GDPR Compliance

[BradleyChatha]

Even if this is only for internal use at AIM, I'm pretty sure that doesn't exempt us from having to follow GDPR. Besides, I need to learn to implement this stuff anyway...

List that will need to be updated with anything new, since I don't know everything I need to get done for GDPR:

• [ ] Allow users to download all information we contain about them (AimDataMapper should directly support this as a feature).
• [x] Cookie consent notice. While the AimLogin cookie is exempt, the ASP ones probably aren't, and I will likely need to make more in the future for preference settings.
• [ ] GDPR compliant Privacy Policy (Andy probably has some law-savvy person for this).
• [ ] Allow users to fully erase information we store about them. This will be interesting since there's a possible use case of the AimLogin database being used between multiple websites, which each need to then be informed so they can remove/anonymise their data on the user.
• [ ] Make sure the server(s) containing the database are properly secured, and that we backup and securely store the backups of these databases. I think we even have to make sure the service we use to store the backups only stores them on EU servers. Maybe we can use Digital Ocean's Storage service for this.
• [ ] A system to notify users (and probably some kind of governing entity for GDPR) about data breaches, should they occur.
• [ ] Articles 33 & 33a. God knows about this one.
• [ ] We don't need to worry about Article 35 for this website (I think), but if we ever do end up making the MIS system, we'd probably need to do this one.
• [ ] I doubt this information will ever leave the UK, so article 45 we don't need to worry about.
• [ ] We need to do something about displaying a user's email on the Users page, since it probably breaks some kind of data protection law, letting us see their email without permission.