
GDPR Compliance Tips for Platform OS Sites

INSIGHTS
DATA PROTECTION AND PRIVACY
The General Data Protection Regulation (GDPR) has applied since 25 May 2018. See our tips on how Platform OS developers can comply with it.

The General Data Protection Regulation (GDPR) sets data protection and privacy rules for handling the personal data of individuals in the European Union (EU). It applies not only to organizations established in the EU that handle personal data, but also to organizations outside the EU that process the personal data of individuals who are in the EU (for example when offering them goods or services, or monitoring their behaviour).

As the GDPR has applied since 25 May 2018, we’d like to share our tips on how Platform OS developers can comply with it. Let’s start with some basic terminology, and then delve into fulfilling the requirements on your Platform OS site.

Basic terminology

Before going further, you should be familiar with a few terms the regulation uses:

  • Data controller: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • Personal data: any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Special categories of personal data (often called sensitive data): a sub-category of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, as well as genetic data, biometric data used to identify a person, data concerning health, and data concerning a person’s sex life or sexual orientation. Financial data is not a special category under the GDPR, although it is still personal data that must be protected.

Based on this, you are a data controller as soon as you do anything with other people’s personal data through your website (e.g. a newsletter subscription or a contact form). If your Platform OS sites use third-party applications that process personal data on your behalf (e.g. an email delivery service or a chat widget), those applications are data processors, and you remain responsible for the data they handle for you.

Fulfilling GDPR Requirements in Platform OS

Let’s see a couple of requirements related to features that Platform OS developers often implement.

Handling and storing data

Handling and storing personal data in accordance with the GDPR means keeping personal data accurate, up to date and secure, and collecting no more of it than you need. If users ask you to correct or delete their data, respond without undue delay and in any case within one month of the request (the sooner the better; the deadline can only be extended for complex requests, and you have to tell the user within the first month if that happens).

To inform users about the way you handle personal data, you should write a Privacy Policy and make it available on your site, so that it’s easy to find. The Privacy Policy should include:

  • Why you collect the data (purpose)
  • What you do with the data
  • How you collect it
  • How you store it
  • How someone can get in touch with you (e.g. to delete their data)
  • Links to the privacy policies of third-party applications you use (e.g. chat, email provider)

In Platform OS, you gather and update data through Liquid forms. Let’s see an example of a user sign-up form for clients (client_sign_up.liquid):

---
name: onboarding
resource: User
resource_owner: anyone
configuration:
  name:
    validation: { presence: true }
  email:
    validation: { presence: true }
  password:
    validation: { presence: true }
  profiles:
    manager:
      enabled:
redirect_to: '/'
default_payload: ""
callback_actions: ""
email_notifications: ""
---

{% form %}
  {% assign f = form_builder.fields %}
  {% assign profile = f.profiles.manager.properties %}

  {% input f.name %}
  {% input f.email, as: 'email' %}
  {% input f.password, as: 'password' %}
  {% input profile.enabled, as: 'hidden', value: 1 %}

  <input class="btn btn-primary btn-lg" type="submit" value="Register">

  <p>Already have an account? <a href="/log-in">Log In</a></p>
{% endform %}

You can use the same form, with slight modifications, both to gather and to update data: include it with `resource_id: new` to create a record, and with `resource_id: [id]` to let a user update an existing one. When you reuse it for updates, do not keep `resource_owner: anyone`: restrict the form so that a signed-in user can only change their own record (for example `resource_owner: self`, or an authorization policy that compares the record’s id with `context.current_user.id`); otherwise anyone who can guess an id can edit someone else’s data.

Data erasure

You are only allowed to store personal information for the required amount of time—then you have to take measures to securely erase it.

When complying with the data erasure requirement, the main goal is to delete the personal data from the production system (the live site). Explain in your Privacy Policy that copies may survive for a limited time in backup archives that have to be kept for operational reasons, make sure those archives are encrypted, ensure that erased records are not brought back when a backup is restored, and tell users how long backups are retained. In Platform OS, backup archives are kept for 7 days by default.

In Platform OS, you can build your own data erasure solution using Customizations, GraphQL and Liquid: for example, flag records containing personal data for later deletion and remove them through the GraphQL API once the retention period ends; sensitive fields can additionally be encrypted through a third-party encryption service before they are sent to our endpoint, so that only ciphertext is stored on the platform.

Getting consent

You should inform your users about the purpose and way you will use their data. You should get their consent, and be able to prove later that you have, so keep a record of the consents (who, when, how, what they consented to, etc.). 

Opt-in, not opt-out

Consent should always be opt-in, never opt-out: users have to actively give their consent to your use of their data (e.g. by clicking a button or ticking a checkbox). Implied consent is not allowed, so a pre-ticked checkbox that the user did not untick does not count. Do not bundle consent either: one checkbox must not cover several distinct purposes (e.g. a newsletter and passing data to partners); ask for each separately, and make it as easy to withdraw consent as it was to give it.

If you are using a third-party email provider for newsletter subscription, or a chat application, make sure they follow GDPR requirements as well.
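The record of consent described above (who, when, how, what they consented to) is easiest to keep as an append-only log of events, one per purpose, with withdrawals appended rather than grants deleted. The following is an added example in JavaScript, not code from the original post and not a platformOS API: the function names, the `consent_<purpose>` checkbox naming, the `policy_version` field and the constructed sample submission are this example’s own assumptions. It only counts a checkbox that was actually ticked (an unticked box is simply absent from a posted form), records each purpose separately, and derives the current state by replaying the log.

```javascript
// Added example, not code from the original post: an append-only consent
// ledger that records who consented to what, when and how, only counts a
// checkbox the visitor actually ticked, and answers "is there valid consent
// right now?" per purpose. Function and field names are this example's own
// choices, not a platformOS API.

const PURPOSES = ["newsletter", "product_updates"];

// Events are never edited or removed; current state is derived by replay.
const ledger = [];

function normalizeEmail(email) {
  return String(email).trim().toLowerCase();
}

// `fields` mimics the key/value pairs of a posted HTML form: an unchecked
// checkbox is simply absent, a ticked one arrives as "on". Anything else
// (a missing key, a pre-filled default) is not consent.
function recordConsent(fields, meta) {
  if (!fields.email || !fields.policy_version) {
    throw new Error("email and policy_version are required");
  }
  const granted = PURPOSES.filter(p => fields[`consent_${p}`] === "on");
  if (granted.length === 0) return null; // nothing was ticked: record nothing
  const events = granted.map(purpose => ({
    subject: normalizeEmail(fields.email),
    purpose,                                // one event per purpose, never bundled
    action: "granted",
    at: meta.now.toISOString(),             // when
    source: meta.source,                    // how, e.g. "web:/newsletter"
    policy_version: fields.policy_version,  // which text they agreed to
    request_fingerprint: meta.ip_hash,      // evidence without storing the raw IP
  }));
  ledger.push(...events);
  return events;
}

function withdrawConsent(email, purpose, meta) {
  const event = {
    subject: normalizeEmail(email),
    purpose,
    action: "withdrawn",
    at: meta.now.toISOString(),
    source: meta.source,
  };
  ledger.push(event);
  return event;
}

// The most recent event for (subject, purpose) decides: a withdrawal after a
// grant means no consent, a later re-grant restores it.
function hasConsent(email, purpose, events = ledger) {
  const subject = normalizeEmail(email);
  let latest = null;
  for (const e of events) {
    if (e.subject === subject && e.purpose === purpose) latest = e;
  }
  return latest !== null && latest.action === "granted";
}

// Everything recorded about one person, e.g. to answer an access request.
function consentHistory(email, events = ledger) {
  const subject = normalizeEmail(email);
  return events.filter(e => e.subject === subject);
}
```

In Platform OS the same shape fits a Customization per event (subject, purpose, action, timestamp, source, policy version); the important properties are that nothing is ever overwritten and that each purpose has its own checkbox and its own event.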

Platform OS example

Below is example code for a simple opt-in newsletter subscription form and a matching unsubscribe form implemented in Platform OS. To keep the example short, it identifies a subscriber by the email address passed in the URL. On a live site that is not enough: anyone who knows (or guesses) an address can unsubscribe it, and the address ends up in server logs, browser history and analytics. Identify the record by a secret token that you send in the confirmation email instead, and keep email addresses out of URLs.

CustomModelType

name: Newsletter
custom_attributes:
- name: email
  attribute_type: string

Page

---
slug: newsletter
layout_name: home
---
<h1>Join Newsletter</h1>
{% include_form 'newsletter_form', resource_type: 'newsletter' %}

Form

---
name: newsletter_form
resource: Customization
resource_owner: anyone
configuration:
  properties:
    email:
      validation:
        presence: true
authorization_policies:
flash_notice: "Thank you for joining our newsletter"
return_to: '/newsletter/thank-you?email={{ form.properties.email | url_encode }}'
default_payload: "{}"
---
{% form %}
  {% assign f = form_builder.fields %}
  <input name="{{ f.properties.email.name }}" type="email" placeholder="Your email" required>
  {% submit "Subscribe" %}
{% endform %}


Thank you page

---
slug: newsletter/thank-you
layout_name: home
---
<h1>Newsletter</h1>

<p>You are now subscribed to our newsletter.
If you wish to unsubscribe, click <a href="/newsletter/unsubscribe?email={{ params.email | url_encode }}">this link</a>.</p>


Unsubscribe page

---
slug: newsletter/unsubscribe
layout_name: home
---
<h1>Unsubscribe from Newsletter</h1>
{% query_graph 'get_newsletter', result_name: g, email: params.email %}
{% assign newsletter = g.customizations.results.first %}
{% if newsletter %}
  <p>You are about to remove {{ newsletter.email | escape }} from our database.</p>
  {% include_form 'unsubscribe_newsletter_form', resource_type: 'newsletter', resource_id: newsletter.id %}
{% else %}
  <p>You are not subscribed to our newsletter.</p>
{% endif %}

Get newsletter graph

query get_newsletter($email: String) {
  customizations(
    name: "newsletter"
    properties: [{ name: "email", value: $email }]
  ) {
    results {
      id
      email: property(name: "email")
    }
  }
}

Unsubscribe form

---
name: unsubscribe_newsletter_form
configuration: 
  properties:
    email:
      validation:
        presence: true
resource: Customization
resource_owner: anyone
authorization_policies:
flash_notice: "You are now unsubscribed"
return_to: '/'
default_payload: "{}"
---
{% form method: 'delete' %}
  {% submit "Unsubscribe" %}
{% endform %}


Cookie notification

The opt-in requirement applies to cookie notifications too. Implied consent (e.g. the visitor closing the cookie notification window, scrolling, or continuing to browse) is not enough, and non-essential cookies must not be set before consent is given. Every new visitor should click to opt in, so the notification needs an accept button and a link to your cookie policy. Cookies that are strictly necessary for the site to work (e.g. the session cookie) do not require consent, but they should still be described in the policy.

The cookie policy should describe what you collect and why, even for third-party applications, like Google Analytics.

Platform OS Partners can implement a cookie notification in many ways, for example by adding a JavaScript cookie alert popup to their sites. You can use an existing cookie consent library or reuse code from a GitHub repository. Whatever you choose, check that scripts which set non-essential cookies (analytics, chat widgets, social buttons) are only loaded after the visitor has opted in, not merely hidden behind the banner.
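As an added example of such a popup, not code from the original post or from any library it mentions, the script below records consent only on an explicit click, treats closing the banner as “no consent”, ties the stored consent to a policy version so an old answer stops counting when the policy changes, and loads analytics only after consent. The cookie name, the version number, the banner element ids and the script paths are this example’s own assumptions; the decision logic is kept free of DOM calls so it can be exercised outside a browser.

```javascript
// Added example (not the original post's code): an opt-in cookie banner.
// Only an explicit click on "Accept" writes the consent cookie; closing the
// banner writes nothing, and no optional script is loaded without consent.
// Cookie name, version, element ids and script paths are this example's own.

const CONSENT_COOKIE = "cookie_consent";
const CONSENT_VERSION = 2; // bump when the cookie policy changes: older consents no longer count

// Optional scripts keyed by consent category (paths are hypothetical).
const OPTIONAL_SCRIPTS = {
  analytics: "/assets/vendor/analytics.js",
};

// Parse a document.cookie-style string into a name -> value map.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Returns the stored consent, or null if absent, malformed or for an old policy version.
function readConsent(cookieHeader) {
  const raw = parseCookies(cookieHeader)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const c = JSON.parse(raw);
    if (c.version !== CONSENT_VERSION || !Array.isArray(c.categories)) return null;
    return c;
  } catch (err) {
    return null; // a malformed cookie is treated as no consent
  }
}

function hasConsentFor(category, cookieHeader) {
  const c = readConsent(cookieHeader);
  return c !== null && c.categories.includes(category);
}

// Set-Cookie value written after an explicit "Accept" click. `categories`
// is exactly what the visitor ticked; nothing is on by default.
function consentCookieValue(categories, now) {
  const value = JSON.stringify({ version: CONSENT_VERSION, categories, at: now.toISOString() });
  const maxAge = 180 * 24 * 3600; // ask again after six months
  return `${CONSENT_COOKIE}=${encodeURIComponent(value)}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Pure decision: which optional scripts may be loaded given the cookies.
function allowedScripts(cookieHeader) {
  return Object.keys(OPTIONAL_SCRIPTS)
    .filter(category => hasConsentFor(category, cookieHeader))
    .map(category => OPTIONAL_SCRIPTS[category]);
}

// Browser wiring; only runs where a DOM exists. The banner markup
// (#cookie-banner, #cookie-accept, #cookie-dismiss, #cookie-analytics) is
// assumed to be in the layout, with the analytics checkbox unticked.
if (typeof document !== "undefined") {
  const banner = document.getElementById("cookie-banner");
  const accept = document.getElementById("cookie-accept");
  const dismiss = document.getElementById("cookie-dismiss");
  const loadAllowed = () => {
    for (const src of allowedScripts(document.cookie)) {
      const s = document.createElement("script");
      s.src = src;
      s.async = true;
      document.head.appendChild(s);
    }
  };
  if (readConsent(document.cookie) !== null) {
    loadAllowed(); // returning visitor with consent for the current policy
  } else if (banner && accept) {
    banner.hidden = false;
    accept.addEventListener("click", () => {
      const chosen = ["necessary"];
      const analyticsBox = document.getElementById("cookie-analytics");
      if (analyticsBox && analyticsBox.checked) chosen.push("analytics");
      document.cookie = consentCookieValue(chosen, new Date());
      banner.hidden = true;
      loadAllowed();
    });
    // Dismissal writes no cookie: closing the banner is not consent.
    if (dismiss) dismiss.addEventListener("click", () => { banner.hidden = true; });
  }
}
```

The analytics `<script>` tag must not be in the page source at all; it is injected by `loadAllowed()` only once `hasConsentFor("analytics", …)` is true, which is what distinguishes a real opt-in from a banner that merely covers an already-running tracker.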

Data security

The regulation expects data controllers to ensure the security of personal data (Article 32). In practice this means encrypting data in transit with TLS (serve the whole site over HTTPS, not only the login and checkout pages), encrypting sensitive data at rest, restricting who can access it, and keeping backups so that you can recover and restore data after a disaster. You also need a process for regularly testing and evaluating the effectiveness of these measures.

Plan for data breaches: have a breach response plan that lets you report a breach to your supervisory authority within 72 hours of becoming aware of it, and inform the affected users without undue delay when the breach is likely to put them at high risk.

We use Amazon Elastic Compute Cloud (Amazon EC2) as server infrastructure and Amazon Simple Storage Service (Amazon S3) for data storage. AWS offers a GDPR-compliant Data Processing Addendum and documents how its services, including these, can be used in line with the GDPR; see their GDPR Center for details. Keep in mind that a compliant infrastructure provider does not make your site compliant on its own: what you store, for how long, and who can reach it remains your responsibility.

Payment gateways

From the perspective of the GDPR, payment gateways are third-party applications that act as data processors. The regulation (Article 28) requires you to have a written contract with each processor that sets out, among other things:

  • the subject matter and duration of the processing,
  • the nature and purpose of the processing,
  • the type of personal data and the categories of data subjects,
  • the processor’s duty of confidentiality,
  • that nothing in the contract relieves the processor of its own direct responsibilities and liabilities under the GDPR.

In your Privacy Policy, list the payment gateways you use, and link to their respective Privacy Policies. 

Most of our Partners use Stripe, a payment solution integrated into Platform OS, so card details are collected and processed by the payment gateway rather than by your site. See Stripe’s GDPR guide to learn more about the measures they take to ensure GDPR compliance.

We hope this article gave you some insight into following GDPR regulations with Platform OS.

Although the article covers the basics to answer the most fundamental questions, it’s not comprehensive, so you should look into the legislation and ask for legal advice about specific use cases or anything not covered in this guide. Also, there are different technical solutions or approaches to follow each requirement, so the tips we shared are usually not the only option.


