Cookiecutter-django: EU GDPR Compliance - Feature / Discussion

Hi there,

I'm submitting a...

• [ ] bug report
• [x] feature request
• [ ] support request => Please do not submit support request here, see note at the top of this template.

Do you want to request a feature or report a bug?

I'd like to suggest a feature / discuss if the feature makes sense for cookiecutter-django.

What is the current behavior?

GDPR is not being taken into account, as far as I can tell.

What is the expected behavior?

For cookiecutter-django projects to be GDPR compliant from the get go. Broadly speaking this means:

• [ ] “Forget me” – you should have a method that takes a userId and deletes all personal data about that user
• [ ] Notify 3rd parties for erasure – deleting things from your system may be one thing, but you are also obligated to inform all third parties that you have pushed that data to. -> I'm not sure this would apply to cookiecutter-django
• [ ] Restrict processing – in your admin panel where there’s a list of users, there should be a button “restrict processing”. The user settings page should also have that button.
• [ ] Export data – there should be another button – “export data”. When clicked, the user should receive all the data that you hold about them.
• [ ] Allow users to edit their profile – Users must be able to fix all data about them, including data that you have collected from other sources
• [ ] Consent checkboxes – “I accept the terms and conditions” would no longer be sufficient to claim that the user has given their consent for processing their data. So, for each particular processing activity there should be a separate checkbox on the registration (or user profile) screen. -> I don't think this applies to brand new projects
• [ ] Re-request consent – if the consent users have given was not clear (e.g. if they simply agreed to terms & conditions), you’d have to re-obtain that consent. -> probably outside the purview of cookiecutter-django
• [ ] “See all my data” – this is very similar to the “Export” button, except data should be displayed in the regular UI of the application rather than an XML/JSON format.
• [ ] Age checks – you should ask for the user’s age, and if the user is a child (below 16), you should ask for parent permission.
• [ ] Keeping data for no longer than necessary – if you’ve collected the data for a specific purpose (e.g. shipping a product), you have to delete it/anonymize it as soon as you don’t need it. -> probably outside the purview of cookiecutter-django

My expectation would be for projects generated by cookiecutter-django to comply to this. Once the developer starts building on it would obviously be up to the him/her to keep things in check.

What is the motivation / use case for changing the behavior?

GDPR is the new European data protection regulation (basically a law) that must be followed in all European countries but also applies to non-EU companies that have users in the EU. In this particular case, it applies to companies that are not registered in Europe, but are having European customers. So that’s most companies. More details on:

• GDPR – A Practical Guide For Developers

Being able to create Django projects that start off GDPR compliant would be of great advantage to anyone serving EU users.

I'm European so I'm probably biased towards the importance of GDPR 🙂 . Anyway I'd love to hear some thoughts about GDPR impact on Django sites and if it's something cookiecutter-django should comply to.