Privacy Engineering for Mobile: GDPR in Practice

PrivacyMobileGDPRAndroid

Privacy engineering is the practice of building data protection into a system rather than bolting a consent banner on at the end. For mobile apps under GDPR, that distinction is the whole game — regulators and users can both tell the difference between an app designed to collect the minimum it needs and one that hoovers up everything and asks forgiveness later. Having shipped apps into fintech and consumer contexts, I've learned the compliant version is usually the simpler version: you collect less, so you have less to secure, explain, export, and delete.

The mistake teams make is treating GDPR as a legal checkbox handed to engineering at the end. It's an architecture concern. Where personal data lives, how it flows to third parties, whether you can find and delete all of it for one user — those are design decisions you make in code, and they're expensive to retrofit.

Data minimization is the cheapest control

The single most effective privacy measure is not collecting data in the first place. Every field you don't store is a field you can't leak, don't have to encrypt, and never have to delete. Before adding a data point, ask what feature genuinely requires it and whether a coarser version would do.

Concrete examples from real apps:

This is privacy by design — Article 25's requirement — expressed as ordinary engineering restraint. It also reduces PII sprawl, which makes every downstream obligation smaller.

Consent that means something

GDPR consent must be freely given, specific, informed, and unambiguous — which rules out pre-ticked boxes and "by using this app you agree" banners. In practice that means:

The engineering consequence people miss: SDKs must not initialize before consent. Analytics and ad SDKs routinely send an install ping or device identifier the moment the app launches. If that happens before consent, you've already violated it.

// Gate SDK init behind stored consent, not app launch
fun onAppStart(consent: ConsentState) {
    if (consent.analyticsGranted) {
        Analytics.initialize(context) // only now
    }
    // Crash reporting with PII scrubbing can often run on
    // legitimate-interest basis, but scrub aggressively.
    CrashReporter.initialize(context, scrubPii = true)
}

Audit what each SDK actually transmits with a proxy like Charles or mitmproxy. I've caught SDKs sending the advertising ID and a list of installed packages on first launch — data the product never used and legal never approved.

Handle PII like it's radioactive

Treat personal data as something to contain and track:

Practice What it looks like
Encrypt at rest Platform keystore for tokens; encrypted DB for PII
Encrypt in transit TLS everywhere, pinned where feasible
Scrub telemetry Strip emails, tokens, IDs from logs and crash traces
Tag data flows Know which fields are PII and where they go
Limit retention Delete data when its purpose ends, automatically

The keystore and encrypted-storage mechanics are covered in Android Keystore and encrypted storage. The point here is that encryption is necessary but not sufficient — you also have to know where the PII is, which is why data-flow mapping matters more than any single control.

Data subject rights are an engineering feature

GDPR gives users the right to access, export, correct, and delete their data. If fulfilling a deletion request means an engineer manually running SQL across six services and hoping they got the backups and the analytics warehouse, you're not compliant — you're improvising.

Build these as features:

The hard part is the long tail: the analytics platform, the email provider, the support tool. Each is a processor you must be able to instruct. Keep a register of where personal data flows so deletion is a known list, not an archaeology project.

The third-party SDK trap

Your GDPR liability extends to every SDK that collects data through your app — you're the controller, the SDK vendor is a processor, and their leak is your incident. Minimize third-party SDKs, gate them behind consent, and prefer server-side integration where you control the data before it leaves. This dovetails with zero-trust mobile thinking: the app is a place data leaks from, so keep sensitive processing on your backend where you can audit and control it.

A pragmatic starting point

For a team retrofitting privacy into an existing app:

  1. Inventory every field you collect and every SDK that phones home — most teams are surprised by the list.
  2. Delete collection you can't justify. This is free risk reduction.
  3. Build the consent gate and move non-essential SDK init behind it.
  4. Implement export and deletion as real endpoints, tested end to end.
  5. Set retention limits and automate the deletion of expired data.

Done well, privacy engineering isn't a tax on the product — it's a forcing function toward a leaner, more secure system. You end up storing less, understanding your data flows, and being able to answer a regulator's or a user's question in minutes. That's a better-engineered app by any measure, not just a compliant one.

Resources

Frequently asked questions

What does GDPR actually require from a mobile app?

A lawful basis for processing personal data, genuine consent where consent is the basis, data minimization, the ability to fulfill data subject rights (access, deletion, portability), and appropriate security. In practice that means collecting less, documenting why, and being able to export and delete a user's data on request.

Does telemetry and crash reporting count as personal data?

Often yes. Device IDs, IP addresses, and advertising identifiers are personal data under GDPR, and crash reports frequently contain PII in stack traces or logs. You need a lawful basis and consent for non-essential analytics, and you should scrub PII from telemetry.

Do third-party SDKs make me liable under GDPR?

Yes. If an analytics or ads SDK collects personal data through your app, you're responsible as the data controller. Many SDKs phone home before consent is granted, so you must gate their initialization behind consent and audit what they actually send.

Hiring a senior Android / Flutter engineer?

I architect and ship production mobile software — Kotlin, Jetpack Compose, Flutter — for robotics, EV infrastructure, fintech, and real-time systems. Open to remote roles in Europe and the US.

Get in touch →