Data security and privacy in your app

In this blog post, we will teach you all you need to know about data security and privacy in your app. For that matter, we will explain all terms clearly, so that you know what to demand in your business management app.

What is a privacy notice, and how are users’ data protected?

A ‘privacy notice’ is defined as a legal document that companies storing or working with their clients’ data must provide. In it, they pledge to keep all information safe and to use it only for the purposes agreed by both parties.

This notice is mandatory for websites and apps collecting users’ personal information. In addition, they need to attach their legal notice and cookie policy.

Is it mandatory to include a privacy policy in my website?

If your website processes users’ or clients’ personal data, then of course it is. As you know, there are many types of websites (online shops, corporate sites, social media, informational pages, etc.).

The only sites exempt from including a privacy policy are personal websites and blogs, and only as long as they refrain from collecting user information.

What counts as personal data?

Personal data are any kind of information regarding identified or identifiable natural persons, that is, anyone whose identity may be determined by means of an identifier (name, ID number, location details, etc.). In addition, one or more aspects pertaining to their physical, physiological, genetic, psychological, economic, cultural, or social identity may be considered for that purpose.

There are many types of data to be processed. These may be classified into identification details (name, surname, ID number), work information, financial or health details. Furthermore, we may find special data categories, which refer to ethnic or racial origin, political opinions, religious beliefs, etc.

The importance of GDPR

The new General Data Protection Regulation gives citizens greater control and security over their personal information in the digital world. GDPR widens your right to decide how you want your data to be processed and which company communications may be sent to you.

However, many companies are seeking help to turn GDPR into a differentiating aspect and an added value. Their new strategy lies in the idea that there is no better business virtue than knowing in depth the details provided by both their present and future clients.

What do companies need to consider within the current legal framework?

Essentially, the new data protection regulation toughens control over personal information and bestows on each individual the right to accept or reject its use by any entity, either public or private, as well as to decide the way in which it is accessed and to withdraw that permission.

Greater transparency

More transparency is granted to the people whose information is collected. From now on, thanks to the new data protection regulation, companies must disclose to users where their details are obtained and the purpose for which they are collected, and prove that the data are being used for the purposes agreed.

Goodbye to tacit consent

Users, for their part, will have the capacity to withdraw their consent and have their data deleted from the company’s servers. Tacit consent is over. The new General Data Protection Regulation forces companies to put many more controls into place to ensure that the person ceding their information does so in full knowledge. From now on, companies must review and rewrite their contracts and terms.

Companies are responsible for their security

Each company determines which risk levels are deemed acceptable and which measures must be adopted to ensure that any person’s information is properly guarded and used. A one-size-fits-all approach to data security is over.

Proactivity in security breach reporting

Failures must be reported proactively. When facing a data leak, the person or entity in charge of processing the data must notify the security failure within 72 hours. They also need an effective system to report the breach to the affected people or entities, in case their rights may be at risk.

New DPO role

GDPR fosters the creation of the Data Protection Officer (DPO) role. This role is essential in the new European regulation, and its mission is to identify any potential risks and seek solutions.

A DPO is mandatory for all public administrations and for organisations processing data on a large scale. The DPO may be internal or external to the company.

New requirements for minors’ data

The new General Data Protection Regulation will require parental consent to process the information of children under the age of 16 in online services. Member states may pass laws for the purpose of reducing the age of consent, although no country may set that requirement below 13 years.

New certifications

The General Data Protection Regulation pays special attention to the implementation of certification schemes and opens different possibilities for their management. Certifications may be awarded by data protection authorities, either individually or collectively, by the European Commission, or by any other duly accredited entities.

Privacy by design and by default

The new General Data Protection Regulation requires technological measures for privacy by design and by default. All projects, whether commercial, to create a website, to develop a technological environment, etc., must assess from the outset of their design and by default (privacy by design and by default) the risks they may entail for the privacy of the personal data they will incorporate.

Furthermore, they must verify that all measures needed to eliminate or reduce these risks have been adopted and, lastly, that data processing complies with the data protection regulation in place.

User rights thanks to GDPR

The right of access is the right of the data subject to know and obtain, free of charge, information about the following:

  • Whether their personal data are being processed and, if so, the categories of data and the purpose of the processing.
  • The origin of that information (when it has not been provided by the data subject) and the disclosures carried out or intended.
  • If possible, the expected storage period of the personal data; otherwise, the criteria applied to determine it.

Users also have:

  • The right to request the rectification or erasure of their data, or the restriction of or objection to its processing.
  • The right to lodge a complaint.
  • The right to be informed about the appropriate safeguards, in case data are transferred to a third country.
  • The right to obtain a copy of the personal data being processed, without affecting any third-party rights.

To remain up to date about the sector’s news, please check our blog.
