How to collect users' data? Website owner vs. GDPR

With the entry into force of GDPR, the responsibility for users' data was placed upon website owners.

However, this responsibility can be avoided with the help of services from external companies that are much more specialized, ensure higher security, and meet the requirements of the "General Data Protection Regulation."

When creating a website, it is necessary to think about personal data storage from the beginning of the process. The site should be created following the idea of "secure by design." It's about developing a website so that it's secure as early as the design phase.

Meanwhile, I often encounter simple designs of company websites that forget about the aspect of data storage.

The customer's lawyer looks at the effects of the work on the website after its publication (if at all). They may then find out that the contact form or the newsletter form doesn't meet the requirements of the GDPR.

GDPR is primarily about an obligation to provide information because hacker attacks are commonplace nowadays, and data leakage can always occur.

GDPR and the freedom to choose security measures

I must add that GDPR doesn't specify what kinds of organizational and technical conditions in terms of data processing need to be met. Besides, it would be impractical considering the differences between businesses and how quickly technological solutions change.


That's why we have considerable freedom. Our task is to offer a system in which data are processed according to regulations and protected from accidental deletion or modification.

And we also must guarantee that third parties can’t access the data.

On top of that, there is the aspect of the user giving informed consent to the processing of personal data. They can provide written consent or check an appropriate box on the form.

But the user needs to be informed about which entities will process their data and for what purpose. So if they don't directly consent to personal data processing, the company has no right to use it.

GDPR and technical issues

The issue is much more complex when looking at the GDPR problem from a technical perspective. Let's imagine that the user of our platform provides a variety of data such as a name, surname, e-mail, etc., and also adds a message asking for help. This data is saved in our database or sent to the indicated e-mail address.

Meanwhile, it should be appropriately secured and supervised.

MailChimp makes it easier to, among other things, send newsletters.

Is it a good idea to store data by ourselves?

With an internal database, we can control everything to a certain degree — we can check if a given person just logged in, viewed a given post, or exported it.

However, if everything is sent to the e-mail address, we lose this control. We don't know when such an e-mail will be forwarded. Moreover, it isn't easy to register this kind of data collection and then manage it.

CRM system — an IT system that automates and supports processes on the customer-organization line in terms of acquiring and maintaining the customer.

That's why at The Story, we use a different approach. In the case of typical websites, when we have a contact form or a newsletter subscription, we try not to store personal data in our infrastructure.

API (Application Programming Interface) — a mechanism that enables data exchange between independent IT systems.

It's possible thanks to the use of an external tool. We're talking about CRM software in the form of HubSpot. Although many companies use Salesforce or Bullhorn, there are a lot of CRMs available in the cloud that provide public APIs.

And thanks to this API, we can altogether avoid the step of storing data in our system. Our website offers only a contact form, while the rest is handled by external software.

Contact form

Let me illustrate the problem with the example of a contact form. The user fills it out and clicks on the "Send" button. In a traditional approach, we would save it in our database or send the data from the form to a list of designated e-mails.

At The Story, we neither save anything in our database nor forward it by traditional e-mail; instead, we save the data directly to the CRM through a public API.

Solutions such as HubSpot or Salesforce meet all the requirements regarding the storage of data compliant with GDPR and other regulations.

Let's remember that GDPR applies only within the EU, whereas there are many other regulations (e.g., in Russia, the USA, or China) to which the biggest players, such as HubSpot and Salesforce, adapt.

That's why we move the routine of overseeing the collection of personal data entirely to, for example, HubSpot, and we manage our customers' personal data only from within such a tool.

Newsletter subscription

The situation looks the same in the case of newsletter subscriptions. We moved away a long time ago from writing our own systems for sending e-mails to customers. It would involve a lot of complications regarding the delivery of such messages (they can, for example, end up in the spam folder) and also a lack of monitoring of mailing campaigns, statistics, or analysis of recipients' behavior.

In such a situation, MailChimp, for example, comes to the rescue. It's a global player that takes the problem of spam and storing personal data seriously.

That's why, as with the contact form, I recommend that the submitted data shouldn't go to our internal system and database, nor be sent to the company mailbox. Instead, thanks to a public API, it is directed to a specific system that will later be responsible for mailings, such as MailChimp, Freshmail, Salesforce, or HubSpot.
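
The flow described above for the contact form and the newsletter subscription, as an added example (it is not The Story's code): the handler checks consent, forwards only the fields the form needs, and writes nothing personal to the site's own log, even when the CRM call fails. `send_to_crm` is a hypothetical wrapper around whichever CRM API is used, and the form is assumed to arrive as a parsed dict with a boolean `consent`; all sample values are constructed.

```python
import re
from datetime import datetime, timezone

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
ALLOWED_FIELDS = ("name", "email", "message")  # forward only what the form needs


def handle_form(form, send_to_crm, audit_log):
    """Forward one submission to the CRM; keep no personal data locally.
    send_to_crm: hypothetical callable wrapping the CRM's public API, returns a record id.
    audit_log: list standing in for the site's own log; it must never receive form values.
    """
    event = {"at": datetime.now(timezone.utc).isoformat(), "form": form.get("form_id", "contact")}
    if form.get("consent") is not True:  # consent must be given explicitly
        audit_log.append({**event, "result": "rejected_no_consent"})
        return {"ok": False, "error": "consent_required"}
    email = str(form.get("email", "")).strip()
    if not EMAIL_RE.match(email):
        audit_log.append({**event, "result": "rejected_invalid_email"})
        return {"ok": False, "error": "invalid_email"}
    payload = {k: str(form[k]).strip()[:2000] for k in ALLOWED_FIELDS if form.get(k)}
    payload.update(email=email, purpose=form.get("purpose", ""), consent_at=event["at"])
    try:
        crm_id = send_to_crm(payload)
    except Exception as exc:
        # Record only the error type: the message could echo the payload.
        # No fallback to a local table or mailbox; the user is asked to retry.
        audit_log.append({**event, "result": "crm_error", "error_type": type(exc).__name__})
        return {"ok": False, "error": "try_again_later"}
    audit_log.append({**event, "result": "forwarded", "crm_id": crm_id})
    return {"ok": True}


def demo():
    """Run three constructed submissions against an in-memory stand-in for the CRM."""
    crm, log = [], []
    def fake_crm(payload):
        crm.append(payload)
        return f"rec-{len(crm)}"
    def broken_crm(payload):
        raise ConnectionError(f"timeout while sending {payload['email']}")
    good = {"name": "Ada Example", "email": "ada@example.com", "message": "Help",
            "consent": True, "purpose": "reply to enquiry", "tracking_id": "x1"}
    results = [handle_form(f, c, log) for f, c in
               ((good, fake_crm), ({**good, "consent": False}, fake_crm), (good, broken_crm))]
    return results, crm, log
```

Refusing the submission when the CRM is unreachable is the price of keeping no local copy: any retry queue would itself be a store of personal data that has to be secured and supervised.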

The most important obligation to provide information

In the case of GDPR, it's important to remember that there is no strictly defined concept of responsibility for data storage. We know that IT systems are more or less vulnerable to hacking which may involve data theft.

The most important thing, therefore, is the obligation to provide information and demonstrate that all possible measures have been taken. We need to detect the leakage as early as possible and inform all those who have become its victims.

If there were a data leak at HubSpot, everyone using its services would likely be notified quickly.

Hence, companies using HubSpot will be able to warn their customers swiftly. The probability of detecting an attack is much smaller when we run a small company and supervise the collection of personal data by ourselves.

When a website isn't equipped with special tools (or supervised by a professional DevOps engineer who continuously monitors access logs and data integrity), we most likely won't be able to detect the leakage.

And serious consequences may follow. Undetected leakage, unless reported to the Personal Data Protection Office by a user of our platform, means hefty penalties.

However, if we're using external, professional systems, there is a much higher probability that the data loss will be detected, and thus our users will be informed by us.

Also, it's a CRM provider's responsibility to patch security vulnerabilities as quickly as possible, which, in the case of small businesses with an internal collection of data but without a development team, can be costly and slow.

HubSpot is a very effective tool for storing data.

GDPR is not as scary as it's painted

SaaS (Software as a service) — one of the cloud computing models. The application is stored and executed on the service provider's computers and is made available to users via the Internet.

GDPR is not our enemy. It's a general collection of guidelines and regulations, thanks to which the security of our personal data and customers' data constantly grows. Thanks to GDPR, the awareness of people regarding the value of their identities (not only on the Internet) also increases.

PaaS (Platform as a service) — involves the provider sharing a virtual work environment.

Let's always remember the "secure by design" rule and try to provide genuinely safe and thoughtful solutions. In the age of SaaS and PaaS, let's use proven professional tools as often as possible; with little effort and a monthly cost, they will guarantee the highest level of security of personal data.

Hero shot: elhombredenegro / Flickr.com / Bit.ly/382zmh8 / CC BY 2.0

Author: Yaroslav Shatkevich
A programmer with 17 years of experience. Co-founder and CTO of The Story. Fascinated with planning programming work, author of numerous IT and DevOps specifications. Honored by Awwwards, awarded the iF Design Award 2018. He works in Python, PHP, React and JavaScript technologies. He has created over 90 web and mobile applications and dedicated systems.