My MSc thesis in Computer Science, supervised by Max van Kleek (University of Oxford), analysed a large range of documents, that an app developer must consider for data protection under GDPR. This analysis resulted in a set of developer guidelines.
These guidelines are shared, in the hope that some app developers might find them useful. Instead of providing a lengthly legal document, these guidelines represent the personal view of an app developer. They are by no means exhaustive, complete, nor proven in court. Please don't sue me.
Download the guidelines as pdf or visit the website.
The guidelines comprise 2 pages, and an appendix on third-party services.
To signify compliance with these guidelines, an app developer may use the provided logo.
The developer guidelines shall cover the fundamentals of GDPR. These are 1) the key concepts, 2) user rights, and 3) principles and obligations.
In addition, the specific data protection requirements of the most popular third-party services shall be included.
Legal terminology shall be avoided, to make the guidelines understandable without expert knowledge.
The app developer shall be made aware of what GDPR protects, that is, personal data. Personal data is relevant for the developer, being responsible for its protection as the data controller.
There has been much public attention on the high penalties, introduced by GDPR. The risk of such penalties is low, if the developer follows a risk-based approach to data protection, as advocated by GDPR.
Not all developers will be aware of the profound rights, that GDPR grants to users. These shall be mentioned.
The rest of the document shall cover the seven principles of GDPR, that the developer must follow as data controller:
- Lawfulness, fairness and transparency,
- Purpose limitation,
- Data minimisation,
- Accuracy,
- Storage limitation,
- Security, and
- Accountability.
To cover the first principle, “lawfulness, fairness and transparency”, the most important step is the provision of an adequate privacy policy. There exist rich online resources, which shall be mentioned.
For simplicity, the principles “purpose limitation”, “data minimisation”, “accuracy”, and “storage limitation” shall be summarised as reasonable data collection. The term “reasonable” is similarly used in the GDPR and occurs widely across the GDPR document, 52 times.
Regarding data collection, the further provisions of the platform providers, Apple and Google, shall be added.
The remaining principles of “security” and “accountability” shall be mentioned. Regarding security, Apple and Google provide support documents, that shall be linked.
- European Parliament and Council: "Regulation 2016/679 (General Data Protection Regulation)"
- European Parliament and Council: "Directive 2002/58/EC (Directive on privacy and electronic communications)"
- Article 29 Data Protection Working Party: "Opinion 02/2013 on apps on smart devices"
- Google LLC: "Google Play Developer Distribution Agreement" (version 15 April 2019)
- Google LLC: "Google Play Developer Program Policies" (accessed 20 June 2019)
- Apple Inc: "Apple Developer Program License Agreement" (accessed 20 June 2019)
- Apple Inc: "App Store Review Guidelines" (version 3 June 2019)
- The documentation of the top 18 third-party services in apps, from 10 different companies.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.