Re: Is this forum prepared for the GDPR?

ghaberek said...
  1. We currently collect and store personal information from any number of EU residents (at least name, email, and IP address). So at the very least that makes us GDPR-adjacent. I think it would be wise to ensure we're GDPR compliant even if it's not required. Better safe than sorry, right?

Agreed.

ghaberek said...
  1. Anyone reading between the lines in some of my recent comments on other discussions will see that I've already been thinking about how to bake GDPR compliance into a new website.

Excellent news, the best I've had all day.

ghaberek said...
  1. But even if I had started all that a year ago, I still wouldn't have anything ready for the deadline next month.

If only I'd heard about the GDPR earlier. Apparently it passed in 2012 and was effective from 2016 - but with a two-year grace period, making the real start date in 2018.

ghaberek said...

Kinda ticked off about the whole thing.

  1. This is absurdly draconian and bureaucratic. These laws were clearly written by people who do not understand how the Internet works. Personal privacy is an extremely important ideal to me, so I want to do everything to support that, but this is ridiculous.

Not sure I agree. The rules have to be as tough as they are BECAUSE of the nature of the internet - it is distributed, world-wide, with no single centralized authority controlling it.

Without extraterritoriality it'd be too easy for Facebook etc. to just set up a website in Bermuda or something and require all European users to use that website, bypassing EU jurisdiction.

ghaberek said...
  1. We could anonymize any account requested to be deleted, such that you'd see posts from DELETED USER or some such.

That's pretty straightforward today, it's a simple SQL query.

ghaberek said...

All that being said, here's what I propose that we do to proceed. The first two steps should make us effectively compliant, even if we don't have to be.

  1. Set up a "GDPR Compliance" page listing how, why, and what information is collected for use on this site. List out the basic steps to request information and request to be deleted.

  2. Set up a written policy on how to handle a personal information request or request to be deleted.

Can we start a wiki page for this? The policy part.

ghaberek said...
  1. This is probably as simple as a few SQL queries. Dump info; send to user; done.

Yup. Agreed. Once the policy is written up, I can come up with a set of SQL queries and statements to handle dumping the info to user/purging info from our databases.

ghaberek said...
  1. Rebuild the entire website with GDPR in mind. Implement pseudonymization and automate personal data requests and account deleting.

I'm 100% behind this.

ghaberek said...
  1. Better logging of website activity to help detect breaches, which must be reported under GDPR.

Reporting to whom?
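As an added example, not code from this forum or from ghaberek: the two database-side steps discussed above (dump a user's stored information for an access request, and anonymize a deleted account so its posts survive as "DELETED USER") written as SQL run through Python's sqlite3. The two-table schema, the `deleted-<id>@invalid` placeholder address and the sample rows are constructed assumptions standing in for the forum's real tables.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed schema: a minimal stand-in for the forum's users and posts tables.
SCHEMA = """
CREATE TABLE users (
    id            INTEGER PRIMARY KEY,
    username      TEXT NOT NULL,
    email         TEXT NOT NULL UNIQUE,
    last_ip       TEXT,
    anonymized_at TEXT
);
CREATE TABLE posts (
    id         INTEGER PRIMARY KEY,
    user_id    INTEGER NOT NULL REFERENCES users(id),
    body       TEXT NOT NULL,
    created_at TEXT NOT NULL
);
"""

# Constructed sample rows; IP addresses come from the RFC 5737 documentation ranges.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com", "203.0.113.5"),
    (2, "bob", "bob@example.com", "198.51.100.7"),
]
SAMPLE_POSTS = [
    (1, 1, "Welcome to the forum", "2018-04-01T10:00:00Z"),
    (2, 2, "Is this forum prepared for the GDPR?", "2018-04-02T09:30:00Z"),
    (3, 2, "Follow-up question", "2018-04-03T11:15:00Z"),
]


def open_db():
    """Create an in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO users (id, username, email, last_ip) VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.executemany(
        "INSERT INTO posts (id, user_id, body, created_at) VALUES (?, ?, ?, ?)", SAMPLE_POSTS)
    conn.commit()
    return conn


def export_user_data(conn, user_id):
    """Access request: return everything the database holds about one user, or None."""
    row = conn.execute(
        "SELECT id, username, email, last_ip, anonymized_at FROM users WHERE id = ?",
        (user_id,)).fetchone()
    if row is None:
        return None
    posts = conn.execute(
        "SELECT id, body, created_at FROM posts WHERE user_id = ? ORDER BY id",
        (user_id,)).fetchall()
    return {
        "user": dict(zip(("id", "username", "email", "last_ip", "anonymized_at"), row)),
        "posts": [dict(zip(("id", "body", "created_at"), p)) for p in posts],
    }


def anonymize_user(conn, user_id):
    """Deletion request: overwrite the identifying columns in one transaction.

    Posts are kept and will display under the placeholder name. The UPDATE only
    matches rows not yet anonymized, so a repeated request changes nothing and
    the function reports whether anything was actually changed.
    """
    stamp = datetime.now(timezone.utc).isoformat()
    with conn:  # commits on success, rolls back if the UPDATE raises
        cur = conn.execute(
            "UPDATE users SET username = ?, email = ?, last_ip = NULL, anonymized_at = ? "
            "WHERE id = ? AND anonymized_at IS NULL",
            ("DELETED USER", f"deleted-{user_id}@invalid", stamp, user_id))
    return cur.rowcount == 1


if __name__ == "__main__":
    db = open_db()
    print(export_user_data(db, 2))
    print("anonymized:", anonymize_user(db, 2))
    print(export_user_data(db, 2))
```

Two points the queries alone do not cover: post bodies can themselves contain personal data (signatures, quoted email addresses), which no column-level UPDATE will find, and any copies of the same rows in backups or log files need their own retention rule for the deletion to be complete.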
