Using Laravel to implement good GDPR privacy practices

Privacy by default as a development practice that GDPR pushed into law, how we build Laravel apps.

"Using Laravel in practice developing an app when you need to manage GDPR compliance?"

Which way now

Opt in to compliance

When building Laravel apps we are asked questions on adhering to GDPR.

Lets walk through the aspects of GDPR and how we work with those building an app.

GDPR clear language inside

With the new GDPR regulations data Collectors and partners who are Processors of people's personal data need to be listed clearly in your Privacy statement and opted into collection

Here is mainly concentrated around the language used to the customer in terms, privacy policy and opt in / out forms. If in your app you are asking a user for any personal identifiable data at sign up or later, you are going to be a Controller (this one has nothing to do with MVC, but if you pull any personal user data from the Model through to the View you are). This includes storing tracking data like IP addresses in logging. This is data you will use and process means, do anything with the data like email or generate results because of their choices.

Take the default position that you are Controller, and you would have to work hard to not be one. You may also be a Processor of other data from 3rd parties, and with APIs and marketing tools in your company service you will be using another company as a Processor. i.e. Mailchimp, Drip, Mautic, Stripe, Facebook, Twitter and many other similar helpful services.

So hand to legal and writers of the site to do the front facing messages. Work together on a short privacy message link you can put on forms, where you need to have a clear link. The from data for sign up, marketing and profiles need to keep private personal data too a minimum. Document each field in a spreadsheet, and then the reason you need each one, is needed for GDPR records as well as good for planning.

To send someone an email, do you need also their age, income, job title, or can you remove those? Consider each field adding a little more risk so the better is less. Friction is also reduced for the user with less field, so you should see more submissions. You can look at the docs for which fields count as private and which are sensitive, the level above.

  • The form in the backend should allow for these fields extra to not be required.
  • The user should be given separate options to opt in for each use case, i.e. email list, general marketing, sharing to 3rd party.
  • Track in the form data saved to db, the action, location and date for each of these grouped choices. For a trail if they opt out or back in latter.
  • Keep the personal user data in separate table and models, and even better in a different db or system, so that security measures can be higher, and loose coupling possible.

In terms of packages that can help here, where this is as much data storage and frontend details. Notice if you use any 3rd party martech tools to collect data and share back with the app, then they all follow same steps and process.

With Laravel GDPR export user data traits added to the model object so it is easier to set up export of data for Right to Portability latter.

Visitor Opt-In needs logging for GDPR

Log the location and time of opt-in, where recommend also store Screengrabs with your GDPR data process audits.

  • All options should be opt out by default not opt in, so if no checkbox mention then the user has opted out.

If you are being extra thorougher changes to any form layout with collection and opt in you should screen grab and log this in a file. Keep dated version changes of each of these, plus notes on the fields and use. This allows demonstration if the user questions where did they opt in.

With limiting data in the logs this can do help, to save wrapping each log call Monolog hashes email and IP Under GDPR storage of IP and private data should be tracked and limited in logs too. These processors will replace data with their SHA-1 equivalent, allowing you still to search logs.

Next installment to follow: App Cookies


Photo Credit: Photo by Mike Wilson on Unsplash

#gdpr #laravel #privacy
Mautic Tags

See also