I think everyone needs a plan.
Hmmm, I’m not sure that we have a plan! Do you have one?
I found this handy checklist, but I’d love to hear from someone who understands the potential risks for our industry.
The EC also has an interactive infographic (which is a bit ‘design heavy’).
Keep in mind that it is the national data protection authority that monitors compliance with the directive, so probably the best place to start (and keep up to date with) is your national DPA.
Also keep in mind that the DPAs themselves are still figuring out how to apply this regulation in practice. If you read through the regulation it uses a lot of broad terms that will need to be applied to real world scenarios. For example, ICO recently had a public consultation about the meaning of ‘consent’ under the regulation.
That said, it seems the main potential risks for online communities are:
- Inadequate consent when obtaining and retaining personal information (see e.g.)
- Ensuring individual rights are protected (see e.g.). Functionality for dealing with each of these is already built into Discourse, but I would briefly make sure you know how to handle each scenario.
- Accountability. This seems to be an important new aspect of the GDPR. Basically, it seems to involve thinking about data protection for longer than 2 seconds and making an organization-specific plan.
There are other area specific risks (e.g. communities targeted at, or including, children).
Personally, as I have a community that has not even launched yet, I’m not that worried about it. The thrust of the enforcement aspects of the new regulation seems to be targeted at the processing of large amounts of sensitive data.
As the EC says in their FAQs:
What are the benefits for SMEs?
The data protection reform is geared towards stimulating economic growth by cutting costs and red tape for European business, also for small and medium enterprises (SMEs).
By having one rule instead of 28, the EU’s data protection reform will help SMEs break into new markets. In a number of cases, the obligations of data controllers and processors are calibrated to the size of the business and/or to the nature of the data being processed. For example:
- SMEs need not appoint a data protection officer unless their core activities require regular and systematic monitoring of the data subjects on a large scale or if they process special categories of personal data such as that revealing racial or ethnic origin or religious beliefs. Moreover, this will not need to be a full-time employee but could be an ad-hoc consultant, and therefore, would be much less costly.
- SMEs need not keep records of processing activities unless the processing they carry out is not occasional or is likely to result in a risk for the rights and freedoms of data subjects.
- SMEs will not be under an obligation to report all data breaches to individuals, unless the breaches represent a high risk for their rights and freedoms.
My overall take is that it is worth spending an afternoon on your org-specific plan and keeping up to date with developments with your national DPA, but not worth sweating it too much.
Disclaimer: I am not an expert in European or UK law and none of this constitutes legal advice. It is purely layman opinion.
In general this will be more of an issue for we platform vendors to deal with (providing tools so that platform owners/admins can provide clear notices, allow members to edit/delete consent and edit/delete/export their personal data at any time, etc.).
One challenge that I haven’t seen resolved yet is the question of whether a member’s history of posts/comments within a community constitutes “personal data.” It’s pretty clear that a member profile (name, ID, other data) falls under that purview. However, it’s an open question as to whether, when a member chooses to “delete” him/herself, the community must also delete the content that member has shared as well, or can simply disassociate the content from the member’s ID (i.e., just make it say “guest” or “anonymous”). In some communities, there will have been obvious sharing of personal data inside topics and replies, and in some not… do we have to have a system to cherry-pick posts that contain personal data for deletion? (Rhetorical question that I don’t think has an official answer yet from the EU.)
Lots of details to chew on here, that’s for sure!
I wonder the same thing. I would happily anonymise a member but I’d be frustrated if I had to remove posts (and therefore the data integrity – and value – of topics).
In my last community, the site was set up so that, when a member deleted their profile, all comments and posts were deleted as well. It could be frustrating but fortunately, sometimes the context of the threads wasn’t affected too badly.
I’m generally of the opinion that members should always retain the right to delete everything they have contributed to any community at any time. It probably needs to be replaced with a [deleted] request to clarify some conversations that no longer work.
Community owner / managers can really dislike wholesale member content removal as the missing content can make for nonsensical threads.
i.e. what does a CM do about reply posts that contain quoted material from the original poster? If that’s deleted then the reply posts will make little or no sense.
I would like to see detailed GDPR advice specifically for community managers emerge (anyone can read the general guidelines, and I found a comment by one big publisher’s chief legal counsel that the GDPR legislation was put together by people who weren’t necessarily ‘web experienced’ or had a solid understanding of how it might affect web publishers).
I am also concerned (and think CMs should think ahead about) future scenarios where disgruntled / banned community members feel able to harass CMs with repeated demands for GDPR reports on all their content and all tracking history (making a CM’s life a misery and burying them in repeated compliance ‘red tape’ tasks). It wouldn’t be hard for curmudgeonly members to soapbox about how every member “has the right”… and should “demand” their info…
This leads me to want to develop functionality to generate the data they demand at the press of a button.
Further - If you do have a community member demanding data - how do you determine securely the ID of the person demanding it? Is the email address enough? Should they send in a scan of their passport or driving licence?
Further - if you do send the requested data / tracking history to the community member - in what format do you send it? AND (!) HOW do you send it? Should it be via a secure password protected retrieval method? (suitably compliant with user data transmission?) because in the context of all this just sending data as an email attachment itself might be regarded as reckless and bad practice.
I am going to have a GDPR day / afternoon with my team soon. I feel we need to do it face to face, to take notes, build an action plan and system.
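As an added illustration (not code from the original thread or from any platform vendor mentioned in it), here is one way to implement the two mechanics discussed above: disassociating a member’s posts from their identity instead of deleting them, and generating the data a member asks for “at the press of a button”, with a digest that can be passed on a separate channel so the recipient can check the bundle was not altered in transit. The data model, field names and sample records are constructed assumptions, not any real community’s schema.

```python
import hashlib
import json
from copy import deepcopy

# Constructed sample data: one member profile, their posts, another member's
# reply quoting them, and a couple of access-log rows a member might ask for.
SAMPLE_DB = {
    "users": {
        42: {"name": "jane_d", "email": "jane@example.org", "signature": "-- Jane, Bristol"},
        7: {"name": "moderator_bob", "email": "bob@example.org", "signature": ""},
    },
    "posts": [
        {"id": 1, "author_id": 42, "body": "How do we handle consent?\n-- Jane, Bristol"},
        {"id": 2, "author_id": 7, "body": "Quoting jane_d: How do we handle consent?\nGood question."},
        {"id": 3, "author_id": 42, "body": "Thanks! That helps.\n-- Jane, Bristol"},
    ],
    "access_log": [
        {"user_id": 42, "ip": "203.0.113.5", "when": "2018-03-01T10:00:00Z"},
        {"user_id": 7, "ip": "198.51.100.9", "when": "2018-03-01T11:00:00Z"},
    ],
}

ANON_NAME = "[deleted]"


def fresh_db():
    """Return a private copy of the constructed sample data to work on."""
    return deepcopy(SAMPLE_DB)


def anonymize_member(db, user_id):
    """Disassociate a member from their content instead of deleting it.

    The profile is blanked, the posts stay in their threads but are
    re-attributed to a shared placeholder author, the member's signature is
    stripped from each post body, and the member's access-log rows are dropped.
    Other members' posts that *quote* this member (post 2 above) are left
    alone; that is exactly the open question raised in the thread.
    Returns the number of posts re-attributed.
    """
    signature = db["users"][user_id]["signature"]
    count = 0
    for post in db["posts"]:
        if post["author_id"] != user_id:
            continue
        post["author_id"] = None          # no longer linked to any real account
        post["author_name"] = ANON_NAME
        if signature:
            post["body"] = post["body"].replace(signature, "").rstrip()
        count += 1
    # Keep the row so post counts stay consistent, but empty the personal fields.
    db["users"][user_id] = {"name": ANON_NAME, "email": None, "signature": ""}
    # Access-log rows are personal data too; remove rather than leave them orphaned.
    db["access_log"] = [row for row in db["access_log"] if row["user_id"] != user_id]
    return count


def export_member_data(db, user_id):
    """Build a subject-access bundle: profile, own posts and own access-log rows.

    Returns (json_bytes, sha256_hex). The digest is intended to be given to the
    member on a channel separate from the bundle itself, whatever delivery
    method is chosen, so they can confirm the file they received is intact.
    """
    bundle = {
        "profile": db["users"][user_id],
        "posts": [p for p in db["posts"] if p["author_id"] == user_id],
        "access_log": [r for r in db["access_log"] if r["user_id"] == user_id],
    }
    data = json.dumps(bundle, indent=2, sort_keys=True).encode("utf-8")
    return data, hashlib.sha256(data).hexdigest()


def verify_bundle(data, expected_digest):
    """Recompute the digest of a received bundle and compare it to the one sent separately."""
    return hashlib.sha256(data).hexdigest() == expected_digest


if __name__ == "__main__":
    db = fresh_db()
    payload, digest = export_member_data(db, 42)
    print(payload.decode(), digest)
    print("re-attributed posts:", anonymize_member(db, 42))
```

The export is generated before the anonymisation so the member receives what was held about them; after `anonymize_member` runs, the same export would contain only the placeholder profile and no posts, which is a useful check that nothing linkable was left behind.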
Thanks @HAWK! I am building a community that will support customers globally and I have yet to look into some of these regulations. Do you (or anyone else) have a good starting point for a new CM like me? How do most communities keep up on these laws and trends?
That is a very interesting question. I concede to being a bad example here, I don’t spend a lot of time worrying about it. I tend to keep up to date either through my colleagues (who read a lot more than I do) or through topics like this. Once something is mentioned, I research.
I’d be very interested to hear how others stay up to date.
Me too! My company has a legal department that takes care of a lot of our legal questions and guides us on policy. This is new territory for our company.
Maybe @Gear_Buzz has some additional insight.
I don’t know how I’m the “lucky” one, but I’m the designated privacy expert in-house, and I have all sorts of Google alerts and “Mention” alerts set up for “COPPA,” “privacy shield,” “GDPR,” “safe harbor,” “APEC CPBR” etc., so I can stay up to date. I also follow the US FTC website directly. This EU GDPR portal site is pretty good, but I don’t see a way to “subscribe” to updates on the guidelines: http://www.eugdpr.org/
So what about “delete all my content” requests?
If they have agreed that all content is irrevocably licensed to the community?
Community content isn’t personal data, is it?
If we de-attribute it (remove their name and all personal data like signatures)
We should be OK to keep the content right?
Also - what about volunteer moderators being able to look at registration data (email addresses etc)
That won’t be very cool with GDPR right?
No, it is not, unless they’ve revealed private information (such as address, etc.) in their post, and you can deal with individual posts that way
I imagine that will be viewed harshly, but you can probably get around that by having a well-worded agreement with them in the first place. BIG KUDOS to someone who could write such a template document to share (hint: @richard_millington)
Probably true. If you take the position of getting specific opt-ins, not sharing or selling data, and having sensible rules in place for security, then you should cope
… but I am also looking into this and if something does arise I’ll try to remember to share here.
Double post. …
I chortled really hard!!! Do you think I could get Sammy to coach me in math?
We could probably ask our lawyers Lewis Silkin to put something together. But we’ve asked a lot from them recently so they would probably charge for something like this.
A while back I thought about starting kickstarter campaigns for topics like these, but I suspect there wouldn’t be enough interest to make it work.
There are companies that offer legal templates for sites, including communities (sort of). Something like this could be more up their street? (I was only being cheeky.)