General Data Protection Regulation (GDPR) is the new regulation to protect EU citizens’ personal data, replacing the current directive from 1995 and establishing a single set of rules across the European Union.
GDPR outlines a set of obligations for organizations when it comes to data encryption and storage, specifically around handling personal data as well as record keeping and breach notification.
Failure to meet those obligations can be costly, with fines of up to €20 million or 4% of a company’s total worldwide sales, whichever is greater. Non-European companies don’t escape the reach of GDPR either: a company based outside the EU is required to meet the GDPR requirements if it has even a single European customer.
The point we want to drive home is that the impact of GDPR extends fully to the security of mobile applications as well. How personal data is handled within a mobile application - including games - is critical to compliance with the regulation.
We will dig into two articles that relate particularly to mobile applications.
- Article 25 - Data protection by design and by default
- Article 32 - Security of processing
Article 25 - Data protection by design and by default
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
Our Interpretation: Ultimately, data protection cannot be an afterthought. Tools and technologies are available to protect personal data, whether that is encryption for communication, anonymizing personal information, or protecting data at rest on the mobile device. For mobile applications, taking care to design the application to be secure, minimizing the personal data collected and used, and communicating with external systems in a secure fashion are all needed to meet this requirement.
Article 32 - Security of Processing
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Our Interpretation: This article speaks to the use of technologies to protect personal data, to a level appropriate to the risks presented by processing that data. Mobile applications present unique risks since mobile devices are both connected and portable (they can be lost or stolen). Encrypted communications as well as encrypted storage are required to meet this requirement. Beyond encryption, taking measures to reduce vulnerabilities within your application is recommended to reduce the risk.
Encryption - your application should use SSL/TLS (HTTPS) for external communications. When personal information is communicated, that data must be encrypted. Areas that are easily overlooked include using a valid certificate, ensuring your application does not accept all security certificates, and ideally pinning to a specific certificate so you can be sure you are communicating with the intended server.
Access to personal information on device. Personal information is not just information gathered from a user through forms; it also includes information your app may be accessing on the device, including the phone number, SMS data, photo data, PIM and health data, among others. Be sure your application limits its access to data to the minimum set required to function. If information is to be transmitted off the device, ensure that this is clearly communicated and the user has given consent.
Patch vulnerabilities. Many data breaches are completely avoidable by keeping your application fully patched and not shipping it with known vulnerabilities that can be exploited.
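The certificate advice above, as an added example that is not from the original article or from Mi3: a Python TLS client that shows the "accept all certificates" context an Article 32 review would flag beside a hardened one, and then pins the server's leaf certificate by SHA-256 fingerprint on top of normal chain validation. The host names, pin values and the sample DER bytes are constructed placeholders; mobile platforms expose the same controls through their own networking APIs, which this example does not cover.

```python
"""Added example (not from the original article): a TLS client that refuses
the accept-any-certificate pattern and pins the server's leaf certificate by
SHA-256 fingerprint.  Hosts, pins and sample bytes are constructed."""
import hashlib
import hmac
import socket
import ssl


class PinMismatch(ssl.SSLError):
    """Raised when the presented certificate matches none of the pinned fingerprints."""


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(der_cert: bytes, pinned_fingerprints) -> bool:
    """True if the certificate's fingerprint is in the pin set.

    Several pins are accepted so a backup certificate can be pre-pinned before
    rotation; pinning a single leaf with no backup breaks the app when the
    server certificate is renewed.
    """
    fp = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(fp, p.lower()) for p in pinned_fingerprints)


def insecure_context() -> ssl.SSLContext:
    """The 'accept all certificates' pattern, shown only for contrast."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # no host name check (must be disabled first) ...
    ctx.verify_mode = ssl.CERT_NONE   # ... and any certificate is accepted
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Default-secure context: system trust store, host name checked, TLS 1.2+."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Audit check: does this context reject an attacker-supplied certificate?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def connect_pinned(host: str, port: int, pinned_fingerprints,
                   timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection, then enforce the pin after normal chain validation.

    Chain validation runs first (hardened_context), so pinning narrows the set
    of acceptable certificates instead of replacing the trust checks.
    """
    ctx = hardened_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)
        if not check_pin(der, pinned_fingerprints):
            raise PinMismatch(
                f"{host}: certificate fingerprint {cert_fingerprint(der)} is not pinned")
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate; a real app reads it from the peer.
    sample_der = b"\x30\x82\x01\x00constructed-sample-certificate"
    pins = {cert_fingerprint(sample_der)}
    print("pin matches:", check_pin(sample_der, pins))
    print("insecure context safe?", context_is_safe(insecure_context()))
    print("hardened context safe?", context_is_safe(hardened_context()))
```

In a real deployment `connect_pinned("api.example.invalid", 443, pins)` would be called with pins taken from the operator's own certificates, with at least one backup pin included so a routine certificate renewal does not lock users out.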
What Can You Do?
Take the time now to understand how your application collects and uses personal data. Ensure you are meeting the requirements to encrypt data communications and the storage of personal data, and keep audit records. Lastly, maintain and patch your applications regularly so you are not exposing users to unnecessary vulnerabilities. Mobile security tools such as MI3 RECON can help you understand and highlight potential risk areas.
GDPR is coming quickly and will be enforced from May 2018.