GDPR: What to keep in mind when developing or deploying apps for research?
If you are going to develop an app (mobile, web or software application) that will collect and process personal data in the context of or as part of a research study, you as the researcher must ensure that the app and its use are compliant with the General Data Protection Regulation (GDPR).
How to develop a ‘GDPR-compliant’ app?
Being 'GDPR-compliant' first and foremost requires developing the app correctly, based on the principles of 'privacy by design' and 'privacy by default'. This means that, starting in the design phase of the app, you think about the necessary measures to ensure the privacy and data protection principles are met from the start ('privacy by design'). Examples of such measures include applying pseudonymisation (replacing identifiable personal data with pseudonyms) and encryption (a method that makes data unreadable using certain algorithms).
You should also build the maximum degree of data protection into the default settings for your app ('privacy by default'). This ensures that the privacy of the app's users is protected from the beginning of the study, without requiring any extra effort from the users.
In addition, the other basic principles of the GDPR must be followed.
Developing a ‘GDPR-compliant’ app therefore starts with you.
The following questions might help guide you:
Design of the research / study set-up
- Do you really need personal data? If personal data are not necessary, you should use anonymous data or not collect personal data at all.
- What personal data do you strictly need to achieve the research goal (data minimization)? Try to limit the collection of data to only those personal data that contribute to answering the research question.
- Do you need ‘raw’ personal data, or can you work with pseudonymized data (after collection of the personal data)?
- How will personal data be pseudonymized and/or anonymized, and when? This can be done at the start of data processing or later in the process.
- Does the way in which you will process personal data entail risks for the data subjects? For example, will you collect sensitive personal data? Will you collect personal data from vulnerable persons or minors? Will the data subjects be monitored systematically...?
- What legal basis do you rely on to process personal data?
- Have you created a GDPR record to register the processing of personal data (in DMPonline.be)?
Information- and consent letter, privacy statement
- Are app users adequately informed in advance about data collection, the purpose of the processing of personal data and their rights (transparency)?
- How will you inform users? Is there an invitation to use the app? Is there an information letter, email or page in the app? Is there a project/app-specific privacy statement?
- When invoking the legal basis "consent" to collect and process personal data, how will you obtain consent (for example, in the app itself)?
User access and control
- How does user authentication and authorization take place and what personal data are collected and/or stored in the process? Can the users use the app in an anonymous way (e.g. without a link to the natural person, without storage of the IP address…)?
- Are web analytics used to monitor user behavior (e.g. Google Analytics)? Are cookies used? Is a cookie banner provided that’s in line with the UGent guidelines?
Data storage and transfer
- Is the data collected in the app securely transferred and stored (information security)?
- Is the user's IP address or other identifying data used to link data during or after data collection? Will this identifying data be deleted after data collection?
- What happens to the data after data collection (data transfer, data analysis)? Will the data be shared with other researchers or parties? With whom and for what purposes? In what form will this occur (pseudonymized or anonymized)? If other researchers or parties (i.e. non-UGent) are involved, what are the roles of these parties and their different responsibilities, and have the required agreements been set up? To this end, contact the UGent TechTransfer legal team.
Use of external (cloud) platforms
- Where will the app be installed? On which server? Centrally offered by UGent or not, in the cloud?
- Is this external platform hosted inside or outside Belgium or even outside the EU?
- Where will the data be stored? Locally on a UGent server or in a cloud solution or platform? Inside or outside of Belgium? Inside or outside the EU?
Data subject’s rights in accordance with the GDPR
- Do you need additional mechanisms for users to access, modify or delete their data?
- How can participants withdraw their consent, view their data or even have their data deleted?
Make sure that you have taken appropriate and sufficient measures to collect and process the personal data in your app securely and in line with the GDPR. Consider data minimization, data protection and transparency.
Keep in mind the following concerns:
- Only collect those personal data that are necessary to achieve the research purpose.
- Inform users about the app and the underlying processing of personal data; do so before any data is collected.
- Take into account cookies and trackers, tracking pixels, plug-ins... in your app. These too can process personal data.
- Enter into correct (processing) agreements with external service providers (app developers, ...). To this end, contact the UGent TechTransfer legal team.
- Make sure personal data is encrypted as much as possible and inform users about this.
- Register your data processing and app for use in the GDPR-record of UGent (via dmponline.be).
Last modified Jan. 16, 2023, 3:48 p.m.