Table 4.
Considerations when developing a GDPR compliant app for research purposes.
| # | Consideration |
|---|---|
| 1 | Conduct a data protection impact assessment to ensure that all risks are identified, assessed and mitigated |
| 2 | Determine which data protection regulations are applicable based on the locations of all data collection and data processing sites involved |
| 3 | Create a data management plan |
| 4 | Create a data sharing agreement |
| 5 | Create a data processing agreement |
| 6 | Search for app developers who have expertise in developing and hosting apps in compliance with the GDPR |
| 7 | Sign a non-disclosure agreement with the app developers and a contract that ensures that one retains ownership of the app, intellectual property and data |
| 8 | Develop the app on an open-source platform rather than a proprietary/exclusive platform; this will allow one to more easily transfer the app development/support to another service provider in future should it be required |
| 9 | Develop an electronic informed consent for the app; in the app the app user must be able to view and download/print this document |
| 10 | Develop a privacy policy for the app; in the app the app user must be able to view and download/print this document |
| 11 | Develop terms of use for the app; in the app the app user must be able to view and download/print this document |
| 12 | The first step in the app is to have prospective app users read and agree to the electronic informed consent, privacy policy, and terms of use. Only once app users have provided this consent can any app user registration and other data be captured |
| 13 | The app should be password protected |
| 14 | The app and data administration panel must implement the necessary encryption protocols and strategies for data protection and security |
| 15 | App users must be able to control, access and delete all of their own app data on the mobile device and the storage servers |
| 16 | Multifactor authentication must be implemented for all means of accessing captured/stored data via the app data administration panel or secure cloud storage solution |
| 17 | Ensure that the location of the app hosting servers and the applicable data protection legislation in that country/state/region meet the requirements for GDPR compliance |
| 18 | Retain separate staging (testing) and production environments of the app data administration panel; this way all ongoing iterative development and testing can be done in the staging environment without affecting the app and live data in the production environment |
| 19 | Ensure that only the data controllers/processors have access to the live (real person) data in the production environment. If support is required from an app developer, server manager, or other third party, ensure that a sufficient data processing agreement has been signed by all parties involved |