GDPR and Mobile Apps


Mere weeks remain before the full implementation of the General Data Protection Regulation (GDPR). While it was officially created on the 27th April 2016, companies have been given a two year grace period before it becomes enforceable on the 25th May 2018. The regulation will apply to all 28 member states of the EU, in addition to any companies that have users in the EU. But what does this mean, and why should you care?

In essence, GDPR is regulation that has been put into place to protect EU citizens’ personal data. The types of privacy data that are protected include, but are not limited to:

  • Name, address and location
  • ID numbers
  • Sexual orientation
  • Racial or ethnic data
  • Political opinions
  • Biometric data
  • IP address
  • Cookie data
  • RFID tags

Strict rules are being enforced that mean companies must ensure they are correctly protecting the data of their users. Companies must not store data that a user has not consented to, must inform users within 72 hours of any data breaches, and must collect only the minimum amount of data required. The consequences of non-compliance? Written warnings, audits and hefty fines (to the tune of up to €20,000,000 or 4% of worldwide annual turnover).

How does this affect your app?

You need to consider what information your app requires, and who can access this information. When a user registers, carefully weigh up which fields to include. An email for logging in might be necessary, but do you really need to know a user’s location, for example? You need to refrain from asking for unnecessary data, and you need to protect the data you do collect.

Under GDPR, users will have a right to:

Access – users will be able to access the data that has been collected about them. They will also be able to know when, where and how data is being collected, and for what purpose.
Erasure – users can force data controllers to delete or otherwise destroy all data that has been collected about them.

To support the right to access, you will need to be clear with how information is collected – adding FAQs is one such way of ensuring clarity, as is utilising informational modals. With regard to supporting the right to erasure, a ‘Delete Account’ option in a profile screen is a straightforward solution.


Keeping the data that you collect from your app safe should be part and parcel of data management anyway, regardless of the introduction of GDPR. Consider who can access the data, and ask yourself whether they need to – keeping exposure to a minimum will only increase security. Implementing role-based permissions is one good way of only allowing the exposure of data on a need-to-know basis. It’s also important to encrypt wherever possible.

Are you ready for the arrival of GDPR? Have you considered any other handy ways to comply with the regulation? Let us know by emailing