Franchise

Top tips for app developers in light of the new code of practice for app store operators and developers

The Department for Culture, Media and Sport (DCMS) and National Cyber Security Centre have collaborated to produce a voluntary code of practice for app store operators and developers.

Whilst the code focusses heavily on app store operators, it also contains obligations for app developers.

The code aims to ensure customers are protected from online threats, to reduce the threats posed by maliciously or poorly developed apps and to set out minimum security and privacy requirements for apps. So, what should developers do to comply?

  • Ensure the baseline security and privacy requirements are met: Developers should not request permissions from users which are not functionally required for the app and should ensure that the primary function of an app will operate even if a user chooses to disable its optional functions and permissions. There is a requirement to ensure the app adheres to security requirements, data protection by design and the broader requirements set out in data protection law. The developer should have processes in place to update the app and monitor for vulnerabilities and ensure a simple uninstall and data deletion process is available to users. Industry standard encryption should also be used.
  • Ensure information about the app’s security and privacy settings are displayed to the app user. The information to be displayed includes the purpose for which personal data is processed, where data is stored, shared and processed, when the app was last updated, information on the privacy and security measures in place, a list of stakeholders who are given access to personal data and when and why an app is to be made unavailable. Developers will be sharing much of this information already as part of their obligations under UK GDPR, so this should not impose much of an additional burden.
  • Ensure a vulnerability disclosure process is in place, i.e. a process by which a vulnerability in an app can be reported to the app developer. There is no prescriptive process, but there is an indication that apps which have a large number of users or significant security requirements should have a robust process in place.
  • Update apps straight away when vulnerabilities are discovered.
  • Ensure appropriate steps are taken (in accordance with data protection law) when a data breach arises. The code promotes information sharing between app store operators, developers and third-party developers on the basis that a data breach may affect more than one party and requires operators and developers to provide users with information on how to protect themselves if their data is involved in a breach.
  • Consider getting compliant with the code and publicising the fact! This is being encouraged by DCMS, who will work with developers to check on compliance.  As many of the requirements are already existing obligations under data protection law, compliance with the code, could be a good way to make your organisation stand out as one that is privacy focussed!

Find the full text of the code here.

Share:

Facebook
Twitter
Pinterest
LinkedIn

Related Posts

Don't just take our word for it
"We have been working with HelloDPO for several years now and I have always found them to be friendly, approachable and above all professional in their approach. I would have no hesitation in recommending them."
Serena MayDirector, Southern HR Ltd
Serena May
"We have been working with HelloDPO for several years now and I have always found them to be friendly, approachable and above all professional in their approach. I would have no hesitation in recommending them."
Serena MayDirector, Southern HR Ltd
Serena May
“We have worked with Jenai, Alison and the HelloDPO team for over 5 years as our DPO and have found their advice and support invaluable. They are pragmatic and flexible in the advice they provide, and assist in making data protection compliance apply in a corporate environment. Working with them is like having additional members of our team, and the relationship has flourished over time."
Craig SaundersHead of International Privacy, Aetna Global Benefits (UK) Ltd
Craig Saunders
“The team (Jenai and Lisa) provided DPO services and compliance support to our business for over a year, during which they consistently delivered high quality advice and excellent client service. The demands of the hospitality industry are high and HelloDPO adapted to this quickly and seamlessly – they are responsive, knowledgeable, and pragmatic. They are also a pleasure to work with.”
Frasers Hospitality (UK) Ltd
“We have been working with HelloDPO for nearly a year. The team have been great to work with, highly professional and flexible. Most importantly, they have given clear advice and guidance in what is a very complex area. Well done and we look forward to continuing working with you!”
Ruth HidalgoDirector, Chartered Accountants Worldwide
Ruth Hidalgo
“The HelloDPO team have led us patiently through the intricacies of GDPR over the years, helping us to navigate a careful path to ensure understanding of the rules and therefore compliance with them. HelloDPO are a pleasure to work with and I’d have no hesitation in recommending them to others looking for good, commercial advice in this complex area.”
Sanjay PatelFinance Director, Cadogan Group Limited
“We have recently engaged HelloDPO and the team, led by Jenai, has been responsive, practical and generally very helpful when dealing with our data protection queries. We look forward to what’s on track to becoming a great working relationship!”
Federica CozzaniSenior Legal Counsel, Compre Group
Federica Cozzani
“If you’re looking for trustworthy, pragmatic and diligent legal advisors, say Hello(to)DPO! The team has been a great support to Skyscanner on a broad range of privacy and data protection matters, whether advising at a compliance level or on more acute legal issues. You’ll enjoy considerate, timely and helpful advice, provided by professionals with whom it’s a delight to work.”
Gemma WithamDirector of Legal (Privacy), Group Privacy Officer, Sykscanner Limited
Gemma Witham
“Jenai and Emma are amazing to deal with. They strike the right balance between understanding the business needs while doing it’s fiduciary duty to ensure we are on the right track from a legal, ethical and moral perspective. Working with HelloDPO’s guidance over the past 2 years has enabled X-Mode (now known as Outlogic) to be able to navigate complex and at times uncertain waters with GDPR in a strategic and ethical manner.”
Joshua AntonCEO, Outlogic
Joshua Anton
“A great bespoke service, delivered flexibly by absolute experts in a friendly, collaborative and accessible way. I cannot recommend more highly!"
Clare RussellInterim Head of Legal, Vue UK & Ireland
Clare Russell
“HelloDPO have been brilliant at getting our data compliance into shape. We have come such a long way in our ways of working and they are always on hand to help when we have complicated or urgent issues – they have simply become part of the team."
Josh TowbHead of Business Transformation, Jigsaw
Josh Towb
“The HelloDPO team have provided Channel 4 with a wide range of data protection advice over the years. Alison is always delightful to work with, and her advice is pragmatic and set within a commercial context, which is particularly helpful. HelloDPO runs regular DP Confessionals, which provide our team with a valuable wider industry view and a sense of issues which other organisations are struggling with, and the ways in which they are approaching them."
Rebecca MillerChannel 4
Previous
Next

Subscribe to our privacy news and legislation updates

Subscribe now

We are here to make our data-driven world a more equitable and ethical place to live, work, and thrive by pragmatically balancing our clients’ commercial ambitions with every individual’s right to privacy.

Linkedin
Navigation
Legal & compliance
HelloDPO Law Logo
© 2024 HelloDPO. All rights reserved. The use of any material on the website without our prior written consent is strictly prohibited.

Website developed by Bowler Hat

Data Protection; Demystified