The document discusses the General Data Protection Regulation (GDPR), which takes effect in May 2018 and imposes strict rules and heavy fines on companies regarding the collection and processing of users' personal data. It outlines several principles of GDPR, including the rights to access, correct and delete personal data. The document also provides strategies for app developers to comply with GDPR, such as determining whether all collected personal data is necessary, encrypting data, and informing users about data collection and sharing.
5. What is GDPR?
• European Union regulation on Privacy (more detail later)
• Takes effect May 25th 2018
• Penalties: The greater of €10 million or 2% of global annual revenue
8. What Data is Affected?
• Basic identity information such as name, address and ID numbers
• Web data such as location, IP address, cookie data and RFID tags
• Health and genetic data
• Biometric data
• Racial or ethnic data
• Political opinions
• Sexual orientation
https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html
9. GDPR Principles (1/4)
• "Easier access to your own data: individuals will have more information on how their data is processed and this information should be available in a clear and understandable way."
10. GDPR Principles (2/4)
• "A right to data portability: it will be easier to transfer your personal data between service providers."
11. GDPR Principles (3/4)
• "A clarified 'right to be forgotten': when you no longer want your data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted."
12. GDPR Principles (4/4)
• "The right to know when your data has been hacked: For example, companies and organizations must notify the national supervisory authority of serious data breaches as soon as possible so that users can take appropriate measures."
• ("The 72-hour reporting window that the GDPR requires makes it especially important that vendors know how to properly report a breach.")
https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html
13. New Apple APIs
• Providing User Access to CloudKit Data
• https://developer.apple.com/documentation/cloudkit/providing_user_access_to_cloudkit_data/
• Responding to Requests to Delete Data
• https://developer.apple.com/documentation/cloudkit/responding_to_requests_to_delete_data/
15. Blue’s Suggestions
• I recommend Apple's WWDC privacy sessions for Best Practices on obvious(?) concepts such as transparency, consent, and user control. The videos also cover ways to re-think data collection, trading firehoses for eye-droppers (and/or muddy water). For instance ...
• "Privacy and Your Apps" (2017) https://developer.apple.com/videos/play/wwdc2017/702/
• "Engineering Privacy for Your Users" (2016) https://developer.apple.com/videos/play/wwdc2016/709/
• The first video includes discussion (6:15) of how to back away from raw data in order to get just the information you need.
• The second video has a nice description (14:00) of Differential Privacy: adding noise to collected data.
16. Strategies
• 1. Determine whether the app really needs all the requested personal data
• 2. Encrypt all personal data and inform users about it
• 3. Think OAuth for data portability
• 4. Enforce secure communications through HTTPS
• 5. Inform users about and encrypt personal data from 'contact us' forms
https://techbeacon.com/15-steps-developing-eu-privacy-policy-compliant-apps
17. Strategies (cont)
• 6. Make sure sessions and cookies expire and are destroyed after logout
• 7. Do not track user activity for business intelligence
• 8. Tell users about logs that save location or IP addresses
• 9. Store logs in a safe place, preferably encrypted
• 10. Security questions should not turn on users' personal data
https://techbeacon.com/15-steps-developing-eu-privacy-policy-compliant-apps
18. Strategies (cont)
• 11. Create clear terms and conditions and make sure users read them
• 12. Inform users about any data sharing with third parties
• 13. Create clear policies for data breaches
• 14. Delete data of users who cancel their service
• 15. Patch web/dependency vulnerabilities
https://techbeacon.com/15-steps-developing-eu-privacy-policy-compliant-apps
19. Get Apple’s data on you
• https://www.cnbc.com/2018/04/25/how-to-download-a-copy-of-apple-data-about-me.html