The General Data Protection Regulation (GDPR) applies to mobile apps that collect and process personal data of European Union (EU) citizens. It is designed to protect user data storage and usage to ensure that the user is in control of their data. It applies to all businesses that have customers in the EU region, regardless of the origin of the business.

Main requirements for GDPR compliance

There are some major requirements to comply with GDPR in a mobile app. These requirements are going to help you decide whether you need to develop a GDPR-compliant app from scratch, or, if you have an app already, how you can make it GDPR compliant. These factors can also help you determine whether your app needs to be GDPR compliant or not.

A user's right to erase data

Under GDPR, a user using your app has the right to ask you to erase their data upon request. You have to abide by this if you consider your app to be GDPR compliant. A user can prevent further publication of their data and forbid its processing by any third-party library.

Thus, the architecture of the app should be planned in such a way that if a request comes, you can perform their request. In earlier days, some apps considered deactivating the user's account to be equivalent to deleting a user's data. That is not the case anymore. It must be erased.

There are some things that you have to keep in mind as an app developer when asking for a user's consent to collect their data. Primarily, you should obtain consent for advertising and for interacting with parts of the user's device. Permissions are one way to request consent from a user, and you have to include them while defining the architecture of your mobile app.

If the app is making use of the device's camera, microphone, storage, or sending special offers via an SMS service, or sending push notifications, then you need to ask for the user's permission. This also gives the user a sense of control as now they can clarify what type of their personal information is shared within the app.

A good practice to follow is to plan ahead what type of information you want to collect. For example, a common social network app may collect a user's email and request access to install analytics metrics, potentially through the use of a third-party app such as Google Analytics.

Defining privacy policies leads to transparency

You should not collect any type of information from the user that the app doesn't require. The app should document the necessary information related to a user's data protection and privacy.

A common practice in mobile apps is to have published a screen that is often called "Privacy Policy". It could contain all the information on what practices you have taken as the developer of the app to protect a user's data. This particular screen is commonly made available either under the app's "Settings" or "About" menu. Providing a privacy policy helps with transparency and lets the user examine the policy whenever they want to.

Data protection

If you are a large-scale company that tracks user activity online or gathers a wide range of different information on each user, then you need to appoint a Data Protection Officer (DPO) to make your app and business GDPR compliant. The objective of a DPO is to inform and advise the business on its data storage and protection. Another way to protect data is to encrypt the data stored and follow encryption protocols.

Other protocols like using two-factor authentication can ensure the safety of a user's data by ensuring that the person who logs in to the account on the app is the actual account holder.

Two-factor authentication means a combination of a possession factor (can be in form of a token), knowledge factor (can be either the login ID or password or both), and inherent factor (fingerprint or facial recognition, which is becoming more common with large-scale apps nowadays). This allows you to verify a person more precisely and thus, provides data protection.

Implementing permissions to comply with GDPR using the Crowdbotics App Builder

The purpose of permissions is to protect the privacy of an app user. A central design point of iOS and Android security architectures is that no app, by default, has permission to perform any operations that would adversely impact other apps, the operating system, or the user. This includes reading or writing the user's private data (such as contacts or emails or media gallery), reading or writing another app's files, performing network access, keeping the device awake, and so on.

Most permissions are prompted for a user's consent when at runtime. These are also known as runtime requests. When the app asks for a user's permission, a dialog box appears that has two options for the user to proceed. The first option is Allow and the second is Deny. This does not mean that the decision made by the user at the runtime cannot be changed. For any type of permission, a user may enable or disable permission in a device's system settings.

The most essential step you need to take care of when building a mobile app and before publishing it to an app store is to implement user permissions in the app. In this section, we are going to cover an example when adding a particular module in your app with the Crowdbotics App Builder.

The first module we are going to cover is the Camera. The Crowdbotics App Builder provides a built-in Camera module that you can drag-and-drop directly into your app to add Camera functionality. Let's start by creating a demo app with App Builder first. Login to your account at app.crowdbotics.com. You are going to be welcomed by the dashboard screen as shown below:

Click on the button Create App. You are going to be redirected on the create app page. Enter the name of the app, select the app type to Mobile App, and then press the button Create App.

You are going to be redirected on the Storyboard, which is primarily used for building custom screens or adding the ones we have already created for you to save some amount of time during development.

At the Storyboard screen, from the right panel, select Modules and then add the Camera module by drag-and-drop on the Storyboard. Click the save button.

The screen module is now added to your RAD stack app.

To add the necessary permission to access the Camera on a user's device, you have to take care of both iOS and Android platforms. This requires some manual coding, so click over to your source code from within the Settings page.

For Android, to prompt any type of permission, such as asking to use the device's camera, open the file [Your Project Name]/android/app/src/main/AndroidManifest.xml. On Android, it is done by including the <uses-permission> tag in the manifest file. Add the following permission approval:

<uses-permission android:name="android.permission.CAMERA" />

If the app requires using external features from the user's device, such as accessing their camera roll or media gallery or using the microphone for video recording, you have to add the add-on permissions in the manifest file as shown below.

<!-- required -->
<uses-permission android:name="android.permission.CAMERA" />

<!-- optional, additional permissions -->
<!-- Include this only if you are planning to use the camera roll -->
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />

<!-- Include this only if you are planning to use the microphone for video recording -->
<uses-permission android:name="android.permission.RECORD_AUDIO"/>

On an Android device, this is how permission is prompted to the user. They have the option to either grant or deny the permission.

To access the similar features on an iOS device, you have to add the following permissions in the file: ios/[Your Project Name]/Info.plist.

<!-- Required with iOS 10 and higher -->
<key>NSCameraUsageDescription</key>
<string>Your message to user when the camera is accessed for the first time</string>

<!-- Required with iOS 11 and higher: include this only if you are planning to use the camera roll -->
<key>NSPhotoLibraryAddUsageDescription</key>
<string>Your message to user when the photo library is accessed for the first time</string>

<!-- Include this only if you are planning to use the camera roll -->
<key>NSPhotoLibraryUsageDescription</key>
<string>Your message to user when the photo library is accessed for the first time</string>

<!-- Include this only if you are planning to use the microphone for video recording -->
<key>NSMicrophoneUsageDescription</key>
<string>Your message to user when the microphone is accessed for the first time</string>

Running the app on an iOS device, the prompt for permission is shown below. First, it asks the user for permission to use their device's camera.

Next, it prompts to use the device's microphone.

This set of permissions provides compliance with GDPR regulations. Other GDPR considerations, such as the right to erase data, the inclusion of a Privacy Policy, or the appointment of a DPO, are organizational and technical priorities that fall outside the scope of the Crowdbotics App Builder.

Conclusion

In this post, we discussed the necessary requirements to make a mobile app GDPR compliant. It is a mandatory requirement that you need to meet as an app owner if you are dealing with customers based in the EU region.

An app generated with the Crowdbotics App Builder tool comes with default permissions, specifically the ones we have discussed in the previous section. To build an app, Crowdbotics offers both the low-code Crowdbotics App Builder and managed app development by expert PMs and engineers.

For further reading on GDPR, check out these resources: