GDPR: The Best Reason to Review Your Mobile SDKs

November 17, 2017 Connor Schultze

If your company interacts with citizens of the EU, then May 25, 2018 is a date you probably already have marked on your calendar.

By this date, all data collection involving users living in the EU must be compliant with GDPR, or the General Data Protection Regulation. A lack of compliance could result in a fine of €20M, or 4% of your company’s annual global revenue (whichever figure is higher). If you didn’t know that already, I’m sure I now have your undivided attention.

Much of the GDPR conversation has focused on web analytics, but what about GDPR for mobile apps? 69% of digital media time is spent on mobile, and 92% of that mobile time is in apps. Consequently, companies should not overlook mobile app data when it comes to GDPR; they need to stay alert to how their apps collect, transmit and store data.

To get a grip on your mobile app data, follow these three steps:

  1. Discover SDKs and reduce redundancy
  2. Know how your data is being processed
  3. Ensure GDPR compliance with your SDK vendors

First, let’s clarify some key definitions so that GDPR makes sense for mobile apps and app developers.

Data Controllers and Data Processors: Which Are You?

GDPR regulations pertain to the processing of personal data by controllers and processors. Unsure of which category you fall into? The difference is relatively simple.

If your organization collects and processes any personal information about an EU citizen, like an IP address or a user’s name, this classifies your organization as a data controller. For example, the app owner is the data controller.

A data processor processes personal data on behalf of the controller as a third party. An example of a processor is a third-party vendor that handles data from your app through a software development kit (SDK) installed in your app. Developers implement SDKs (like the Facebook SDK) for a multitude of reasons, such as payment processing (think PayPal or Venmo) and social media marketing (think Facebook or AmazonAds).

It is the duty of the controller to only use processors that are GDPR compliant. This is why there has never been a better time to know exactly which SDKs your app is using. Start off by discovering which SDKs you have in your app.

1. Discover SDKs and reduce redundancy

More than likely a third-party SDK has been implemented into your app. But do you actually know how many SDKs you have?

According to a recent report on 190,000 free Android apps, the average app contains 17.9 mobile SDKs, of which 5.4 per app (just about 30%) are unused.

To be compliant with GDPR as a data controller, you have to know how data is being handled for every single one of your SDKs.

As such, if you can reduce redundancy of SDKs, you can streamline mobile app governance.

Ask yourself “Do I have an SDK doing the same job as another?” Check out this awesome Table of App Data SDKs created by David Spitz, mParticle’s CMO.

This table only shows a small portion out of the thousands of different mobile SDK technologies out there, but it does help to visualize what some of the more popular categories of technologies are.

Do you have multiple SDKs that fall under the same category in this table? If so, now is the time to find out why and only use SDKs that bring value to your organization while eliminating redundant technologies.

2. Know how data is being processed and stored

According to GDPR, the data controller must clearly inform users of:

  • Their right to request erasure of personal data
  • The purposes of the processing of personal data
  • The location of where the data is being processed
  • The period of time personal data will be stored

as well as other transparency requirements that can be found under Article 13 of the GDPR.

Under the new GDPR regulations, an EU citizen can request that all their user data be modified, erased, or retrieved no later than a month after the request is received. If you can’t make these things happen with your current SDK vendors, you may need to make some changes.

If you’re now deciding between third-party SDKs, ask your vendors, “Is your organization able to locate and erase all personal data of a single user?”

3. Ensure GDPR compliance with your SDK vendors

As a data controller, the responsibility falls on you to choose your data processors wisely. Set up a meeting with each SDK vendor and map out exactly what and how data is being processed.

Ask questions like “When GPS location data is collected, how long is that data being stored?” Your vendor should already be considering ways to anonymize user data in a way that still makes it useful, and yet ensures that the user’s identity is 100% protected. For example, analytics SDK vendors should offer the capabilities to slightly truncate GPS coordinate data or IP addresses.

Bonus Tip: Use Automation for GDPR Governance

ObservePoint’s AppAssurance™ allows app developers and QA engineers to walk through pages of their mobile app to know exactly:

  1. Where on a page an analytics SDK has been implemented
  2. If the implemented SDK is working correctly
  3. Exactly what data the SDK is collecting

This information is invaluable when trying to verify your mobile apps are GDPR compliant. ObservePoint’s robust rules engine enables you to create custom validation to identify if any personal data is being passed back to a third-party vendor.

Here are some sample Regex filters you could include with your ObservePoint rules to check if personal customer data is being sent through your SDK, particularly for GDPR compliance, but also for general best practices in data privacy (such as with social security numbers):

  1. Email Addresses: (?:[a-z0-9+_~-]+(?:\.[a-z0-9+_~-]+)*)@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?|[a-z0-9-]*[a-z0-9]:+)\])
  2. Zip Codes: ^\d{5}(?:-\d{4})?$
  3. IP Addresses: ^(?:(?:\d|\d{2}|1\d{2}|2[0-4]\d|25[0-5])\.){3}(?:\d|[1-9]\d|1\d{2}|2[0-4]\d|25[0-5])$
  4. International Phone Numbers (this pattern covers North American Numbering Plan numbers with an optional +1 country code): ^(?:\+?1\s*(?:[.-]\s*)?(?:\(\s*([2-9]1[02-9]|[2-9][02-8]1|[2-9][02-8][02-9])\s*\)|([2-9]1[02-9]|[2-9][02-8]1|[2-9][02-8][02-9]))\s*(?:[.-]\s*)?)?([2-9]1[02-9]|[2-9][02-9]1|[2-9][02-9]{2})\s*(?:[.-]\s*)?([0-9]{4})$
  5. Social Security Numbers: ^\d{3}-\d{2}-\d{4}$
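To see what these filters catch and miss before wiring them into a rules engine, here is an added Python example (my own illustration, not ObservePoint's code) that runs the five patterns over a constructed sample of the query parameters an analytics SDK might send. The field names and values are hypothetical; note that patterns 2 to 5 are anchored, so they only fire on a whole parameter value, and that a five-digit SKU trips the zip filter, the kind of false positive you should expect and tune for.

```python
import re

# The post's five filters, with the email pattern's domain alternatives grouped (so a bare
# "[1.2.3.4]" cannot match alone) and the IP quantifiers written as {2}/{3}. Patterns 2-5 are
# anchored (^...$) and hit only when the WHOLE field value is the item; the email pattern is
# unanchored and also finds an address inside free text.
PII_FILTERS = {
    "email": re.compile(
        r"(?:[a-z0-9+_~-]+(?:\.[a-z0-9+_~-]+)*)@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+"
        r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}"
        r"(?:25[0-5]|2[0-4]\d|[01]?\d\d?|[a-z0-9-]*[a-z0-9]:+)\])",
        re.IGNORECASE,
    ),
    "zip": re.compile(r"^\d{5}(?:-\d{4})?$"),
    "ipv4": re.compile(
        r"^(?:(?:\d|\d{2}|1\d{2}|2[0-4]\d|25[0-5])\.){3}(?:\d|[1-9]\d|1\d{2}|2[0-4]\d|25[0-5])$"
    ),
    # Labelled "international" in the post; it actually matches North American (+1) numbers.
    "phone_nanp": re.compile(
        r"^(?:\+?1\s*(?:[.-]\s*)?(?:\(\s*([2-9]1[02-9]|[2-9][02-8]1|[2-9][02-8][02-9])\s*\)"
        r"|([2-9]1[02-9]|[2-9][02-8]1|[2-9][02-8][02-9]))\s*(?:[.-]\s*)?)?"
        r"([2-9]1[02-9]|[2-9][02-9]1|[2-9][02-9]{2})\s*(?:[.-]\s*)?([0-9]{4})$"
    ),
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
}

def scan_payload(params):
    """Map each SDK parameter whose value hits a filter to the filters it hit; {} means clean."""
    hits = {}
    for key, value in params.items():
        matched = [name for name, rx in PII_FILTERS.items() if rx.search(value)]
        if matched:
            hits[key] = matched
    return hits

# Constructed sample of the query parameters an analytics SDK might send home
# (hypothetical field names and values, not captured from any real app).
SAMPLE_PARAMS = {
    "event": "purchase_complete",
    "uid": "jane.doe@example.com",
    "client_ip": "203.0.113.42",
    "postal": "94105-1234",
    "support_line": "+1 (415) 555-2671",
    "gov_id": "123-45-6789",
    "sku": "12345",  # any five-digit number trips the zip filter: a false positive to expect
}

if __name__ == "__main__":
    for field, names in scan_payload(SAMPLE_PARAMS).items():
        print(f"{field}: looks like {', '.join(names)}")
```

In a real review, run the scan against the actual request parameters captured from each SDK and treat every hit as a question for the vendor rather than a verdict.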

Use GDPR to Show Mobile App Users You Respect Their Privacy and Security

User privacy and security should now be of paramount importance for any international organization. Follow these three steps I’ve outlined in the article to start your GDPR compliance plan for your app:

  1. Discover SDKs and reduce redundancy
  2. Know how data is being processed and stored
  3. Ensure GDPR compliance with your SDK vendors

With GDPR less than a month away from the writing of this article, it’s critical to only have third-party SDKs that bring value to your organization by adhering to GDPR.

Hopefully this blog has introduced talking points to start having data processing conversations with your SDK vendor and within your organization. I’ve added some resources that you can use to ensure your organization’s GDPR compliance, or to gain a more in-depth look at some items that this article touched on.

Mobile App Testing Strategy: Ensure Mobile App Success in 7 Steps

Top 10 operational impacts of the GDPR: Part 7 – Vendor Management

Entire GDPR document


About the Author

Connor Schultze

Connor Schultze joined the ObservePoint Product Management team in March of 2017 and now serves as a Product Manager. His previous experience includes working for a mobile and web application company in Missoula, MT as Lead Quality Assurance engineer. His experience in QA allowed him to understand the analytics space from a quality point of view, and equipped him with the skills to address customers’ challenges, particularly when it comes to app development, SDKs and testing. Connor is especially passionate about optimization from a product perspective, and always focuses on delivering a product that is intuitive for each user.
