
I have built a web application using Django, Vue.js and deployed it on Heroku. It is a web application made for a big charity where you can win prizes by donating to the charity. The following information is collected:

  • Name
  • Username
  • Email
  • Password

Which is pretty basic, I guess. The reason no payment information is stored is because, upon clicking 'Donate', the user is redirected to JustGiving (implemented the JustGiving API) where they enter their payment information and such and are then redirected back to our website.

A few emails are sent:

  • An email when somebody wins a prize
  • An email if you are the winner of the prize
  • An email when a new prize draw is taking place
  • A receipt of your donation

This will be the first time I properly publish a web application, so I wanted to ask what steps I need to take to make sure the web app is legal. I know I probably have to have a 'cookies' alert and a section where users choose whether to receive emails or not.

What other steps must I take to make sure I am not breaking any rules?

user745587
  • I'm closing this question as off-topic because it is not about a practical programming problem as outlined in the [help/on-topic]. – Martijn Pieters Oct 11 '20 at 10:48

2 Answers


GDPR can feel complex, but since you're gathering minimal information here, it doesn't need to be. Following best practice as a developer should ensure you're doing your due diligence with regards to security.

To keep you and the charity safe in case of a breach, I would ensure you have a signed document between you laying out clear responsibilities and detailing how long you will be holding the information. For example, if someone signs up but doesn't win a prize, at what point does holding that person's information become unnecessary?

I would work through the ICO's guidance to charities - https://ico.org.uk/for-organisations/in-your-sector/charity/charities-faqs/

Dharman

GDPR compliance is shaped by the eight rights bestowed on users with respect to their data. You need to ensure all of the rights are preserved:

Right to be informed

Your use of user data must be transparent. What data do you collect, what do you use it for, and with whom is it exchanged? This is typically documented in your site's privacy policy.

Right of access

If someone asks you for their data, you must provide it to them. The way you provide it needs to be a commonly used format, e.g. JSON or CSV.

Right to rectification

If there is incorrect data about a user you must let them correct it.

Right to erasure

Users can ask that their data be deleted or removed, if there isn't a strong reason to keep it around. In your example this would correspond to deleting their account.

Right to restrict processing

Users can ask that you block any further processing of their data; you may continue to store it but you can't perform other business operations on it.

Right to portability

Similar to the right of access above, you must allow users to export and reuse their personal data for their own purposes.

Right to object

Users can object to having any personal information used for purposes they don't want, like for analytics or marketing.

Individuals can object to having their personal information used. This includes for purposes of direct marketing, research and statistics.

Rights related to automatic decision making

This defines requirements you have to meet to use user data as part of automatic decisions like issuing credit or deciding whether they can be on a waitlist.

Ultimately, however, GDPR compliance is a legal question and can't be answered through a technology lens.

John Feminella
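The two answers above describe obligations (access and portability export in JSON or CSV, rectification, erasure by deleting the account, restricting processing, opt-in marketing, and a fixed retention period agreed with the charity) without showing what the application side looks like. The following is an added, framework-independent example written for this page; it is not code from either answer or from the asker's Django project. The in-memory `UserStore`, the `UserRecord` fields, the 365-day `RETENTION_DAYS` and the sample users are all assumptions; in the real app each method would be a query against the user model. Note that the password hash is kept out of the export on purpose: it is a credential, not personal data the user needs returned to them.

```python
from __future__ import annotations

import csv
import io
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical retention period; the real value comes from the agreement with the charity.
RETENTION_DAYS = 365

# Fields returned for an access / portability request. The password hash is deliberately
# excluded: it is a security credential, not information about the person.
EXPORT_FIELDS = ("user_id", "name", "username", "email",
                 "marketing_opt_in", "processing_restricted", "draws_entered")


@dataclass
class UserRecord:
    user_id: int
    name: str
    username: str
    email: str
    password_hash: str
    marketing_opt_in: bool = False        # right to object: no marketing unless opted in
    processing_restricted: bool = False   # right to restrict processing
    created_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    last_activity_at: datetime | None = None
    draws_entered: list[str] = field(default_factory=list)


class UserStore:
    """In-memory stand-in for the app's user table (assumption for this example)."""

    def __init__(self) -> None:
        self._users: dict[int, UserRecord] = {}

    def add(self, user: UserRecord) -> None:
        self._users[user.user_id] = user

    def get(self, user_id: int) -> UserRecord | None:
        return self._users.get(user_id)

    def _require(self, user_id: int) -> UserRecord:
        user = self.get(user_id)
        if user is None:
            raise KeyError(f"no such user: {user_id}")
        return user

    # Right of access / right to portability: a machine-readable copy of the data.
    def export(self, user_id: int, fmt: str = "json") -> str:
        user = self._require(user_id)
        data = {key: getattr(user, key) for key in EXPORT_FIELDS}
        data["created_at"] = user.created_at.isoformat()
        if fmt == "json":
            return json.dumps(data, indent=2, sort_keys=True)
        if fmt == "csv":
            buf = io.StringIO()
            writer = csv.DictWriter(buf, fieldnames=list(data))
            writer.writeheader()
            writer.writerow({k: ";".join(v) if isinstance(v, list) else v
                             for k, v in data.items()})
            return buf.getvalue()
        raise ValueError(f"unsupported export format: {fmt}")

    # Right to rectification: only profile fields may be changed through this path.
    def rectify(self, user_id: int, **changes: str) -> None:
        user = self._require(user_id)
        not_allowed = set(changes) - {"name", "username", "email"}
        if not_allowed:
            raise ValueError(f"fields not rectifiable here: {sorted(not_allowed)}")
        for key, value in changes.items():
            setattr(user, key, value)

    # Right to erasure: in this app that means deleting the account.
    def erase(self, user_id: int) -> bool:
        return self._users.pop(user_id, None) is not None

    # Right to restrict processing: the record stays, but nothing further is done with it.
    def restrict_processing(self, user_id: int, restricted: bool = True) -> None:
        self._require(user_id).processing_restricted = restricted

    # Right to object: marketing email is opt-in and can be withdrawn at any time.
    def set_marketing_opt_in(self, user_id: int, opt_in: bool) -> None:
        self._require(user_id).marketing_opt_in = opt_in

    def may_send_marketing(self, user_id: int) -> bool:
        user = self.get(user_id)
        return user is not None and user.marketing_opt_in and not user.processing_restricted

    # Retention: accounts with no activity inside the agreed window are deletion candidates.
    def retention_expired(self, now: datetime | None = None) -> list[int]:
        now = now or datetime.now(timezone.utc)
        cutoff = now - timedelta(days=RETENTION_DAYS)
        return sorted(uid for uid, u in self._users.items()
                      if (u.last_activity_at or u.created_at) < cutoff)


def build_demo_store() -> UserStore:
    """Two constructed users; the hash values are placeholders, not real credentials."""
    store = UserStore()
    old = datetime(2019, 1, 1, tzinfo=timezone.utc)
    store.add(UserRecord(1, "Ada Example", "ada", "ada@example.org", "<hash-placeholder>",
                         marketing_opt_in=True, created_at=old, last_activity_at=old,
                         draws_entered=["draw-2019-01"]))
    store.add(UserRecord(2, "Bob Example", "bob", "bob@example.org", "<hash-placeholder>"))
    return store


if __name__ == "__main__":
    demo = build_demo_store()
    print(demo.export(1))
    print(demo.export(1, "csv"))
    print("retention expired:", demo.retention_expired())
```

The transactional emails from the question (prize draw result, donation receipt) are not gated by `may_send_marketing`: they are part of the service the user asked for, so only the marketing category needs the opt-in check. The `retention_expired` list is what a scheduled job would feed into `erase` once the retention period in the signed agreement has passed.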