GDPR and AppCreator

This article covers what the EU's GDPR is about, as well as the features and capabilities of AppCreator that can help you build GDPR-compliant custom apps.

What is GDPR?

The European Union (EU)'s General Data Protection Regulation (GDPR) is a revolutionary regulation that came into effect on the 25th of May, 2018. It aims to harmonise the data privacy laws across the EU, and (in particular) protect the rights of residents of the EU with regard to the processing of their personal data. It recognises the data privacy rights of EU residents, and lays down rules relating to the processing of their personal data. At its core, the GDPR aims to give EU residents full control over their personal data.

What is personal data?

In the context of GDPR, personal data is any data that can directly or indirectly identify a natural person. This includes, but is not limited to: name, address, phone number, email address, IP address, traveling habits, and photos.

When and where does GDPR come into play?

GDPR applies to any activity that collects or processes the personal data of EU residents. It does not matter whether the activity takes place inside the EU or not, and thus the GDPR has a global reach.

Why be GDPR compliant?

The EU's GDPR came into effect on the 25th of May, 2018. It is legally binding. The concerned Supervisory Authority (as defined by GDPR) would levy penalties on a non-compliant person or organization, costing up to 20 million Euros or 4% of their annual worldwide turnover from the preceding year, whichever is higher. Fines are levied for two reasons:

  • A deterrent, so that Data Controllers and Data Processors act responsibly, and adhere to GDPR's guidelines
  • A compensation for the persons who have suffered material or non-material damage as a result of an infringement of GDPR

Key roles that GDPR identifies

  • Data Subject: A resident of the EU from whom, or about whom, data is collected and/or processed
  • Data Controller: The person or organization that defines the purpose and means of collecting and processing data
  • Data Processor: The person or organization that processes the collected data on behalf of the Data Controller

When you use AppCreator to build an app:

  • The natural persons that you collect data from (the users that you share your forms with, for instance) are the Data Subjects
  • You act as the Data Controller for all the apps in your workspace
  • AppCreator is the Data Processor

AppCreator's GDPR readiness

Addressing rights of Data Subjects

The following are the Data Subject Rights that GDPR extends, and this is how AppCreator helps you address them in your apps:

Right to be informed: Add an add notes field to your form

The Data Subject has a right to be informed on how their personal data was, is, and will be processed. By adding an add notes field to your form (next to the fields in which you're collecting their personal data), you can explain why you need said data, what you will be using it for, and how it will be processed. You can also insert a hyperlink (in the note) to your organization's privacy policy.

Right to access, and right to erasure: With their right to access, a Data Subject can demand that Data Controllers furnish the following: the personal data (of the Data Subject) that was collected and processed, how it was obtained, how it is processed, and with whom it was shared. This covers all the details from the point of collection to the point of disclosure.

With their right to erasure, the Data Subject can demand that Data Controllers erase all their personal data, subject to certain conditions.

The Data Controller must comply with these requests.

Right to rectify: Users have the capability to modify their records through access to the relevant reports

The Data Subject holds the right to promptly request access to edit their records from the Data Controllers. This includes rectifying any inaccurate personal data concerning them and ensuring completion of any incomplete data point.

Right to object to processing of their personal data: Add a decision box to your form.

Use separate decision box fields to capture the Data Subject's consent to process their personal data, and define your workflows such that these permissions are checked before the data is processed. To give or take away their permission, the Data Subject can simply update the relevant decision box field accordingly.

Right to data portability: Data submitted by your users can be exported as spreadsheets and PDFs

The Data Subject has a right to receive all their personal data, submitted to the Data Controller. To do this, users can simply export their records from reports.

Implement some best practices

You can leverage the features and capabilities of AppCreator to implement the following in your apps:

Denote fields that contain personal data: The Contains personal data field property lets you define whether the concerned field is one in which your users will be entering personal data.

Encrypt data: Upon enabling this field property, the data your users enter in that field will be stored in an encrypted format.

Getting consent: Data Subjects have a right to be informed on why your app, or a form in your app, is collecting data, and how it will be processed. Also, as a Data Controller, you may need to show if your users gave their consent for this. Here's how you do it:

If consent is required along with the data a form is already collecting, then add an add notes field (which will display information on why you need to collect certain data points, and how you will process them), and a decision box field (marked mandatory) that lets your users give their consent.

If consent is required on the app level, add a new form and use the combination of add notes and decision box fields as given above.

To let your users know what they consented to, you can send them an email saying they've given their consent (and copy-paste the add notes field's content in the email's message).

Provision a double opt-in mechanism for your form or app: Double opt-in is a widely used mechanism to get the intended audience to confirm before proceeding. You can put in place a double opt-in before you let your users access any form in your app. Here's how you do it:

Add a new form to your app, which contains an add notes field (where you can add whatever information you want your users to know), an email field (to which you'll send an email) and a decision box field (to capture whether your users consent to receiving an email).

The email you send on form submission must contain the link to your intended form.

How does AppCreator help you achieve GDPR compliance?

AppCreator ensures secure communication through HTTPS, and protects personal information by encrypting it before storing it within our databases or systems. Alongside standard security measures, users have the option to obscure custom fields as PII.

AppCreator manages user accounts by allocating permissions to specific user groups. This system restricts access to administrative functions, ensuring that only authorized users can interact with, modify, or remove personal data within the system.

AppCreator provides a feature called audit trail, designed to monitor alterations within your application data. This includes the history of changes made to records, print and export actions, detailing when, by whom, and the extent of data modifications. This serves as documentary evidence for the sequence of activities in your application records and reports.

As an on-premise solution, AppCreator grants end-users the freedom to delete their personal data. Users have the option to back up or export essential information from their database prior to uninstalling the product.

Additionally, the on-premise setup ensures that the customer has greater assurance and peace of mind, as the data remains within their physical control, unlike when stored on the cloud.
