GDPR for iOS Developers

Andrey Butov
September 11, 2018

GDPR is a complex set of regulations. It can be difficult to figure out what parts apply to your iOS app, and what you should be doing to comply with GDPR. But there's actually quite a bit of regulation in GDPR that applies to iOS apps. This talk dives into 12 of the more important items you should know when getting your iOS app prepared for GDPR.

Transcript

  1. @andrey_butov
    GDPR for iOS developers
    Andrey Butov
    [email protected]

  2. What is GDPR?
    (General Data Protection Regulation)
    Regulation designed to give individuals
    more control over their personal data.

  3. To whom does GDPR apply?

  4. Where do I fit in?
    Data Controller: uses the data for business goals (app owner, etc.).
    Data Processor: processes the data on behalf of the controller (ad network, crash handler, Crashlytics, Urban Airship, Google, Bugsnag, etc.).
    Data Subject: the app user.
    Data Protection Officer: a person appointed to be explicitly in charge of all this stuff. Probably does not apply to you unless you are processing a large amount of personal data and run a large operation.

  5. Things to keep in mind.
    Written by politicians.
    Mainly with larger companies in mind.
    Lawyers don’t have all the answers.
    Litigation sets precedent.
    Best sincere effort, while keeping the intent of the regulation in mind.

  10. Personal data
    • Email address
    • IP address
    • Advertising identifier
    • GPS location
    • MAC address
    • Physical address
    • Date of birth
    • Social security number
    • Financial information
    • Physical characteristics like eye color, weight, etc.
    • Salary and tax information
    • Religious and political preferences
    • Medical information
    Why?

  12. Personal data
    Anything that, by itself, or in combination with other pieces of data, can be used to identify an individual.
    … which means? Every piece of data ever?

  14. If you hesitate, or feel you have to ask “is this personal data”, it is personal data.
    • Because we just don’t know.
    • Because until it’s resolved through litigation and has precedent (and even then), we just don’t know.
    • Because it’s safer to follow the intent of the regulation, be conservative, and err on the side of caution.

  18. What if you fail to comply?
    Fines of up to €20 million or 4% of worldwide annual turnover (whichever is higher).

  21. iOS app backed by a web app?
    Your web app privacy policy should reflect what data is being collected and for what purpose.

  22. Privacy by design
    You can only hold and process data that’s strictly necessary for the purpose you collected it for.
    Data should be deleted after it’s no longer needed.
    If there’s a data breach, you must notify your supervisory authority within 72 hours of becoming aware of it, and the affected users without undue delay if the breach is likely to put them at high risk.

  25. Data portability
    The user (data subject) has the right to request his/her data from you (data controller), at any time.
    You must provide for a way to transfer the data to another controller, if requested.
    You must provide that data in a commonly-used, machine-readable format.
    This must be done without hindrance or penalty to the user.

  29. Consent

  30. “Do I need to ask for consent if I just want to show ads in my app?”
    Yes.
    “But I’m not collecting any personal data!”
    But your ad network is, and you’re responsible.

  34. 3rd-party ad network SDKs collect the advertising identifier (IDFA), which is personal data under GDPR (an online identifier), and, in some cases, the GPS location, both of which require consent.

  35. Some ad networks (AdMob) let you turn off personalized ads.
    Option 1:
    Ask for consent (properly). Receive consent. Allow AdMob to collect the IDFA, and show personalized ads.
    Option 2:
    Don’t ask for consent (or consent is denied, withdrawn, etc.). Configure AdMob to show non-personalized ads.
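The two options in code, as an added example that is not from the talk and not Google's sample code. `GADRequest`, `GADExtras`, `register(_:)` and `adNetworkExtras(for:)` are the Google Mobile Ads SDK's own types and methods, and `"npa": "1"` is the documented extra for non-personalized ads; the `ConsentState` enum and the helper names are assumptions standing in for whatever consent flow your app has on record.

```swift
import GoogleMobileAds

// Outcome of your own consent flow (hypothetical enum for this example).
// Only .granted means consent was properly asked for and actually given.
enum ConsentState {
    case granted
    case denied
    case withdrawn
    case neverAsked
}

/// Build an AdMob request that matches the recorded consent state.
///
/// Option 1 (.granted): a plain request; AdMob may use the IDFA and serve
/// personalized ads.
/// Option 2 (everything else): attach the "npa" = "1" extra so AdMob serves
/// non-personalized ads. Never asking, asking and being refused, and a later
/// withdrawal are deliberately treated the same way: no personalized ads.
func makeAdRequest(consent: ConsentState) -> GADRequest {
    let request = GADRequest()
    if case .granted = consent {
        return request
    }
    let extras = GADExtras()
    extras.additionalParameters = ["npa": "1"]
    request.register(extras)
    return request
}

/// True when a request carries the non-personalized-ads extra. Useful in a
/// unit test to prove that no non-.granted state ever yields a personalized
/// request, which is the property you actually have to defend.
func isNonPersonalized(_ request: GADRequest) -> Bool {
    guard let extras = request.adNetworkExtras(for: GADExtras.self) as? GADExtras,
          let npa = extras.additionalParameters?["npa"] as? String else {
        return false
    }
    return npa == "1"
}

// Usage: decide per request, from the consent your app has on record.
precondition(!isNonPersonalized(makeAdRequest(consent: .granted)))
for state in [ConsentState.denied, .withdrawn, .neverAsked] {
    precondition(isNonPersonalized(makeAdRequest(consent: state)))
}
```

The important design point is the default: anything other than an explicit, recorded grant falls through to the non-personalized path, so a bug in the consent screen (never shown, dismissed, crashed) degrades to Option 2 rather than to silent IDFA collection.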

  38. What about Google’s Consent SDK?
    This was rushed. Google did not want to do this.
    The phrasing is a bit … slimy.
    You are still responsible. Google does not want to be a data controller.

  42. The consent request must be prominent and separate from your terms and conditions.
    You can’t stick a “you agree that we will collect …” paragraph inside the EULA.

  44. Your request for consent should not use any pre-ticked checkboxes, or any other pre-selected default values.

  45. Your requests must use clear, plain language that is easy for the user to understand.

  46. You need to explain why you are collecting the data (for what purpose is it going to be used?)
    consentmonitor.com

  47. Each distinct piece of data you collect, and each purpose you use it for, needs its own consent.

  48. Inform users about all third-parties that will be using the data.

  49. You need to keep a record of when and how you collected consent for each piece of data, from each of your app users.

  50. You need to keep a record of the exact wording of the request that the user gave consent to.

  51. You need to inform users about their right to withdraw consent at any time.
    You need to give users the ability to withdraw consent at any time.

  53. You need to give users the ability to submit a request-to-be-forgotten.
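A minimal in-app consent ledger, as an added example that is not part of the talk and not consentmonitor.com's code. It records, per user, data item and purpose, when and how consent was collected and the exact wording shown (slides 49 and 50), supports withdrawal (slides 51 and 52) and a request-to-be-forgotten (slide 53), and exports a user's records as JSON for a portability request (slides 25 to 28). All type and field names are assumptions, the sample record at the bottom is constructed, and persistence (Keychain, your backend) is left to you; only Foundation is used, so it runs as a plain `main.swift`.

```swift
import Foundation

/// One consent event: one user, one data item, one purpose.
/// Field names are assumptions for this example.
struct ConsentRecord: Codable {
    let userID: String
    let dataItem: String          // e.g. "IDFA", "GPS location"
    let purpose: String           // what the data is used for
    let thirdParties: [String]    // everyone else who receives it
    let requestText: String       // the exact wording the user agreed to
    let collectedVia: String      // where/how, e.g. "in-app consent screen v2"
    let grantedAt: Date
    var withdrawnAt: Date?        // nil while consent is still in force
}

/// Append-only record of consent. Withdrawal stamps withdrawnAt instead of
/// deleting, so the evidence that consent existed while you processed the
/// data is preserved. Only a request-to-be-forgotten removes records.
final class ConsentLedger {
    private var records: [ConsentRecord] = []

    func record(_ r: ConsentRecord) {
        records.append(r)
    }

    /// Consent is granular: a grant for ("IDFA", "personalized ads") says
    /// nothing about ("GPS location", "personalized ads") or ("IDFA", "analytics").
    func hasConsent(userID: String, dataItem: String, purpose: String,
                    at now: Date = Date()) -> Bool {
        records.contains {
            $0.userID == userID && $0.dataItem == dataItem && $0.purpose == purpose
                && $0.grantedAt <= now && $0.withdrawnAt == nil
        }
    }

    func withdraw(userID: String, dataItem: String, purpose: String,
                  at now: Date = Date()) {
        for i in records.indices
        where records[i].userID == userID && records[i].dataItem == dataItem
            && records[i].purpose == purpose && records[i].withdrawnAt == nil {
            records[i].withdrawnAt = now
        }
    }

    /// Data portability: every record about this user as JSON, a commonly
    /// used, machine-readable format another controller can ingest.
    func export(userID: String) throws -> Data {
        let encoder = JSONEncoder()
        encoder.dateEncodingStrategy = .iso8601
        encoder.outputFormatting = [.prettyPrinted, .sortedKeys]
        return try encoder.encode(records.filter { $0.userID == userID })
    }

    /// Request-to-be-forgotten. This only erases the consent ledger; the data
    /// you collected under that consent (and the copies held by your
    /// processors) has to be erased separately.
    func forget(userID: String) {
        records.removeAll { $0.userID == userID }
    }
}

// Constructed sample data for this example.
let ledger = ConsentLedger()
ledger.record(ConsentRecord(
    userID: "user-123",
    dataItem: "IDFA",
    purpose: "personalized ads",
    thirdParties: ["AdMob"],
    requestText: "May we share your advertising identifier with AdMob to show you personalized ads?",
    collectedVia: "in-app consent screen v2",
    grantedAt: Date(),
    withdrawnAt: nil))

precondition(ledger.hasConsent(userID: "user-123", dataItem: "IDFA", purpose: "personalized ads"))
// No consent for a different item or a different purpose, even for the same user.
precondition(!ledger.hasConsent(userID: "user-123", dataItem: "GPS location", purpose: "personalized ads"))
precondition(!ledger.hasConsent(userID: "user-123", dataItem: "IDFA", purpose: "analytics"))

ledger.withdraw(userID: "user-123", dataItem: "IDFA", purpose: "personalized ads")
precondition(!ledger.hasConsent(userID: "user-123", dataItem: "IDFA", purpose: "personalized ads"))

// The withdrawn record is still exportable as evidence ...
let exported = try ledger.export(userID: "user-123")
let decoder = JSONDecoder()
decoder.dateDecodingStrategy = .iso8601
let kept = try decoder.decode([ConsentRecord].self, from: exported)
precondition(kept.count == 1 && kept[0].withdrawnAt != nil)

// ... until the user asks to be forgotten.
ledger.forget(userID: "user-123")
let remaining = try decoder.decode([ConsentRecord].self, from: try ledger.export(userID: "user-123"))
precondition(remaining.isEmpty)
```

Two choices worth copying even if you replace the storage: the key is (user, data item, purpose) rather than just the user, so a single "I agree" can never be stretched to cover a new purpose, and withdrawal and erasure are different operations, because a withdrawn grant is still the proof you need for the processing that already happened.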

  54. consentmonitor.com
    Properly requests consent, as required by GDPR.
    Retains a record of consent for every piece of data, for every user, including meta-data on how the consent was requested.
    Allows your users to easily revoke or update consent.
    Allows your users to easily submit a request-to-be-forgotten.
    Gives you a trail of evidence that consent was given by this exact user, for this exact piece of collected data, for this exact purpose.

  56. @andrey_butov
    [email protected]
    Thank you!
