App development – Best practice #3: security and privacy
When developing your application, security and privacy are essential. But how do you implement them without affecting your users' experience? How do you comply with the legislation without turning your customer journey into a real nightmare?
Discover 3 key points to deliver a secure and functional app.
Since the GDPR came into application in May 2018, the general public has become particularly sensitive to issues involving the confidentiality of personal data. No one wants to see their data used without their consent, and yet many applications need to capture this data to provide an exemplary and personalized service.
A pretty telling example is the limited success of the search engine Qwant, whose motto is “to offer a respectful alternative to privacy”. The French start-up struggles to win over users, for whom Google’s approach is much more effective, and for good reason: the American browser feeds daily on everyone’s data, in order to propose search results almost “made to measure”.
It is therefore in this slightly schizophrenic context that you must operate. Here are the 3 key points you need to focus on if you want to respect both privacy and regulations while keeping your service/offer (and more broadly the experience) impeccable for the user.
1 – Define sensitive data
The first question to ask when developing an app is: which user data does my business actually need? The time when a business could ask its users for any information without them asking questions is over: more and more people are reluctant to give more than their e-mail address and their name to a service they don’t know. Long and tedious forms are obsolete, because of a general mistrust around privacy issues, but also because they have become obvious obstacles to a simple and clear experience.
How many applications have been deleted (or never used) from the first moment, for the simple reason that the user, when trying to activate them, preferred not to waste time filling out a form asking for a lot of personal information? Setting up a Facebook Login can also simplify the experience – even if, here too, very specific security measures must be taken into account.
Let’s not forget either that the primary mission of GDPR is to “empower” the user. In order to do that, each company should collect only what is absolutely necessary.
2 – Apply “Privacy by design”
The concept of “Privacy by design”, at the heart of the issues raised by GDPR, has existed since the 90s. It was the former Information and Privacy Commissioner of the Canadian province of Ontario, Ann Cavoukian, who first made it an important issue, in 1997. The main idea is to oblige every company whose technology is focused on collecting users' personal data to integrate some key points in order to respect users' privacy. As a proactive and preventive measure, “privacy by design” is now mandatory, with a view to ensuring a clear and respectful treatment of data, which also provides visibility and transparency.
This obviously concerns every new application, and also every new technology. Let’s take the example of Apple and its famous Face ID, its facial recognition technology offered on the iPhone X and the following models. Depending on the use made of the information collected (in this case, personal data about the shape of your face), the American company has been legally obliged to guarantee its users security and confidentiality from the very conception of this technology.
3 – Security > UX
This is probably the most important key point: despite every effort to provide the user with the best possible experience, security and privacy issues must always prevail over UX. As a result, any application deployed on mobile devices must contain security and control levels that prevent leakage of the logged data.
Different security measures must also be integrated. The first, and probably the most obvious for end users (let’s say one of the ones they understand best), is data encryption. Some globally used apps have built their entire communication plan around data encryption, with the goal of creating an environment that is safe and secure against hacking.
Then, it is all about protecting this data from external threats, whether they come from third-party applications, the devices on which they are installed or even network connections. To do this, you need to enrich your suite of monitoring tools, which will help you avoid leaks.
Last but not least: do not forget that users remain the owners of their personal data, their history and the exchanges they have had with or as part of your service. The security of this data must constantly be the main focus of your attention – this will allow you to create a secure environment, with the least possible risk. This will increase user loyalty and, ultimately, make your business more interesting and more lucrative.