I have build a web application using Django, Vue.js and deployed it on Heroku. It is a web application made for a big charity where you can win prizes by donating to the charity. The following information is collected:
Which is pretty basic, I guess. The reason no payment information is stored is because, upon clicking 'Donate', the user is redirected to JustGiving (implemented the JustGiving API) where they enter their payment information and such and are then redirected back to our website.
A few emails are sent:
This will be the first time I properly publish a web application so wanted to ask what steps I need to ensure to make sure the web app is legal. I know I have to probably have a 'cookies' alert and a section where users choose to receive emails or not.
What other steps must I take to make sure I am not breaking any rules?
GDPR can feel complex, but since you're gathering minimal information here, it doesn't need to be. Following best practice as a developer should ensure you're doing your due diligence with regards to security.
To keep you and the charity safe in case of a breach, I would ensure you have a signed document between you laying out clear responsibilities, and detailing how long you will be holding the information. For example, if someone signs up but doesn't win a prize, at what point is you holding that person's information unnecessary?
I would work through the ICO's guidance to charities - https://ico.org.uk/for-organisations/in-your-sector/charity/charities-faqs/