Updated: Jan 21, 2020
By Avishag Sterngold | Founder & Chief Design Officer
HOW TO PROTECT THE CUSTOMER’S PRIVACY WHILST FIXING PROBLEMS IN A MOBILE APP?
This blog is not intended as legal advice
Are you the type of person who likes everyone to know everything about them? Or are you the type who is careful that all information about them is deleted?
The truth is that it’s not so important which group you belong to - what’s more important is that you are one of those who understands that mobile logs contain important information which is gathered from the user – and it’s not just ‘any’ information.
According to the European GDPR law it is forbidden to collect data on your customer for no particular purpose – and rightly so.
Information collected in logs is intended to improve the quality of use of the mobile app. The information in the logs enables the correction of problems in the app without the user having to contact the app owner. While the app is being used, the programmer receives a list of logs.
WHAT IS GDPR?
GDPR: General Data Protection Regulation.
GDPR is a regulatory document of the European Union which incorporates permanent laws for the protection of privacy. It is a collection of directives which protects the user regarding collecting, storing and processing personal data about him.
WHAT INFLUENCE DOES THE GDPR DOCUMENT HAVE ON THE LOG SYSTEM?
As you know, mobile app logs are collected from the user’s devices to cloud storage and disclose his personal data. Just as it is forbidden to collect irrelevant data, so it is also forbidden to collect obsolete irrelevant data for no purpose. In other words, the law affects what is allowed and what is forbidden to write in the logs, and the frequency of deleting the logs.
Does GDPR force me to work without a system of logs or crash reporting tool?
How is it possible to work with logs management without breaking the laws of GDPR?
What needs to be in a logger platform in order to remain within the laws of GDPR?
WHAT ARE THE MAIN RIGHTS OF GDPR WITH REGARD TO LOGS?
THE RIGHT TO TRANSPARENCY - about the data that was collected about them and the purpose of its processing. Inform the user that data was collected about him in order to identify problems and correct them during his use of the app. Also inform him that this information was passed on to a third party for this purpose.
THE RIGHT OF ACCESS - what information about him was stored. When a customer asks for the information you stored about him, make sure you have used a platform which allows you to gather all the information that was obtained from the logs which were collected from the user.
THE RIGHT TO BE FORGOTTEN (THE RIGHT TO DELETE) - the data about him that was stored. It is the right of every user to ask you to delete all the stored data about him. Make sure that the log system you use has a simple mechanism for deleting: a system that allows you to delete the data of this specific user. Check that this deletion is done without harming the logs which were collected about other users.
THE RIGHT TO OBJECT TO PROCESSING - information about him. It is the right of any specific user to limit the collection and processing of data about him. Check that the log system allows you to immediately stop saving future logs about this particular user.
INFORMATION PROTECTION BY DEFAULT - Never include the user’s personal information, e.g. credit card details and passwords, in the log.
Let’s go back to the questions that were asked at the beginning of this article.
Does the GDPR document force me to work without a system of logs or crash reporting tool?
The opposite! Logs are necessary to deal with problems in the app. The GDPR laws help you to protect the end user and encourage you to keep ethical work rules, e.g. maintaining clean logs without personal data (the right to data protection by default).
How can you work with logs without breaking the GDPR laws?
You must inform the user in a ‘privacy’ document that you are collecting data from him in order to correct any problems (the right to transparency).
If the user asks to be ‘deleted’, then delete all the logs you have about him (the right to be forgotten).
If the user asks to receive all the data you have on him, send him a list of the logs you have on him (the right of access).
If the user asks you to stop collecting data on him, stop storing data on him (the right to oppose processing).
Be careful not to include personal information in the logs, e.g. passwords, bank details, credit card details, personal health details (information protection by default).
It’s forbidden to store old logs which are out of date and have no use - there are log systems with weekly or monthly automatic deletion mechanisms.
What has to be included in the log system in order to obey the laws of GDPR?
A system which enables you to collect data from a specific user (the right to know).
A deletion system for each specific user, data from the past and the present (the right to be forgotten).
A system which halts future data collection (the right to object to processing).
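The three capabilities listed above, together with the "no personal details in the log" and "delete out-of-date logs" rules, shown as an added example (not code from this article or from any particular logging platform). The `UserLogStore` class, its method names, the redaction patterns and the 30-day retention default are assumptions made for illustration; the in-memory list stands in for the platform's cloud storage.

```python
import re
from datetime import datetime, timedelta, timezone

# Coarse, constructed patterns for values that must never reach a log line.
_SECRET = re.compile(r"(?i)\b(password|passwd|pwd|cvv)\s*[=:]\s*\S+")
_CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators


def redact(message):
    """Protection by default: mask passwords and card numbers before storing."""
    message = _SECRET.sub(lambda m: m.group(1) + "=[REDACTED]", message)
    return _CARD.sub("[REDACTED-CARD]", message)


class UserLogStore:
    """Hypothetical log store; every entry is keyed by the user it came from."""

    def __init__(self, retention_days=30):
        self.retention = timedelta(days=retention_days)
        self.entries = []        # (user_id, timestamp, message) tuples
        self.opted_out = set()   # users who objected to processing

    def write(self, user_id, message, now=None):
        if user_id in self.opted_out:      # right to object: drop future logs
            return False
        now = now or datetime.now(timezone.utc)
        self.entries.append((user_id, now, redact(message)))
        return True

    def export_user(self, user_id):
        """Right of access: everything stored about one user."""
        return [(ts.isoformat(), msg) for uid, ts, msg in self.entries if uid == user_id]

    def erase_user(self, user_id):
        """Right to be forgotten: delete one user's logs, leave the others intact."""
        before = len(self.entries)
        self.entries = [e for e in self.entries if e[0] != user_id]
        return before - len(self.entries)

    def stop_collection(self, user_id):
        self.opted_out.add(user_id)

    def purge_expired(self, now=None):
        """Retention: delete logs older than the retention window."""
        now = now or datetime.now(timezone.utc)
        cutoff = now - self.retention
        before = len(self.entries)
        self.entries = [e for e in self.entries if e[1] >= cutoff]
        return before - len(self.entries)
```

Because each entry carries the user id it belongs to, access, deletion and opt-out are simple filters; a log format without that key cannot satisfy a per-user request without touching other users' logs.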
Mobile apps collect private information from the user. Logs help to improve the quality of the device and the user’s experience quickly and efficiently. That is why logs are definitely data which is both permitted and worth collecting from the user. Logs which are out of date and have no use must be erased and not be stored for no purpose.
Before writing a log always ask yourself – what information am I allowed to write in the log?
Never include information such as credit card details and passwords.
Make sure to use a system which complies with the laws of GDPR. Always delete data about a specific user whenever he asks. Don’t forget to tell the user that you are collecting information about him in order to correct problems. People appreciate problems being solved before they have a chance to complain.