GDPR: The Challenges for India's App Developers
Identifying and Protecting PII Are Significant Tasks
With enforcement of the European Union's General Data Protection Regulation starting on Friday, app developers across the world are gearing up for the compliance challenge.
"For app developers, the most important element of the GDPR regulation is to understand personal data better while using it more effectively to improve the customer offerings and ensuring user protection," says Surendra Singh, country director with Forcepoint India.
The biggest challenge for app developers is to know where personally identifiable information resides. "The data could be in multiple locations - stored in the corporate data center, stored on the edge in branch offices as well as in the public cloud," Singh says (see: Mitigating Mobile Security Risks).
GDPR, which pertains only to the data of EU residents, includes tough requirements, including granting individuals, upon request, "the right to be forgotten" by having their data deleted. So companies need to know the exact location of the data in order to comply.
At a recent Annual Technology Conference hosted by the U.S. India Chamber of Commerce, Ajay Gupta, global information security officer for Pizza Hut Global, acknowledged that GDPR compliance poses a big challenge for his company.
"EU citizens can request that their personal information be deleted, which changes how Pizza Hut's apps and website work," Gupta said. "Our biggest challenge right now is GDPR because the penalties [for noncompliance] are 4 percent of global revenue. Our security is as strong as the weakest link."
Current State of Mobile Apps
India faces more GDPR privacy compliance challenges than other nations. For example, Indian apps ask for 3.5 times more permissions than their U.S. counterparts, according to a report by Arrka Consulting, a data advisory and consulting firm.
"Mobile apps often ask for access to your phone camera, microphone, location and call logs. In fact, 77 percent of apps [developers] were noncommittal when asked what happens to a user's personal data once the apps are deleted," says Sandeep Rao, principal of the strategy team at Arrka Consulting, which surveyed 100 app developers. "As many as 68 percent of Indian apps do not let users have a choice to opt out from giving personal information." (See: Protecting PII in Mobile Apps)
Indian apps have an average of five third-party software development kits embedded within them, Rao says. SDKs are an indication of how many external parties - other than your app provider - are sitting inside an app with access to your data.
GDPR requires a change in the way app developers function because, for example, they need to identify who has access to PII to ensure privacy is protected.
"The biggest challenge ... most companies would face in regards to data protection is to find what data is being shared with whom," says Prateek Tiwari, security lead at Zomato, a restaurant search and discovery company. "The challenge is nowadays, most of the companies use third-party services for analytics and unknowingly the data is being transmitted to advertisers without the owner's consent," he says.
Tiwari hopes GDPR becomes easier to understand over time. "It will take some time for all the companies to be fully compliant with GDPR," he says. "There are some daunting tasks that all companies need to take. But at the same time, it is OK to have made a start on getting ready - provided you have a timetable to deal with any outstanding line items."
Rao says banking app developers are among those struggling to figure out ways to be GDPR compliant.
"Nowadays, banks are using a person's social media profile and other data available online to decide on a person's credit eligibility," he says. "If today a user asks not to use data available online, it will be tough for a bank to follow a different procedure for a single person. It's all very complicated."
What Needs to Change
For app developers, an important first step is to identify all data created and owned by the business, wherever it resides.
"An important step is to highlight user-identifiable data - the information that is generated by the user, such as that created through interaction on apps or websites," Singh says. "Also, there is data that gets generated on behalf of the user, i.e. data entered into systems by a third party. This basically means there are many systems that could be used to collect personal data. Each needs to be clearly identified and classified accordingly."
"We have seen recent incidents where apps have exposed personal identifiable information on millions. This happens due to app developers failing to protect ad-targeting data transmitted to third-party advertisers," Tiwari says. "So as an app developer, it's pretty important to identify PII data sets and protect them from getting exposed to third-party advertisers."
Another challenge is developing easy-to-understand privacy guidelines for users.
"We are currently helping many companies to write a privacy guideline which can be comprehended by users," Rao says. "The challenge is there are multiple points to write, but we also need to be concise."
GDPR Compliance: Plan of Action
Among the steps security experts recommend that app developers take to help them comply with GDPR are:
- Encrypt important personal data sets as well as portable storage devices, such as flash drives, if they contain personal data;
- Implement a Security Information and Event Management, or SIEM, tool with log management capabilities to help monitor all user and system activity to identify suspicious or malicious behavior;
- Make employee compliance training a top priority.
Singh says data loss prevention software and cloud access security brokers can play important roles in the identification and protection of data.
"DLP can be used to go through an internal network to discover all the PII information, so that CISOs have inventory of all the personal data information," he says. "And at the same time, CASB can be implemented to look beyond the company perimeter. DLP can also be integrated with other third-party data protection technical measures to enable organizations to maintain visibility and control over critical business data, and extend data labeling and protection policies."