Reviewing business app T&Cs isn’t as fun as it sounds … until it is. Some app developers take their GDPR compliance seriously, while some clearly just want to tick the appropriate boxes and move on. And then there are those that are completely oblivious.
This month, we’ve come across some real howlers while doing a data audit for a client. We’ve uncovered about 70 different apps and websites that this client uses in its business. Each of these apps *should* have GDPR-compliant T&Cs and privacy notices, but few of them do.
The list of apps this client uses is pretty typical – some are among the most widely used apps today. Their approaches to data privacy are… let’s say… not as widely compliant.
Where you live makes a difference.
Some apps try to deal with GDPR by not dealing with it at all. A favourite example:
“[this app is] not GDPR compliant. If you are based in the European Union, you are prohibited from using [this app].”
Nice try. If we can access your app from the EU or the UK, then the GDPR probably applies. This attempt at a cheap and cheerful dodge isn’t likely to work.
An apology isn’t security.
Many apps explain their security features, data storage facilities, and international data transfer safeguards. That’s great.
Some apps prefer to make apologies instead:
“We don’t currently run any external vulnerability scanning tools, but are happy to at the request of a client (costs may apply). We don’t have a formal process for ensuring compliance with security standards, but all servers are updated on a weekly basis. We’re not as big as Google :-).” [happy face emoji is original]
Yes, privacy compliance is challenging and can be expensive. Most app developers don’t find it terribly exciting, either. But being small is no excuse for not securing data properly. And using apps that use this excuse is risky business – when they get hacked, their data breach becomes your data breach in a hurry.
T&Cs can be well hidden.
Larger tech companies can be the worst. Some direct you to the parent company’s website and leave you to wade through dozens of screens of umbrella T&Cs for the whole portfolio. Good luck figuring out if they even apply to the app you’re interested in.
Can you even find the T&Cs?
Investigating over 70 apps for this one client required a fair bit of scrambling just to locate the T&Cs. This is annoyingly common, and in some cases the only way we could see the T&Cs at all was by requesting a copy from the app developer.
Are you reading the latest version?
In fairness, we eventually found the current T&Cs, but it took a bit of work.
“We are GDPR compliant.”
Always our favourite line. We have a short reply to that: “That’s unlikely. Now could you show us your T&Cs and privacy notice please?”
Trust no one.
And just before we went cross-eyed after pages and pages of T&Cs, we came across this little gem:
“[this app] can help when it comes to data transfer and secure communication. This means that all data (including media and files) that you send and receive via [the app] cannot be deciphered when intercepted by your internet service provider, owners of Wi-Fi routers you connect to, or other third parties.
But please remember that we cannot protect you from your own mother if she takes your unlocked phone without a passcode.”