The GDPR right to be forgotten - applies from May 25th 2018

Today(22nd May 2018) I received this notice from an internet service that I signed up for about four years ago and never used:

"The European Union passed some wonderful rules to protect privacy: GDPR. It requires that all services limit the length of time they keep inactive accounts on their servers. While this law is only meant to protect European residents, we’ve decided that privacy is something everyone should have."

etc.

(GDPR = General Data Protection Regulation. It is well explained on Wikipedia.)

The company wants me to renew my account, but will delete all my old data if I don't ask for the renewal. (I'm not renewing).

1. We had a discussion recently here in JR (sorry, I have not found the thread yet) about how to automatically identify inactive members and then eventually delete them. Now it seems this is something we should do by law, if we are operating within Europe, or want to be compliant with European law for our European members.

So we do need an automatic time-limited membership system, and the time point for reference should be when someone last logged in. If they have not been active for a long time since that point (e.g. 2-3 years?) then they need to be shunted to a quota where the data can be reviewed, and the accounts deleted. We also have to make sure that old personal information is deleted from system backups.

2. With Kickbox, we can already identify and move accounts with invalid email addresses to a private quota, where the profiles are not visible online to site visitors and users.

We cannot delete the holding quota until all accounts in the quota are deleted, and we can only delete those accounts one by one, which is tedious for hundreds of old accounts. Seems like I will have to do this though.

3. For situations (1) and (2), it would be useful to be able to select all accounts that had their last login at a certain date or further back in time, and then delete them all, and have that happen in the backup system the next time a new backup copy is made.

Anything else I should be forgetting?


--
PJ Matthews, Kyoto
Migrated from Ning 2.0. Now at Jamroom 6 beta and using Jamroom Hosting for The Research Cooperative (researchcooperative.org)
updated by @researchcooperative: 08/27/18 08:07:58AM

Gary's got a thread with some info and ideas here:
https://www.jamroom.net/the-jamroom-network/forum/new_posts/58361/user-privacy-controls-more-important-now-than-ever

Just wanted to add here that Jamroom is (as far as I can tell reading the GDPR requirements) already mostly GDPR compliant. The only thing a site might want to change is their Privacy Policy and Terms of Service to use more appropriate "GDPR language".

The only thing we are working on right now is an update to the User module that allows the site to change the "notifications" tab - this allows you to pick whatever format may be easier for your users, since a lot of the GDPR is about making it easy for a user to see HOW they will be contacted and how their data is used.

Note that the data retention period for the GDPR is (as far as I know) still a gray area - I do not believe you have to automatically delete a user's account if they have not logged in in X days, but instead you just must make it easy for the user to delete their account and in turn have it delete ALL their data (which JR already does).

Let me know if that helps or you know of a GDPR requirement that needs support on our end.

Thanks!


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net

GDPR requires consent to receive an email to be opt in.

JR currently offers an opt out for all notifications, rather than an 'opt in' , and the default for specific notifications appears to be "send email".

Send Email = Send Private Note = no difference?

Private notes are forwarded using the registered email address (unless there is a setting for storing and seeing them online only, the way that online bank services do).

Why not just reduce both of these to "send email"?


--
PJ Matthews, Kyoto
Migrated from Ning 2.0. Now at Jamroom 6 beta and using Jamroom Hosting for The Research Cooperative (researchcooperative.org)

Because you can set notifications to be Private Note, then disable Private Note notifications - that way you receive no email but all notifications will be in your private notes.

It sounds like we need a control in the User module to set all notification options (by default) to "off".


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net

Then most member applicants on my site won't even have a clue when/if their membership application has been activated/approved. ?


--
...just another satisfied Jamroom customer.
Migrated from Ning to Jamroom June 2015

So does anyone have a privacy policy and TOS that uses more appropriate 'GDPR language" or know of any good samples as Brian suggests below? I'd love to steal something from someone instead of reinventing the wheel.

I'm looking around the web and found this page of sample privacy policies: https://ico.org.uk/media/for-organisations/documents/1625136/good-and-bad-examples-of-privacy-notices.pdf

I also found this checklist for writing privacy policies: https://ico.org.uk/media/for-organisations/documents/1625126/privacy-notice-checklist.pdf

Deb
updated by @abcd-in-action: 05/25/18 12:04:57PM

ico.org.uk is an excellent source, but it's a shame their GDPR myth-busting page has gone missing!


--
¯\_(ツ)_/¯ Education, learning resources, TEL, AR/VR/MR, CC licensed content, panoramas, interactive narrative, sectional modules (like jrDocs), lunch at Uni of Bristol. Get in touch if you share my current interests or can suggest better :)

Here is a good summary based on the ICO information:

https://litmus.com/blog/5-things-you-must-know-about-email-consent-under-gdpr


--
PJ Matthews, Kyoto
Migrated from Ning 2.0. Now at Jamroom 6 beta and using Jamroom Hosting for The Research Cooperative (researchcooperative.org)

I think/hope we can assume that sending out an email with activation/login link, during the signup process, is acceptable practice!

Perhaps the account activation email can have a message that highlights the need for new members to opt in to receive further communications from the network without logging in.

And "Receive notifications to my online account only" needs to be an easily found option in the notifications page..


--
PJ Matthews, Kyoto
Migrated from Ning 2.0. Now at Jamroom 6 beta and using Jamroom Hosting for The Research Cooperative (researchcooperative.org)
updated by @researchcooperative: 05/25/18 04:49:56PM

I wonder if part of the notifications settings, a nuclear self-destruct option could be offered:

Delete my account and all content if I have not logged in for more than 1 or 2 or 4 years (requires Admin. review if you have posted images or text). Admin review gives Admin a chance to keep valuable content with your permission. Default = 4 years (or other period according to Admin. wish).

Something like this might (1) help make us GDPR compliant, (2) reduce cholesterol accumulation in the arteries of our network, and (3) make Kickbox validation of account email addresses redundant, since someone who changes their email address might be an active member who has not yet updated their account email address.


--
PJ Matthews, Kyoto
Migrated from Ning 2.0. Now at Jamroom 6 beta and using Jamroom Hosting for The Research Cooperative (researchcooperative.org)

When the user puts their email address into the login form they are opting-in. From there they have fine grained control to opt-out of specific types of communication. That is a lot of control.

I think JR has had a basically good system pre GDPR, but the new requirements are:

"For consent to be valid under GDPR, a customer must actively confirm their consent"

and

"Under GDPR, email consent needs to be separate. Never bundle consent with your terms and conditions, privacy notices, or any of your services, unless email consent is necessary to complete that service."

My interpretation of the above is that setting up an account with an email address gives Admin permission to complete the account registration as a service (see Strumelia's question above) but is not a separate, explicit consent for further ongoing communication.


--
PJ Matthews, Kyoto
Migrated from Ning 2.0. Now at Jamroom 6 beta and using Jamroom Hosting for The Research Cooperative (researchcooperative.org)

* User gives email address
* email is sent.
* account is not active until user clicks the link to create the acccout

email is necessary.

Maybe put a line of text in that email if you wanted to be extra sure "By clicking this link you agree to receive emails from us. Various types of emails are sent, you can control which you wish to receive from your NOTIFICATIONS tab on your account or opt of all emails from there too."

Feels to me like this is a way to approve internet censorship by the EU.

This looks excellent to me... it creates an opt in at the first step, separate from other issues, and actively encourages new users to take control of their own account.

On the matter of when accounts should be deleted, after last login, I received feedback from several members on this question, and the average waiting time they suggest is 2-3 years. If the process can be automated to some extent, it can be explained in the Terms of Service. Probably best not to give yet more options for users already overloaded with options (contrary to my own suggestion above).


--
PJ Matthews, Kyoto
Migrated from Ning 2.0. Now at Jamroom 6 beta and using Jamroom Hosting for The Research Cooperative (researchcooperative.org)

For detailed information about GDPR here is a vital url... http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679
I haven't got around to updating my JR sites to be GDPR friendly yet. I've been very busy these last few weeks helping clients with GDPR updates. If anyone is interested in seeing one of my GDPR privacy pages for a client's App, check out, https://studio.fullblownapps.com/application/privacypolicy?id=577d629f57578 I'm sure this can easily be adapted for my JR sites too.

These are good too:

https://medium.freecodecamp.org/gdpr-terminology-in-plain-english-6087535e6adf

https://techblog.bozho.net/gdpr-practical-guide-developers/


--
¯\_(ツ)_/¯ Education, learning resources, TEL, AR/VR/MR, CC licensed content, panoramas, interactive narrative, sectional modules (like jrDocs), lunch at Uni of Bristol. Get in touch if you share my current interests or can suggest better :)