Razeware and GDPR

“Discover what GDPR means, and how Razeware is dealing with the challenge of compliance”

[ May 20, 2018 · Sam Davies ]

We live in interesting times, when it comes to user privacy and protection of data. Access to large amounts of our personal data has increasingly become the price we pay to use many online services — all too often without much knowledge of what data we’re giving up, or how it’s being used.

This has largely been unregulated, as the law has struggled to keep up with technological change. GDPR is the latest in a line of regulations that attempt to make the use of personal information more transparent. In many respects, it looks like GDPR may be the most successful.

You’ve probably seen a lot of notifications from different websites and services you use requesting that you agree to a new, clearer privacy policy. These changes are all a knock-on effect of GDPR, and as you may have noticed, Razeware, the company behind raywenderlich.com, has jumped on the bandwagon.

In this post we’ll take a look at some of the changes that have come into effect, along with the approach we took as a company to assess and work towards compliance.

What is GDPR?

The General Data Protection Regulation (GDPR) is legislation from the EU which specifies the rights of every EU citizen when they interact with websites and services. That sentence alone includes an incredibly significant nuance: the regulation is applied to all companies that have EU citizens as users or customers. This includes companies, such as Razeware, that are based in the US.

The core tenets of GDPR can be summarized as follows:

These all seem like perfectly reasonable requirements for collecting personal data. But what actually constitutes personal data?

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

— article 2, GDPR

Most significantly, anything that can uniquely identify a user is considered personal information, including things such as an IP address.

Handling GDPR Compliance

We started planning our GDPR compliance project at Razeware in March 2018, which gave us over two months to establish and execute an approach. We’d scheduled a week of engineering time to provide the highest-priority implementations, in an attempt to reduce the overall cost.

The first problem was establishing exactly what GDPR meant in the context of raywenderlich.com. This involved an extensive literature review of official sources and (surprisingly) informative blog posts. From this, we planned to start with a review of the personal data we currently stored and the processing tasks we engaged in.

Data Audit

There were three areas where we needed to audit the customer data Razeware collected:

We reviewed each of these data stores against the following simple criteria:

We formalized this information into a register of processing activities and a privacy impact assessment. But far from being complete and finished documents, these were full of TODO items, notes, and questions. As we worked on the various sticky bits of implementing GDPR, we answered those questions and filled in the blanks as we went along.

It was quite an exploratory process; almost “design-by-discovery” if you will, and involved a good dose of pragmatism at every stage. The key challenge was to balance business decisions and goals, which we clearly have a vested interest in, with the spirit of the legislation.

User Features

GDPR includes a set of required functionality that should be offered to users of your service:

These features are all things we’re very glad to add. They symbolize a level of transparency we’re very proud of at Razeware. It is worth noting that we don’t consider these features complete, and they will continue to evolve as we redefine the data we collect from users and add features to improve the user experience across raywenderlich.com.

Third Parties

One of the most challenging aspects of our compliance journey was our audit of third-party services. GDPR is very clear in that it expects first-parties (i.e., us) to take responsibility for compliance of the third-party data collectors and processors.

Until now, it’s been all too easy to add a third-party JavaScript framework to your website to add a new feature or solve a problem. This is especially common with WordPress-based sites, where installing plugins is as simple as clicking a button.

The first aspect to this audit was to simply list the third-party components we use — which was more challenging than it should have been. As raywenderlich.com has evolved over the years, we’ve added bits and pieces to better serve our users. In fact, we’ve had a long-running project to unpick complexity on our WordPress install for the past two years. But still, it took some time to dig in and figure out exactly what components were underneath all of our sites.

At this point we took advantage of legal advice to help clarify our use of third-parties. This resulted in three distinct categories of usage:

All of our third-party providers are listed in our updated privacy policy, and all are compliant with GDPR.

As part of this process, we actually decided to cut back on some of our third-party providers, to reduce the sharing of our users’ personal data:

User-facing Changes

This GDPR compliance process has resulted in some user-facing changes that you’ll see across the raywenderlich.com sites:

Conclusion

It’s all too easy to criticize the introduction of such a wide-reaching law, especially when your company isn’t even based in the relevant jurisdiction. But the spirit of this legislation is wholly in the right place, and deserves attention. Company compliance results in customer personal data being handled with the respect it deserves.

We had to make a lot of judgment calls as part of our compliance exercise, balancing our understanding of the law with business decisions. We’ll continue to exercise this pragmatic approach as we continue to develop the site, and as we learn over the next few months how other providers are handling their own GDPR compliance.

Written by Sam Davies — CTO Razeware

Writing code, solving problems and entertaining the masses