Introduction
Going into effect May 25th, 2018, the General Data Protection Regulation, or GPDR, requires all companies collecting, storing or using PII data to conform to privacy by design best practices.
Within the context of GDPR, App47 acts as a data processor for PII information that you may or may not collect within the European Union (EU). Customers of App47 are in turn the data collectors. Depending on what type of customer you are for App47 may require you to perform one or more actions.
As always, feel free to email support@app47.com with any questions you have regarding this important regulation.
To best determine how best to respond to GDPR, please read below to match your use case.
Use Cases
Portal Administrators
User, application, group or overall administrators of your App Store will use their email address to log into the App47 portal. This email along with their name falls under Personally Identifiable Information (PII). Additional identifiable information is not captured nor stored.
There is nothing to be done with respect to administrators, however rest assured that App47 follows best practices and encrypts all data at rest and in transit, following least privilege access controls for support staff and employees of App47.
B2E Business to Employee
Using App47's enterprise App Store to distribute public, private and web application directly to your employees, third party consultants and in some cases to customers. In each case, private applications will be signed with an In House Certificate for iOS and private key for Android and installed directly from the App47 Enterprise App Store.
Relative to GDPR, App47 users have an existing relationship with your organization and do not directly fall in line with the "intent" of GDPR. That being said, if a user wishes to not receive emails from App47, you can edit their settings to not receive any emails from the enterprise App Store. Please see Edit User for more information. Note: this will prevent the user from receiving upgrade notices along with any additional emails you send from the account.
The use of the enterprise App Store only collects name and email address. Whilst these are certainly considered PII information, additional identifiable information is not captured nor stored.
Optionally, you may elect to install the App47 agent into your enterprise apps. This may be done for several reasons, crash log reporting, analytics, or security control.
Although data analytics is anonymized once received from the agent, crash logs are mapped to users and kept for 30 days. The mapping of users to crash logs is only possible if the app is distributed via the enterprise App47 App Store. Your existing contracts with employees and 3rd party consultants should cover data privacy and collection of personal information.
In general, care should be taken when creating log entries to not collect additional PII information relative to the user. Although the log entry will expire after 30 days, it is best practice to NOT store PII information in log data, instead using an Pseudonymization technique to map the log back to a user.
Lastly, security controls perform a mapping between a device, application and user. However, no PII information is stored as a result of this feature.
Summary - Ensure your existing contracts with employees, 3rd party consultants and if used for customer distribution, cover the collection of name, email at a minimum. If using the App47 agent (or app wrapper), include language for the collection and retention of crash log information for 30 days.
B2C Business to Consumer Analytics Only
Using App47 platform for analytics and log data limits (but not eliminates) the exposure to GDPR as the app will be distributed via a public App Store such as Google Play or Apple iTunes.
As App47 is not the distribution mechanism, all analytics and log data are anonymized and no user information is captured. However, best practice is to notify the user of such data capture, data retention and provide an option to opt out. This should be done at the app level.
In general, care should be taken when creating log entries to not collect PII information relative to the user. Although the log entry will expire after 30 days, it is best practice to NOT store PII information in log data, instead using an Pseudonymization technique to map the log back to a user.
Summary - Ensure your application provides privacy information regarding the capture of analytics and logging data. Data retention for logging and raw analytical data is 30 days. Most importantly, applications must allow the user to opt out to be GDPR compliant.
eCommerce or Embedded Digital Products
Using App47 to provide an embedded App Store for your digital product is a bit more involved than the two cases listed above. Please contact support@app47.com to schedule some time to walk through your use case and how best to comply with GDPR.
Comments
0 comments
Please sign in to leave a comment.