anand180 / gdpr-rails

An example project on building a GDPR compliant application

README

This is an example of an application that adheres to GDPR regulations (aka EU-wide fundamental changes to how personally identifiable information is stored). A lot of people seem to consider it really hard, whereas in practice it's really not that bad, and hopefully this small project helps you solve some problems.

Points covered:

  • Per-row encryption for personally identifiable information (this also helps with the right to be forgotten: it's now just a matter of removing the encryption_key for a given user)
  • Retention policy
  • Separate types of user consents
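
The per-row encryption point above, as an added sketch that is not code from this repository: each user gets their own AES-256-GCM key, and deleting that key makes every row encrypted under it unreadable. The `KeyStore` and `RowCrypto` names and the `encrypt:<user_id>` key naming are assumptions, and a Hash stands in for the Redis namespace the README mentions.

```ruby
require "openssl"
require "securerandom"

# Hypothetical key store. The README keeps keys in Redis under an "encrypt"
# namespace; a Hash stands in here so the example runs offline.
class KeyStore
  def initialize
    @keys = {}
  end

  def fetch_or_create(user_id)
    @keys["encrypt:#{user_id}"] ||= SecureRandom.random_bytes(32)
  end

  def fetch(user_id)
    @keys["encrypt:#{user_id}"]
  end

  # Right to be forgotten: drop the key, every row of this user becomes unreadable.
  def forget(user_id)
    @keys.delete("encrypt:#{user_id}")
  end
end

module RowCrypto
  # Encrypts one field with the user's own AES-256-GCM key. The user id is
  # bound as associated data, so a ciphertext cannot be replayed for another user.
  def self.encrypt(store, user_id, plaintext)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = store.fetch_or_create(user_id)
    iv = cipher.random_iv
    cipher.auth_data = user_id.to_s
    ciphertext = cipher.update(plaintext) + cipher.final
    [iv, cipher.auth_tag, ciphertext].map { |part| [part].pack("m0") }.join(".")
  end

  # Returns the plaintext, or nil once the user's key has been removed.
  def self.decrypt(store, user_id, blob)
    key = store.fetch(user_id)
    return nil if key.nil?
    iv, tag, ciphertext = blob.split(".").map { |part| part.unpack1("m0") }
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = user_id.to_s
    (cipher.update(ciphertext) + cipher.final).force_encoding(Encoding::UTF_8)
  end
end
```

Deleting the key only forgets the user if no copy of it survives elsewhere, for example in Redis persistence files or backups.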

Points partially covered:

  • Your ToS/consent types changing (all model requirements are in here; it's just a matter of adding a redirect, after the user logs in, to a form to fill in)
  • Log cleansing - slightly modified config/initializers/filter_parameter_logging.rb

Points not covered:

  • Auditing - no admin panel is built in to show this kind of functionality, but you can get really far by adding the audited gem anyway
  • Testing - will probably add some if I see anyone interested in using this app for something

Tested on:

  • Ruby 2.5.0
  • Redis 3.2.1 (everything is namespaced in encrypt namespace so it probably won't hinder your environment)
  • Standard SQLite adapter

Usage:

There is a seeds.rb file, so you can run rails db:seed to create two standard types of user consents; this is enough to complete registration.

If you need a more detailed description, visit https://blog.vraith.com.

License: MIT License

