Do we need to make our projects GDPR compliant?

I’m not really sure about GDPR and how to integrate the necessary options / requirements into building a full stack app. If I finish my full stack apps and showcase them with the world, and people sign up and start using the applications, do I need some options in an admin panel to allow the users “access” to their data, or an option for them to delete themselves?

Has freeCodeCamp made some guidelines for building full stack projects and complying with GDPR?

I think if you’re dealing with European users, the answer to this is yes, you need to take GDPR into account.
Here’s an overview article for web developers

There are many more articles online.

I don’t think FCC has a topic on this (I haven’t looked at all the content available here though).

Edit: and here’s a checklist for app devs

Thanks for the links! Yeah I suppose, when building an app and showcasing to the world, you don’t really know who will sign up. I bet there are thousands of people on fcc from Europe, so it’s certainly a requirement now.

I suppose, I’m just interested in how to provide all the users data in some sort of admin UI for the user to see / remove their data … using mongodb or firebase etc. Has anyone out there created this for their backend projects? I’d love to see some examples.
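One way to build the self-service "see my data / remove me" endpoints asked about above, as an added example (not code from this thread or from freeCodeCamp): it assumes a Node/Express backend with an auth middleware that has already set `req.user.id`, and uses a constructed in-memory stand-in for the MongoDB collections so it runs offline.

```javascript
// Added example, not from the thread: data-subject access (export) and erasure
// handlers for a Node/Express + MongoDB-style backend.
// "db" is a constructed in-memory stand-in for MongoDB collections so the file
// runs offline; in a real app replace the array filters with collection calls.
const db = {
  users: [{ _id: "u1", email: "alice@example.com", passwordHash: "$2b$constructed" }],
  posts: [{ _id: "p1", userId: "u1", text: "hello" }],
  sessions: [{ _id: "s1", userId: "u1" }],
};

// Only these user fields go into an export: never secrets such as password hashes.
const EXPORTABLE_FIELDS = ["_id", "email"];

// Subject access request: return everything held about the authenticated user.
// requesterId must come from the verified session, never from a client-supplied id,
// or one user could read another's data.
function exportUserData(requesterId) {
  const user = db.users.find((u) => u._id === requesterId);
  if (!user) return null;
  const profile = Object.fromEntries(EXPORTABLE_FIELDS.map((f) => [f, user[f]]));
  return {
    exportedAt: new Date().toISOString(),
    profile,
    posts: db.posts.filter((p) => p.userId === requesterId),
  };
}

// Erasure request: remove the account and every record linked to it (posts,
// sessions), then log the fact, not the content, so the deletion can be shown later.
const erasureLog = [];
function deleteUser(requesterId) {
  if (!db.users.some((u) => u._id === requesterId)) return false;
  db.users = db.users.filter((u) => u._id !== requesterId);
  db.posts = db.posts.filter((p) => p.userId !== requesterId);
  db.sessions = db.sessions.filter((s) => s.userId !== requesterId);
  erasureLog.push({ userId: requesterId, deletedAt: new Date().toISOString() });
  return true;
}

// Express wiring (assumed: an auth middleware has already set req.user.id).
function registerRoutes(app) {
  app.get("/me/export", (req, res) => res.json(exportUserData(req.user.id)));
  app.delete("/me", (req, res) => {
    res.status(deleteUser(req.user.id) ? 204 : 404).end();
  });
}
```

The same two functions back an admin panel just as well; the point is that the id always comes from the verified session or an admin's explicit, logged action, and the export never includes credential material.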

I’m certainly no legal expert, but this:

Would seem to exclude something like fCC projects:

This Regulation does not apply to the processing of personal data […] by a natural person in the course of a purely personal or household activity;

Of course, if you found your project was morphing into an actual product with a significant user base, you’d want to make sure it’s compliant.

Good catch!

Haha I love the definition “natural person”. I wonder what that includes…

(。◕ ‿ ◕。)

I think it means people that recycle and eat a lot of granola. So pretty much Scandinavians.

In law, “person” sometimes includes businesses as well as actual people. So I think “natural person” just means a human with flesh and bones and guts and stuff (and not acting on behalf of a company).

Also freelancers, of course :smiley:

In jurisprudence, a natural person is a person (in legal meaning, i.e., one who has its own legal personality) that is an individual human being, as opposed to a legal person, which may be a private (i.e., business entity or non-governmental organization) or public (i.e., government) organization.

Source : Wikipedia

So weird that the definition of a person can actually be not a person. wtf!

That doesn’t apply to the OP’s question, though, which is about a full-stack app which allows “people sign up and start using the applications”. Once “people sign up” you have to apply the GDPR rules. It doesn’t matter how small your app is or that it came about via FCC projects.

If you have a Google or Facebook account, there are options to ask for all your data. You can check out their service to learn how the pros do it.

The text I quoted is from the GDPR itself. Again, I’m no legal expert, but it seems to me that it would cover fCC projects (and I suspect that clause was added to cover exactly this type of case — where the data in question is being collected simply as an educational exercise, not for any marketing or monetization purposes).

If you are in fact collecting data for your own personal educational purpose, and do not plan to do anything further with it, then yes, it would seem you are exempt. But I didn’t understand the OP’s original post this way. As the OP said: “finish my full stack apps and showcase them with the world, and people sign up and start using the applications”, I took that to mean it was past the educational purpose point.

PS: having a clear privacy policy even for an educational-purpose app seems like a small thing to do just to make sure that at least people who are providing their data are aware what it will be used for (education) and that it won’t be mishandled/misused.

Thanks for the great discussion and help figuring this all out :slight_smile:
I’m basically just referring to my FCC projects that I finish and deploy to a live site. Once they are live, I wasn’t sure of the implications, and in most cases being for “educational purposes” will suffice.

I guess if things were to go beyond a simple demonstration, to something that would be commercialized, then yeah, ensuring it is GDPR compliant is certainly required. For now, it’s no big deal, but still - how to create a backend admin UI for users to download their data and/or remove themselves would be cool to know how to do :slight_smile:

Thanks again!

Just for exactness’s sake though, the question isn’t about whether they are commercialized or not. You could be offering a free service for a non-profit and still have to be compliant. Have you looked up how social apps like Facebook are adapting to GDPR? I am sure you will find many discussions online about this (to use for ideas).