GDPR - new user data law, May 2018. What is your plan?


(Gear Buzz) #21

(Sarah Hawk) #22

I would hope so, but I suspect not. It relates to what Rich says here, which I’m not sure I actually agree with. I’ve always been of the opinion that people should post in forums under the premise that it will be there forever.

In some situations I think it’s completely appropriate to anonymise content, but I’d rarely (if ever) want to remove it.

(Gear Buzz) #23

So I wonder if terms of use permissions granted to use content will be made useless by GDPR?

(tophee) #24

I am no expert in this, but in Sweden the law says that you have the right to get a copy of your data (i.e. data stored about you) from any organisation that stores data about you for free, but this right is limited to one request per year. I’d assume that similar regulations exist in other countries, which would limit the potential for “red tape attacks” by disgruntled members.

Here is the information of the Swedish data protection agency on this:

In addition, at least Discourse provides users with the possibility to download all their data at any time themselves…

(Gear Buzz) #25

One per year - I like that

(Luis Villa) #26

I can say from some experience that the UK’s ICO already sees a variety of abusive techniques, and is fairly reasonable about dealing with it as long as it looks like you’re operating in good faith. I expect that as this becomes more pervasive, a good way to demonstrate good faith will be using tooling that is supportive of export and deletion - suspect they’ll get more and more impatient with people who can’t do that “because our software doesn’t support it”.

(Michael Norton) #27

Hi all

I just wanted to say thank you for all the info shared on GDPR, it’s given me a better understanding and based on the links and comments we have used it as a basis to start developing our plan.

As a follow up, are there any platforms out that are looking to make a GDPR compliant platform?

As a platform admin, we can only do so much. We will have plans around the data handling etc. But if the platform does not make it easy to be forgotten or if you are unable to extract all the content that you have created etc it’s potentially going to cause a headache.

I’m at a conference next week with our platform provider and want to raise the question if they will be working toward making the platform GDPR compliant.

Do you know if any platform providers are thinking along those lines?


(rhogroupee) #28

We plan to make our platform GDPR compliant before the deadline hits. Things will get interesting once all of the individual countries within the EU make their own determinations regarding enforcement!

(Sarah Hawk) #29

Yeah, we’re working pretty hard to get things in place before May. We plan to colocate servers in the EU and offer hosting on AWS. The privacy and deletion stuff is already covered.

(Robert McIntosh) #30

I was going to post this elsewhere, but I think this debate deserves to be revived with a little more attention as we approach the deadline. I’m not convinced I’ve seen enough definitive information on the impact of GDPR on communities.

Discourse have addressed the Data transfer to the US issue with the server move, but there are still fairly fundamental issues here on privacy, deletion and opt-in which I still think most, or all, platforms (not picking on Discourse) have yet to deal with.

One specific issue to consider:

  • When the user signs up for an account, can they SPECIFICALLY opt-in to any communications they will receive, including digests, notifications and marketing messages?

It may be enough for individual communities to default all of these settings to “no email”, but what processes are in place to encourage them clearly and easily to change this for the good of community engagement?

I’m not convinced that you should default the Activity Summary to anything other than “never” unless the member chooses to have it. In that case, other than some complex call to action in a post, to visit their preferences, find the email settings and turn it ON, how would you get them to do this? CMs probably need an automated onboarding journey that explains the options and allows them to make the relevant settings. AFAIK this does not exist in Discourse (we are building something for a Higher Logic site).

Does the same apply also for notifications? Do they escape the opt-in requirement?

(Sarah Hawk) #31

Kind of… you do have the ability to customise the signup/welcome emails so you could include this kind of content.

If you want something more complicated you can address it in Discourse based communities by pushing new members into a MailChimp or CM group and sending onboarding messages from there.

(Bart van Bragt) #32

A bump for this topic now the deadline is getting close…

Regarding the ‘are posts personal data’ question; the GDPR is fairly close to the privacy rules which we already have in place in The Netherlands. Posts by users on a community site are considered personal data if they can be easily associated with a specific person. When personally identifiable information is deleted (username, names, addresses, profession, etc.) the posting data becomes just data.

In our community people can ask to anonymize their account. We change the username into a ‘Guest’ account, deactivate the account and delete or edit posts that contain privacy-sensitive information. The user provides us with a list of posts or names; we have tools to automatically remove those names.

I really do like the core concepts behind the GDPR but it’s maddening how many times our DPA says “we don’t know yet” in answer to GDPR related questions.

Curious if there are online community/UGC related resources about the GDPR yet? Would be nice to check if we have missed or misinterpreted something.
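The anonymisation procedure described in the post above (rename the account to a ‘Guest’ placeholder, deactivate it, and strip a user-supplied list of names from post bodies), as an added example. This is not Bart’s tool or Discourse’s code; the `Account`/`Post` structures, the `[removed]` placeholder and the sample posts are constructed for illustration. The one detail worth copying is the whole-word, longest-name-first matching: it keeps “Alice” from being redacted out of an unrelated word such as “Alicent”, and makes sure a full name or e-mail address is replaced before its shorter components.

```python
import re
from dataclasses import dataclass, field

GUEST_NAME = "Guest"          # placeholder username, as in the post above
PLACEHOLDER = "[removed]"     # assumed redaction marker (constructed)


@dataclass
class Post:
    post_id: int
    author: str
    body: str


@dataclass
class Account:
    username: str
    email: str
    active: bool = True
    notes: list = field(default_factory=list)


def build_name_pattern(names):
    """Compile one case-insensitive, whole-word pattern for all names.

    Longest names first, so 'Alice Wong' and 'alice.wong@example.com' win
    over the bare 'Alice' that is contained in them. Lookarounds instead of
    \\b so names containing punctuation (e-mail addresses) still match.
    """
    cleaned = {n.strip().lower() for n in names if n and n.strip()}
    if not cleaned:
        return None
    ordered = sorted(cleaned, key=len, reverse=True)
    alternation = "|".join(re.escape(n) for n in ordered)
    return re.compile(r"(?<!\w)(?:" + alternation + r")(?!\w)", re.IGNORECASE)


def redact(text, pattern, placeholder=PLACEHOLDER):
    """Return (new_text, number_of_replacements)."""
    if pattern is None:
        return text, 0
    return pattern.subn(placeholder, text)


def anonymise_account(account, posts, names):
    """Apply the procedure from the post: rename, deactivate, scrub bodies.

    Posts by the account are re-attributed to the guest placeholder; every
    post (including other members' replies) has the listed names removed.
    """
    old_username = account.username
    pattern = build_name_pattern(list(names) + [old_username, account.email])

    account.username = GUEST_NAME
    account.email = ""
    account.active = False

    reattributed = edited = replacements = 0
    for post in posts:
        if post.author == old_username:
            post.author = GUEST_NAME
            reattributed += 1
        new_body, n = redact(post.body, pattern)
        if n:
            post.body = new_body
            edited += 1
            replacements += n
    return {"posts_reattributed": reattributed,
            "posts_edited": edited,
            "replacements": replacements}


def make_sample():
    """Constructed sample data; names and addresses are fictional."""
    account = Account("alice_w", "alice.wong@example.com")
    posts = [
        Post(1, "alice_w", "Hi all, Alice Wong here; my work mail is alice.wong@example.com."),
        Post(2, "bob", "Thanks Alice, that was the fix I needed."),
        Post(3, "carol", "Has anyone tried the Alicent plugin?"),   # must stay intact
        Post(4, "alice_w", "Posting the patch as promised."),       # no PII in body
    ]
    return account, posts


if __name__ == "__main__":
    acct, sample = make_sample()
    print(anonymise_account(acct, sample, ["Alice Wong", "Alice"]))
    for p in sample:
        print(p.post_id, p.author, p.body)
```

Note that the user-supplied list is the only source of names; the script does not try to guess what else in a post is personal data, which matches the post's point that the member tells you which posts or names to scrub.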

(Richard Millington) #33

thanks for sharing this @bartvb

I haven’t yet dived deep enough into the complexities of this.

Is there a summary for communities that you’ve seen? Would also be useful to see if discourse has posted something here too (@hawk)

(Sarah Hawk) #34

There is a pretty in-depth discussion on Meta. Check the GDPR tag.

Bottom line with Discourse is that any CM can customize the rego process to include explicit opt-in (if you use SSO with a third-party auth provider you’ll need to do your DD) and the right to be forgotten stuff will be covered when we make a couple of changes to how we handle IP addresses (currently underway).

If anyone has other concerns specific to Discourse I would encourage them to join the Meta discussion so that we can work through them with our lawyer. Or DM me here or on Meta if you’d prefer.

(Luis Villa) #35

Probably not quite what you had in mind, but possibly useful: