10 Myths About GDPR in Mobile Apps
GDPR came into force on May 25th, 2018. At that time, we observed a lot of news and articles introducing various myths and misconceptions. As of writing, nearly 4 years later, some of these myths are still alive. Let's debunk them!
User consent is always needed for processing personal data
You have probably seen the ubiquitous consent prompts shown before an app can access personal data. You may think such consents are required by GDPR. However, that is not always true! GDPR lists several legal bases for processing (Art. 6), and consent is only one of them. Others include the performance of a contract, a legal obligation, and the legitimate interests of the controller. Consent should be relied on only when none of the other bases fits, because consent must be freely given and can be withdrawn at any time, which makes it the weakest basis to build a processing activity on.
Separate consent is not required when personal data is needed to fulfil a contract. For example, the user's name and address are usually needed to deliver physical products bought in the app. If such data is used only for that purpose, and not for other purposes such as marketing, then GDPR-related consent is not needed and, in some cases, asking for it may even be misleading: a user who "withdraws" consent would still have their address processed to deliver the order, because the real legal basis is the contract.
My company is based outside the EU, so GDPR does not apply to my application
It does not matter where the organization's HQ is located. Under Art. 3(2), GDPR applies to a controller or processor outside the EU whenever the processing concerns people who are in the EU (not only citizens) and is related to either offering them goods or services, whether physical or virtual and whether paid or free, or monitoring their behaviour. The second case is easy to overlook: an app that tracks analytics events, builds usage profiles or serves targeted ads to users in the EU is monitoring their behaviour and falls under GDPR even if it sells nothing to them.
GDPR is identical across all EU countries
General rules are the same in all EU member states. However, details may vary between particular countries, because the regulation leaves a number of "opening clauses" for national law. For example, GDPR does not fix a single age below which a child cannot consent to information society services on their own. Art. 8 sets it at 16 years, but allows each member state to lower it, to not less than 13 years. In France, for example, it is 15 years. An app that relies on consent therefore needs to know which national threshold applies to each user.
Pseudonymized personal data is the same as anonymized and thus it does not fall under GDPR
GDPR does not apply to properly anonymized data, because it no longer relates to an identifiable person. That is not the case for pseudonymization. The key difference between the two techniques is that pseudonymization is reversible: the direct identifiers are replaced by tokens, but the controller keeps the key or mapping table (the "additional information" of Art. 4(5)) that links the tokens back to the individuals. Pseudonymized data is therefore still personal data, must still be protected, and the key or mapping must be stored separately under its own technical and organisational safeguards. Pseudonymization is a recommended security measure (Art. 32), not an exit from GDPR. Read more about both processes in the Article 29 Working Party Opinion 05/2014 on Anonymisation Techniques.
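The difference is easier to see in code. The following is an added example, not code from the original article: a keyed pseudonymizer whose output can be linked back to the person by anyone holding the key or the reverse table, next to an anonymization step that drops direct identifiers, generalizes age and postcode into bands, and suppresses any group smaller than k records so no row can be traced back. The sample records are constructed for the example.

```python
"""Pseudonymization (reversible, still personal data) versus anonymization
(irreversible). Added example; sample records below are constructed."""
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample data: not real people.
RECORDS = [
    {"email": "alice@example.com", "age": 34, "postcode": "75001", "purchases": 3},
    {"email": "bob@example.com",   "age": 37, "postcode": "75008", "purchases": 1},
    {"email": "carol@example.com", "age": 31, "postcode": "75015", "purchases": 5},
    {"email": "dave@example.com",  "age": 52, "postcode": "69001", "purchases": 2},
    {"email": "erin@example.com",  "age": 58, "postcode": "69003", "purchases": 4},
    {"email": "frank@example.com", "age": 23, "postcode": "13001", "purchases": 1},
]


class Pseudonymizer:
    """Replace a direct identifier with a keyed token (HMAC-SHA256).

    Without the key, an observer cannot link the token to the person. The
    controller can, via the key and the reverse table kept here. That key and
    table are the 'additional information' of GDPR Art. 4(5): the tokenized
    records stay personal data, and the key/table must be stored separately.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key or secrets.token_bytes(32)
        self._reverse: Dict[str, str] = {}  # token -> identifier (keep apart from data)

    def pseudonymize(self, identifier: str) -> str:
        # Same key + same identifier -> same token, so records stay linkable
        # across datasets. Truncated to 16 hex chars for readability.
        digest = hmac.new(self._key, identifier.lower().encode(), hashlib.sha256)
        token = digest.hexdigest()[:16]
        self._reverse[token] = identifier
        return token

    def reidentify(self, token: str) -> Optional[str]:
        # Only works for the instance holding the reverse table / key.
        return self._reverse.get(token)


def pseudonymize_records(records: List[dict], pz: Pseudonymizer) -> List[dict]:
    """Swap the email for a token; everything else stays record-level."""
    return [
        {"user": pz.pseudonymize(r["email"]), "age": r["age"],
         "postcode": r["postcode"], "purchases": r["purchases"]}
        for r in records
    ]


def anonymize_records(records: List[dict], k: int = 2) -> List[dict]:
    """Irreversible: drop direct identifiers, generalize quasi-identifiers
    (age -> 10-year band, postcode -> 2-char region) and suppress any group of
    fewer than k rows, so each remaining row shares its quasi-identifiers with
    at least k-1 others (k-anonymity)."""
    def age_band(age: int) -> str:
        low = (age // 10) * 10
        return f"{low}-{low + 9}"

    generalized = [
        {"age_band": age_band(r["age"]), "region": r["postcode"][:2],
         "purchases": r["purchases"]}
        for r in records
    ]
    counts = Counter((g["age_band"], g["region"]) for g in generalized)
    return [g for g in generalized if counts[(g["age_band"], g["region"])] >= k]


if __name__ == "__main__":
    pz = Pseudonymizer()
    pseudo = pseudonymize_records(RECORDS, pz)
    print("pseudonymized:", pseudo[0])
    print("reidentified :", pz.reidentify(pseudo[0]["user"]))  # still personal data
    for row in anonymize_records(RECORDS, k=2):
        print("anonymized   :", row)
```

Note what the anonymized output loses: the single 20-29 / region 13 customer is suppressed entirely, because a group of one would identify that person. That loss of utility is the price of truly leaving GDPR's scope; the pseudonymized table keeps every row, which is exactly why it remains regulated.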
GDPR forbids storing personal data in the cloud
GDPR itself does not touch technical details such as whether personal data is stored in the cloud or not. No matter where data is stored, the storage and its operator need to be GDPR compliant, and the controller remains responsible for choosing a processor that provides sufficient guarantees (Art. 28).
In practice this means signing a Data Processing Agreement (DPA) with the storage provider. Most well-known cloud providers, such as Google Cloud or AWS, offer GDPR-compliant agreements based on standardized templates that you cannot negotiate. However, plain terms of service, especially for free-of-charge services, may not qualify as a formal DPA with the content Art. 28(3) requires, so check that one is actually in place. Note that it also matters whether the data centers are located in the EU or not. Transferring personal data outside the EU/EEA is governed by the additional rules of Chapter V (adequacy decisions, Standard Contractual Clauses and similar safeguards), so the region you select for a bucket or database is a compliance decision, not only a latency one.
Every app needs a Data Protection Officer (DPO)
According to GDPR (Art. 37), a DPO is mandatory only for public authorities, or when the core activities of your organization consist of regular and systematic monitoring of individuals on a large scale, or of large-scale processing of special categories of data (health, biometrics, political opinions and similar) or criminal-conviction data.
Otherwise, the company does not need to have a DPO, although it may appoint one voluntarily. Note that HR and head-hunting usually involve special-category data. GDPR itself does not define what "large scale" means. Some national laws add their own thresholds; German law, for example, requires a DPO once at least 20 people are regularly involved in automated processing of personal data, which is where the often-quoted "20 employees" figure comes from.
If a company is based in the UK, it does not need to comply with GDPR after Brexit
The UK Data Protection Act 2018 incorporated GDPR into British law, and after Brexit the EU text was retained as the "UK GDPR", which applies alongside the Act with essentially the same obligations. In addition, a UK company that offers goods or services to, or monitors the behaviour of, people in the EU still falls under the EU GDPR itself (Art. 3(2)), so such a company now has to comply with both regimes.
People can always request to completely erase their personal data according to the “right to be forgotten”
Individuals can request the erasure of their personal data (Art. 17). However, the right to be forgotten is neither absolute nor unconditional. Data does not have to be removed if it is still needed for another lawful purpose, for example to comply with a legal obligation or to establish, exercise or defend legal claims. The personal data of customers who bought physical products, for instance, usually has to be retained for as long as they can file complaints, and invoices have to be kept for the period required by tax and accounting law. What the controller must do is stop using the data for the purpose the user objected to, and delete it once no retention ground remains.
All personal data breaches need to be reported to authorities and affected users
In general, personal data breaches have to be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them (Art. 33). However, notification is not required if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. For example, consider a laptop containing personal data that was stolen or lost, but was locked and had a properly encrypted disk, with the key not compromised. There is an extremely low probability that the data will become accessible to unauthorized people, so the authority need not be notified. Note that every breach, reported or not, still has to be documented internally with its facts, effects and remedial action (Art. 33(5)), so the authority can verify the assessment later.
In some circumstances, the data subject (the person whose data was disclosed) also has to be informed of the breach (Art. 34). That is the case when there is a high risk to the rights and freedoms of the subject, e.g. the possibility of financial loss or identity theft. Note that the supervisory authority may also order you to inform affected users if you have not done so.
There are a lot of myths and misinterpretations related to GDPR floating around the internet. The ones discussed in this article are only a drop in the ocean. Keep in mind that the intent of GDPR is to harmonize the rules for personal data processing across all EU countries, not to add consent pop-ups to everything.