Overview

This article provides a description of the General Data Protection Regulation (GDPR) and how Bizness Apps helps handle it.

Information

The General Data Protection Regulation (EU) 2016/679 (GDPR) is the new European privacy law that will go into effect on May 25th, 2018. The GDPR will be replacing current Directive 95/46/EC, and its goal is to protect users’ personal data. By increasing the regulatory requirements regarding data collection, processing, consent definitions, personal rights and more the GDPR is a great step forward for individuals in the EU and abroad. It brings a large impact on businesses all over the world. 

Complying with the GDPR

You are required to comply with the GDPR if your business is located in the European Union (EU). If your business is located elsewhere, you still need to comply if you are handling personal data in connection with a business establishment you have in the EU, if you offer goods or services directly to individuals in the EU or if you monitor their behavior, e.g. by tracking them on the Internet. 

If this does not apply to you, we still recommend complying with the GDPR, as it is very likely laws and policies all over the globe will begin to introduce very similar requirements.

It is recommended work with legal professionals to ensure your exact application is compliant with all of the GDPR's scope and requirements.

Bizness Apps has been working towards GDPR compliance for a long time, mostly behind the scenes. There is a list of the changes you will need to be aware of for GDPR compliance.

What Bizness Apps is doing to ensure GDPR compliance

• Research all aspects of our product and business for potential impacts from the GDPR.
• Work with outside attorneys that specialize in the GDPR for all aspects of our compliance efforts.
• Update our Privacy Policy with an optional GDPR supplement and implement data processing agreements where necessary.
• Update our Terms of Service.
• Implement a strategy for software and engineering upgrades for optimal GDPR compliance
  • Improve our Data processing, added security throughout.
  • Record keeping of app customer consent.
  • Update CMS with proper tools for our partners to complete personal data requests from users.
  • Update Mobile source code to 50.2. 
• Finalize and communicate our full compliance - TO BE ANNOUNCED

Apple released an update on the 22nd of January stating that all apps that allow for account creation must also allow users to initiate deletion of their account from within the app.

The mobile apps already have a delete function. Following is the list of all data deleted:

- Personified analytics
- Access tokens
- User comments
- User statistics
- Fan wall data
- Emails sent to the user
- User device tokens
- Device token push keys (push notification keys)
- Login metadata (such as OAuth tokens and encrypted password content)
- Loyalty points
- User reviews
- Cached user metadata
- Cached session data

We want to make complying with the GDPR as easy as possible and have been creating some new tools to help our partners and customers in this effort.

Let us take a look at a summarized list at these changes.

• Changes with the CMS GDPR update: We will be building tools for you to complete the following requests.
  • Right to be forgotten: Delete option to the Customer List that will permanently delete all of a customers data
  • Right to rectification: Already implemented with North Park. 
  • Right of access: Improved personal data export tools in the Customer list.
  • Right of portability: The previously mentioned data can be exported in a usable format.

• Changes with the North Park 50.2 GDPR Source Code
  • New customizable consent screen to display on app launch and available in the app settings page.
  • Refactored our point and geofence push notification features so all location information is handled locally on the users own device.
  • We have removed the ‘Nearby’ location portion from the Fan Wall v2 feature. 
  • Users can now delete any of their comments/posts made throughout the application.

• Other information you should know
  • Sensitive personal data, such as health information or information that reveals a person’s racial or ethnic origin, will require even greater protection. You should not store data of this nature within your Bizness Apps account or application.
  • If you chose to use your own Privacy Policy and Terms of Service, you need to be sure that you are keeping a record of any changes you make. In accordance to GDPR you need to be able to prove what information your users were provided with or, depending on the circumstances, were consenting to when you collected their information or they used your app at a specific date. That means if you make iterations over time you must keep dating records of each version.
  • If you are using third party software inside the app through integrations or web views that collects or processes personal data, you will need to add this information to your custom Privacy Policy and add proper consent. For example, if you are using an email marketing integration and receive a request to forget a users account, you will need to both delete the user in the CMS and process the deletion from the third party software such as MailChimp. 

For those who do not wish to comply with the GDPR, it is recommended to remove your application from the EU.

To learn more about the GDPR, please refer to the following sites:

• GDPR FAQs.
• GDPR (intersoft consulting).

Frequently asked questions

• What is the GDPR?

The General Data Protection Regulation (GDPR) is a significant piece of European data protection legislation for the European Union (EU) replace the 1995 Data Protection Directive. The GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on handling data.

• When do I need to comply with the GDPR?

The GDPR goes into effect on May 25, 2018.

• What rights will data subjects have under the GDPR that apply to my Bizness Apps application?
  • Right to be informed - Entities must be transparent in how they are using personal data and must inform data subjects of this.
  • Right of access - Data subjects will have the right to know what personal data is held about them and how it is processed.
  • Right of rectification - Where reasonably possible, data subjects will be entitled to have personal data rectified/edited if they feel that it is inaccurate or incomplete.
  • Right to be forgotten - Data subjects have the right to have their personal data permanently deleted upon their request and they do not have to provide a reason for the request.
  • Right to data portability - Where reasonably possible, data subjects have the right to retain and reuse their personal data for their own purpose.
  • Right to object - In certain circumstances, data subjects are entitled to object to their personal data being used. This includes if personal data is used for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.

• Who does the GDPR apply to?

As mentioned above, you are not only required to comply with the GDPR  if your business is in the EU. If your business is located elsewhere, you still need to comply if you are handling personal data in connection with a business establishment you have in the EU, if you offer goods or services directly to individuals in the EU or if you monitor their behavior, e.g. by tracking them on the Internet. 

• We are not based in the EU. Do we still need to comply?

Yes, you may still need to comply. Please see the previous question and answer.

• What happens if we do not comply with the GDPR?

If you do not comply, you run the risk of a €20 Million fine or 4% of annual global turnover, whichever is largest. 

• Do we need to appoint a Data Protection Officer?

Chances are no, but seek professional assistance for your specific use case.

• What is the difference between a Data Processor and a Data Controller?

A Data Controller represents the entity that determines the purposes, conditions, and means of the processing of personal data. The Data Processor is the entity which processes personal data on behalf of the controller. 
In your entity’s relationship with Bizness Apps, we are the Subprocessor and you are the Data Processor of your client, the Controller. The end user is the Data Subject. In order to have complete compliance, there needs to be a signed DPA between Bizness Apps and the reseller, as well as a signed DPA between the reseller and the small business client.

Disclaimer: This article is for informational purposes only, and should not be relied upon as legal advice. We encourage you to work with legal and other professional counsel to determine precisely how the GDPR might apply to your organization. The goal of this article is to explain the changes we have made, and the tools we have built for you to help you to become GDPR compliant.