are long gone.
Developers should remember it’s vital to keep a record of when and how consent was received.
CookiesData which tracks a visitor’s movement on a website and remembers their behaviour and preferences. can be widely used in game and app design to remember user preferences, previous scores, log in details and so on. Cookies that enable an individual to be identified are considered personal data and the way they’re used in the app must therefore be GDPR compliant.
Like consent, users should be able to choose whether they wish to accept cookies or not, especially where the cookies are not essential to the functionality or where accepting cookies means users’ data will be shared with 3rd parties. Accepting non-essential cookiesCookies created by third parties and dropped on website users, for the purposes of analytics or advertisement tracking. must be done through affirmative action and be easy to subsequently withdraw. Users should still be able to use the app even if they choose not to accept cookies.
The GDPR promotes the concept of ‘Privacy by Design’. When developing new apps, project teams should consider privacy and personal data protection from the outset.
Privacy Impact Assessments should be considered for each new system that processes personal data. It’s then advisable to follow up with regular risk assessments to ensure ongoing integrity of the end-product. These assessments should consider:
Apps and games should be designed so they can be interrogated quickly and simply to provide all the information for a Subject Access Request (SAR).
Ideally a secure account area would allow users to exercise their rights under the GDPR in one place so they can:
The GDPR is very specific about the transferThe movement of data from one place to another. This could be, for example, from one data controller to another, or from one jurisdiction to another. of EU residents’ personal data outside of the EU, even if the data is kept under the control of the same organisation.
Developers should make it clear within their Privacy Policy when personal data will be transferred outside of the EU. Any organisation that controls or processes the data outside the EU will also need to be compliant with the GDPR. Data controllers should ensure they have suitable Data Processing Agreements in place with these third parties.
Even with end-to-end security measures in place, a data breach may still occur. It’s important to identify and provide notification of any breach incident as early as possible. Systems should be in place to identify breaches and report those that are sufficiently serious to the supervisory authorityAn authority established by its member state to supervise the compliance of data protection regulation. (such as the ICOThe United Kingdom’s independent supervisory authority for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc. in the UK) and to inform data subjects where appropriate.
Always remember that a data breach / incident register should be maintained.
Lastly, legislation now requires that personal data should be portable. So, during the planning phase, engineers must consider the format of the data collected and the ease by which it can be converted into a commonly used machine-readable format (i.e. CSV) that can be provided upon request.
All this new legislation may appear quite daunting. However, with good planning, an understanding of the new requirements and a systematic approach to managing personal data; developers can build apps and games that will gain greater trust from users and lead to improved engagement and ultimately greater revenues.
To find out more about how The DPO Centre can help you, please contact us today