We are asked questions around adhering to GDPR building Laravel apps.
"Using Laravel in practice developing an app when you need to manage GDPR compliance?"
Opt in to compliance
Lets walk through the aspects of GDPR and how we work with those building an app.
GDPR clear language inside
With the new GDPR regulations data Collectors and partners who are Processors of people's personal data need to be listed clearly in your Privacy statement and opted into collection
Take the default position that you are Controller, and you would have to work hard to not be one. You may also be a Processor of other data from 3rd parties, and with APIs and marketing tools in your company service you will be using another company as a Processor. i.e. Mailchimp, Drip, Mautic, Stripe, Facebook, Twitter and many other similar helpful services.
So hand to legal and writers of the site to do the front facing messages. Work together on a short privacy message link you can put on forms, where you need to have a clear link. The from data for sign up, marketing and profiles need to keep private personal data too a minimum. Document each field in a spreadsheet, and then the reason you need each one, is needed for GDPR records as well as good for planning.
To send someone an email, do you need also their age, income, job title, or can you remove those? Consider each field adding a little more risk so the better is less. Friction is also reduced for the user with less field, so you should see more submissions. You can look at the docs for which fields count as private and which are sensitive, the level above.
- The form in the backend should allow for these fields extra to not be required.
- The user should be given separate options to opt in for each use case, i.e. email list, general marketing, sharing to 3rd party.
- Track in the form data saved to db, the action, location and date for each of these grouped choices. For a trail if they opt out or back in latter.
- Keep the personal user data in separate table and models, and even better in a different db or system, so that security measures can be higher, and loose coupling possible.
In terms of packages that can help here, where this is as much data storage and frontend details. Notice if you use any 3rd party martech tools to collect data and share back with the app, then they all follow same steps and process.
With Laravel GDPR export user data traits added to the model object so it is easier to set up export of data for Right to Portability latter.
Visitor Opt-In needs logging for GDPR
Log the location and time of opt-in, where recommend also store Screengrabs with your GDPR data process audits.
- All options should be opt out by default not opt in, so if no checkbox mention then the user has opted out.
If you are being extra thorougher changes to any form layout with collection and opt in you should screen grab and log this in a file. Keep dated version changes of each of these, plus notes on the fields and use. This allows demonstration if the user questions where did they opt in.
With limiting data in the logs this can do help, to save wrapping each log call Monolog hashes email and IP Under GDPR storage of IP and private data should be tracked and limited in logs too. These processors will replace data with their SHA-1 equivalent, allowing you still to search logs.
More to come
- Plugins for Laravel/Wordpress/Joomla
- Done for you GDPR website upgrade
- Steps to developing compliant apps
- Platform.sh have a several part guide
Photo Credit: Photo by on Unsplash