After a couple of months spent trying to understand GDPR and adapting FunRetro to it, this is a summary of what I learned in the process.
Disclaimer: This post is not legal advice and does not reflect any lawyer's input. To understand how to adapt to GDPR, the best option is to contact a lawyer who specialises in it.
The most important thing that I learned from GDPR is:
The data belongs to the user. So respect it.
That means you should treat it well, collect only what you really need, be careful about whom you share it with, be transparent about it, and give the user full control over it.
This is a list of most of the things we did in order to be compliant:
- First analyse all the data you currently collect and review what is really needed, which data you can stop collecting and which you can stop sharing. If you hold data you no longer need, delete it.
- Only store data that you really need (for example, avoid extra fields on the registration form).
- Clean out any old data in your database that is no longer needed.
- If you have an old mailing list and never asked for consent, send a consent email and remove everyone who did not accept.
- Make a list of all the data you collect directly (and, if you can, indirectly as well) together with the reason for collecting it.
- Make a list of all the data processors you use and the reason for each; see whether you can stop using any of them.
- Add a checkbox for people to accept your terms when registering (auto-accepting or a pre-checked box is not valid consent).
- Add a separate checkbox for marketing consent (needed to be able to send marketing emails).
- Allow people to edit their data; that includes things like email, name, and any other data you collect from them.
- Make sure people can see and export all the data you hold about them.
- Make sure users can delete all the data you hold about them, make it clear when the data will be completely deleted, and notify your data processors so they delete it as well.
- Do regular encrypted backups and keep them no longer than 30 days.
- Create a process to delete inactive users' data after 1 year: send an email to the user first and, if they do not log in to the app, delete the data from your servers and notify your data processors as well.
- Make sure the data is secure (personal data is only accessed by the people who should see it) and, if possible, create a security page explaining the details.
- If you use Google Analytics, Mixpanel or another tool that offers the option, disable IP storing.
- If you collect marketing consent yourself, make sure you pass it on to your email list provider (such as Mailchimp) and your other providers.
- Record when the user accepted the terms and keep a history of the messages you used and of your terms.
- Log access to personal data so you know who accessed it and for what purpose. Don't log personal data itself, only identifiers if needed.
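Several of the items above (explicit consent with a timestamp and terms version, export, erasure with processor notification and a clear "gone by" date, the inactivity process, and an access log that holds identifiers only) fit together naturally in code. The following is an added example written for this post, not FunRetro's code; the class and function names, the terms-version label, the 30-day grace period after the warning email, and the sample users and dates are all constructed for illustration:

```python
from __future__ import annotations

from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone

# Constants from the checklist; the terms-version label and the grace period
# after the warning email are assumptions made for this example.
TERMS_VERSION = "terms-v1"              # assumed label for the current terms text
INACTIVITY_LIMIT = timedelta(days=365)  # warn after one year without a login
WARNING_GRACE = timedelta(days=30)      # assumed: erase if still inactive 30 days after the warning
BACKUP_RETENTION = timedelta(days=30)   # backups are kept no longer than 30 days


@dataclass
class User:
    user_id: str
    email: str
    name: str
    last_login: datetime
    terms_accepted_at: datetime         # when the terms box was ticked (kept as evidence)
    terms_version: str                  # which terms text was accepted
    marketing_consent_at: datetime | None = None  # None means no marketing consent
    inactivity_warned_at: datetime | None = None


class DataStore:
    """In-memory stand-in for the application database and its data processors."""

    def __init__(self, processors: list[str]):
        self.users: dict[str, User] = {}
        self.processors = processors                  # e.g. the mailing-list provider
        self.access_log: list[dict] = []              # who looked at which record, and why
        self.outbox: list[tuple[str, str]] = []       # (user_id, message kind) instead of real email
        self.processor_requests: list[tuple[str, str, str]] = []  # (processor, user_id, action)

    def _log(self, actor: str, user_id: str, purpose: str, now: datetime) -> None:
        # Only the internal identifier goes into the log, never the email or name.
        self.access_log.append({"at": now.isoformat(), "actor": actor,
                                "user_id": user_id, "purpose": purpose})

    def register(self, user_id: str, email: str, name: str, now: datetime,
                 terms_checked: bool = False, marketing_checked: bool = False) -> User:
        # Both boxes default to unchecked: consent is recorded only when the form
        # arrives with the box ticked, together with the time and terms version.
        if not terms_checked:
            raise ValueError("terms must be explicitly accepted")
        user = User(user_id, email, name, last_login=now, terms_accepted_at=now,
                    terms_version=TERMS_VERSION,
                    marketing_consent_at=now if marketing_checked else None)
        self.users[user_id] = user
        if marketing_checked:
            # Pass the marketing consent on to the providers that send the emails.
            for p in self.processors:
                self.processor_requests.append((p, user_id, "marketing-consent"))
        return user

    def record_login(self, user_id: str, now: datetime) -> None:
        user = self.users[user_id]
        user.last_login = now
        user.inactivity_warned_at = None   # a login cancels a pending deletion

    def export(self, user_id: str, actor: str, now: datetime) -> dict:
        # Subject access / portability: everything held about the user, and the access is logged.
        self._log(actor, user_id, "export", now)
        return asdict(self.users[user_id])

    def erase(self, user_id: str, actor: str, now: datetime) -> datetime:
        # Remove the live record, ask every processor to do the same, and return
        # the date by which the last backup containing the data has expired.
        self._log(actor, user_id, "erase", now)
        del self.users[user_id]
        for p in self.processors:
            self.processor_requests.append((p, user_id, "delete"))
        return now + BACKUP_RETENTION

    def purge_inactive(self, now: datetime) -> dict[str, list[str]]:
        # Warn by email first; erase only if the user still has not logged in
        # once the grace period has passed.
        result = {"warned": [], "erased": []}
        for user in list(self.users.values()):
            if now - user.last_login < INACTIVITY_LIMIT:
                continue
            if user.inactivity_warned_at is None:
                user.inactivity_warned_at = now
                self.outbox.append((user.user_id, "inactivity-warning"))
                result["warned"].append(user.user_id)
            elif now - user.inactivity_warned_at >= WARNING_GRACE:
                self.erase(user.user_id, "retention-job", now)
                result["erased"].append(user.user_id)
        return result


def demo() -> dict:
    """Walk through the lifecycle with constructed users and dates."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    store = DataStore(processors=["mailing-list-provider"])
    store.register("u1", "alice@example.com", "Alice", t0, terms_checked=True, marketing_checked=True)
    store.register("u2", "bob@example.com", "Bob", t0, terms_checked=True)
    store.register("u3", "dave@example.com", "Dave", t0, terms_checked=True)
    try:
        store.register("u4", "carol@example.com", "Carol", t0)   # terms box left unchecked
        rejected = False
    except ValueError:
        rejected = True
    exported = store.export("u1", actor="support-agent", now=t0)
    gone_by = store.erase("u1", actor="u1", now=t0)               # Alice deletes her own account
    first_pass = store.purge_inactive(t0 + INACTIVITY_LIMIT)      # Bob and Dave are warned
    store.record_login("u3", t0 + INACTIVITY_LIMIT + timedelta(days=1))  # Dave comes back
    second_pass = store.purge_inactive(t0 + INACTIVITY_LIMIT + WARNING_GRACE)  # only Bob is erased
    return {
        "unchecked_rejected": rejected,
        "exported_terms_version": exported["terms_version"],
        "erasure_complete_after_days": (gone_by - t0).days,
        "warned": first_pass["warned"],
        "erased": second_pass["erased"],
        "processor_requests": store.processor_requests,
        "log_entries": len(store.access_log),
        "log_contains_email": any("@" in str(v) for e in store.access_log for v in e.values()),
    }


if __name__ == "__main__":
    print(demo())
```

The store keeps the consent evidence (time and terms version) on the record itself so an export shows the user exactly what was agreed to, and the erasure function returns the backup-expiry date so the interface can tell the user when their data is completely gone.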