Protect your app: A business guide to data privacy

2. Data Protection Act 2018 – The Data Protection Act 2018 sits alongside the UK-GDPR and was implemented to complement the original GDPR framework. When the EU introduced GDPR, there was some scope for regional variation. For instance, countries could define their own age ranges for children and adults. The Data Protection Act 2018 enshrined GDPR in UK law but also detailed the UK-specific rules.

App developers and businesses need to understand how their apps and supporting systems collect and process data if they’re to comply with legislation and protect their users.

This means mapping data infrastructure and working out how that data is communicated, where it’s stored and who has access. Likewise, businesses must establish which individual is responsible for the data through the entire lifecycle. They are your data controller.

One of the tenets of the UK-GDPR framework is data minimisation. Data minimisation is the idea that apps and businesses should only collect as much data as they need. They should not harvest personal data irrelevant to the service they offer or the core functionality of their app. Consequently, it’s good practice for businesses and app developers to only collect personal data they deem absolutely essential.

If data is being communicated or stored for use at a later time, encryption is a sensible security precaution. When data is in transit, SSL/TLS encryption ensures secure communication and is particularly important when communicating sensitive data, such as usernames, passwords and unique IDs. Storage encryption is also essential and should be tailored to match the degree of sensitivity. The more sensitive the data is, the more complex your security should be and the more you should invest in protecting it.

Developers and businesses must also consider how they inform users of their data collection processes and request their consent.

While users are accustomed to clicking through large, complex privacy policies on their desktops, the small screens on most mobile devices ensure these types of documents aren’t suited to apps.

Instead, developers should think about intuitive ways to present the information that also reflect the limitations of mobile devices.

This may mean putting privacy information in the app store or using a layered approach that summarises the key points and allows the user to expand each if they want or require greater detail.

Additionally, make sure you’re fully transparent about what information you’re collecting and be specific on why you need it.

As the current situation with TikTok illustrates, app security is at the forefront of tech experts, business owners and politicians’ minds. Which means it’s a big concern for developers, too. While there are plenty of small things you can do to improve app security and data protection, the biggest impact comes from a fundamental change in mentality and approach.

By this, we mean apps need to be built securely from the ground up, with data protection practices engrained at every level. Digital security can’t be an afterthought or something that’s tagged on at the end. For a truly secure and safe app, security concerns and practices must permeate every aspect of design, implementation and long-term use.