The GDPR right to be forgotten - applies from May 25th 2018

researchcooperative
@researchcooperative
6 years ago
694 posts
Today(22nd May 2018) I received this notice from an internet service that I signed up for about four years ago and never used:

"The European Union passed some wonderful rules to protect privacy: GDPR. It requires that all services limit the length of time they keep inactive accounts on their servers. While this law is only meant to protect European residents, we’ve decided that privacy is something everyone should have."

etc.

(GDPR = General Data Protection Regulation. It is well explained on Wikipedia.)

The company wants me to renew my account, but will delete all my old data if I don't ask for the renewal. (I'm not renewing).

1. We had a discussion recently here in JR (sorry, I have not found the thread yet) about how to automatically identify inactive members and then eventually delete them. Now it seems this is something we should do by law, if we are operating within Europe, or want to be compliant with European law for our European members.

So we do need an automatic time-limited membership system, and the time point for reference should be when someone last logged in. If they have not been active for a long time since that point (e.g. 2-3 years?) then they need to be shunted to a quota where the data can be reviewed, and the accounts deleted. We also have to make sure that old personal information is deleted from system backups.

2. With Kickbox, we can already identify and move accounts with invalid email addresses to a private quota, where the profiles are not visible online to site visitors and users.

We cannot delete the holding quota until all accounts in the quota are deleted, and we can only delete those accounts one by one, which is tedious for hundreds of old accounts. Seems like I will have to do this though.

3. For situations (1) and (2), it would be useful to be able to select all accounts that had their last login at a certain date or further back in time, and then delete them all, and have that happen in the backup system the next time a new backup copy is made.

Anything else I should be forgetting?


--
PJ Matthews, Kyoto
Migrated from Ning 2.0. Now at Jamroom 6 beta and using Jamroom Hosting for The Research Cooperative (researchcooperative.org)

updated by @researchcooperative: 08/27/18 08:07:58AM
brian
@brian
6 years ago
10,148 posts
Just wanted to add here that Jamroom is (as far as I can tell reading the GDPR requirements) already mostly GDPR compliant. The only thing a site might want to change is their Privacy Policy and Terms of Service to use more appropriate "GDPR language".

The only thing we are working on right now is an update to the User module that allows the site to change the "notifications" tab - this allows you to pick whatever format may be easier for your users, since a lot of the GDPR is about making it easy for a user to see HOW they will be contacted and how their data is used.

Note that the data retention period for the GDPR is (as far as I know) still a gray area - I do not believe you have to automatically delete a user's account if they have not logged in in X days, but instead you just must make it easy for the user to delete their account and in turn have it delete ALL their data (which JR already does).

Let me know if that helps or you know of a GDPR requirement that needs support on our end.

Thanks!


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net
researchcooperative
@researchcooperative
6 years ago
694 posts
GDPR requires consent to receive an email to be opt in.

JR currently offers an opt out for all notifications, rather than an 'opt in' , and the default for specific notifications appears to be "send email".

Send Email = Send Private Note = no difference?

Private notes are forwarded using the registered email address (unless there is a setting for storing and seeing them online only, the way that online bank services do).

Why not just reduce both of these to "send email"?


--
PJ Matthews, Kyoto
Migrated from Ning 2.0. Now at Jamroom 6 beta and using Jamroom Hosting for The Research Cooperative (researchcooperative.org)
brian
@brian
6 years ago
10,148 posts
researchcooperative:
Why not just reduce both of these to "send email"?

Because you can set notifications to be Private Note, then disable Private Note notifications - that way you receive no email but all notifications will be in your private notes.

It sounds like we need a control in the User module to set all notification options (by default) to "off".


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net
Strumelia
Strumelia
@strumelia
6 years ago
3,603 posts
brian:
It sounds like we need a control in the User module to set all notification options (by default) to "off".

Then most member applicants on my site won't even have a clue when/if their membership application has been activated/approved. ?


--
...just another satisfied Jamroom customer.
Migrated from Ning to Jamroom June 2015
alt=
ABCD in Action
@abcd-in-action
6 years ago
61 posts
So does anyone have a privacy policy and TOS that uses more appropriate 'GDPR language" or know of any good samples as Brian suggests below? I'd love to steal something from someone instead of reinventing the wheel.

brian:
Just wanted to add here that Jamroom is (as far as I can tell reading the GDPR requirements) already mostly GDPR compliant. The only thing a site might want to change is their Privacy Policy and Terms of Service to use more appropriate "GDPR language".

The only thing we are working on right now is an update to the User module that allows the site to change the "notifications" tab - this allows you to pick whatever format may be easier for your users, since a lot of the GDPR is about making it easy for a user to see HOW they will be contacted and how their data is used.

Note that the data retention period for the GDPR is (as far as I know) still a gray area - I do not believe you have to automatically delete a user's account if they have not logged in in X days, but instead you just must make it easy for the user to delete their account and in turn have it delete ALL their data (which JR already does).

Let me know if that helps or you know of a GDPR requirement that needs support on our end.

Thanks!
alt=
ABCD in Action
@abcd-in-action
6 years ago
61 posts
I'm looking around the web and found this page of sample privacy policies: https://ico.org.uk/media/for-organisations/documents/1625136/good-and-bad-examples-of-privacy-notices.pdf

I also found this checklist for writing privacy policies: https://ico.org.uk/media/for-organisations/documents/1625126/privacy-notice-checklist.pdf

Deb
updated by @abcd-in-action: 05/25/18 12:04:57PM
SteveX
SteveX
@ultrajam
6 years ago
2,584 posts
ABCD in Action:
I'm looking around the web and found this page of sample privacy policies: https://ico.org.uk/media/for-organisations/documents/1625136/good-and-bad-examples-of-privacy-notices.pdf

I also found this checklist for writing privacy policies: https://ico.org.uk/media/for-organisations/documents/1625126/privacy-notice-checklist.pdf

Deb

ico.org.uk is an excellent source, but it's a shame their GDPR myth-busting page has gone missing!


--
¯\_(ツ)_/¯ Education, learning resources, TEL, AR/VR/MR, CC licensed content, panoramas, interactive narrative, sectional modules (like jrDocs), lunch at Uni of Bristol. Get in touch if you share my current interests or can suggest better :)
researchcooperative
@researchcooperative
6 years ago
694 posts
Here is a good summary based on the ICO information:

https://litmus.com/blog/5-things-you-must-know-about-email-consent-under-gdpr


--
PJ Matthews, Kyoto
Migrated from Ning 2.0. Now at Jamroom 6 beta and using Jamroom Hosting for The Research Cooperative (researchcooperative.org)
researchcooperative
@researchcooperative
6 years ago
694 posts
Strumelia:
brian:
It sounds like we need a control in the User module to set all notification options (by default) to "off".

Then most member applicants on my site won't even have a clue when/if their membership application has been activated/approved. ?

I think/hope we can assume that sending out an email with activation/login link, during the signup process, is acceptable practice!

Perhaps the account activation email can have a message that highlights the need for new members to opt in to receive further communications from the network without logging in.

And "Receive notifications to my online account only" needs to be an easily found option in the notifications page..


--
PJ Matthews, Kyoto
Migrated from Ning 2.0. Now at Jamroom 6 beta and using Jamroom Hosting for The Research Cooperative (researchcooperative.org)

updated by @researchcooperative: 05/25/18 04:49:56PM
researchcooperative
@researchcooperative
6 years ago
694 posts
I wonder if part of the notifications settings, a nuclear self-destruct option could be offered:

Delete my account and all content if I have not logged in for more than 1 or 2 or 4 years (requires Admin. review if you have posted images or text). Admin review gives Admin a chance to keep valuable content with your permission. Default = 4 years (or other period according to Admin. wish).

Something like this might (1) help make us GDPR compliant, (2) reduce cholesterol accumulation in the arteries of our network, and (3) make Kickbox validation of account email addresses redundant, since someone who changes their email address might be an active member who has not yet updated their account email address.


--
PJ Matthews, Kyoto
Migrated from Ning 2.0. Now at Jamroom 6 beta and using Jamroom Hosting for The Research Cooperative (researchcooperative.org)
michael
@michael
6 years ago
7,746 posts
When the user puts their email address into the login form they are opting-in. From there they have fine grained control to opt-out of specific types of communication. That is a lot of control.
researchcooperative
@researchcooperative
6 years ago
694 posts
I think JR has had a basically good system pre GDPR, but the new requirements are:

"For consent to be valid under GDPR, a customer must actively confirm their consent"

and

"Under GDPR, email consent needs to be separate. Never bundle consent with your terms and conditions, privacy notices, or any of your services, unless email consent is necessary to complete that service."

My interpretation of the above is that setting up an account with an email address gives Admin permission to complete the account registration as a service (see Strumelia's question above) but is not a separate, explicit consent for further ongoing communication.


--
PJ Matthews, Kyoto
Migrated from Ning 2.0. Now at Jamroom 6 beta and using Jamroom Hosting for The Research Cooperative (researchcooperative.org)
michael
@michael
6 years ago
7,746 posts
researchcooperative:..... unless email consent is necessary to complete that service......
* User gives email address
* email is sent.
* account is not active until user clicks the link to create the acccout

email is necessary.

Maybe put a line of text in that email if you wanted to be extra sure "By clicking this link you agree to receive emails from us. Various types of emails are sent, you can control which you wish to receive from your NOTIFICATIONS tab on your account or opt of all emails from there too."

Feels to me like this is a way to approve internet censorship by the EU.
researchcooperative
@researchcooperative
6 years ago
694 posts
michael:
Maybe put a line of text in that email if you wanted to be extra sure "By clicking this link you agree to receive emails from us. Various types of emails are sent, you can control which you wish to receive from your NOTIFICATIONS tab on your account or opt of all emails from there too."

This looks excellent to me... it creates an opt in at the first step, separate from other issues, and actively encourages new users to take control of their own account.

On the matter of when accounts should be deleted, after last login, I received feedback from several members on this question, and the average waiting time they suggest is 2-3 years. If the process can be automated to some extent, it can be explained in the Terms of Service. Probably best not to give yet more options for users already overloaded with options (contrary to my own suggestion above).


--
PJ Matthews, Kyoto
Migrated from Ning 2.0. Now at Jamroom 6 beta and using Jamroom Hosting for The Research Cooperative (researchcooperative.org)
Intro2Music
Intro2Music
@intro2music
6 years ago
121 posts
For detailed information about GDPR here is a vital url... http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679
I haven't got around to updating my JR sites to be GDPR friendly yet. I've been very busy these last few weeks helping clients with GDPR updates. If anyone is interested in seeing one of my GDPR privacy pages for a client's App, check out, https://studio.fullblownapps.com/application/privacypolicy?id=577d629f57578 I'm sure this can easily be adapted for my JR sites too.
SteveX
SteveX
@ultrajam
6 years ago
2,584 posts
These are good too:

https://medium.freecodecamp.org/gdpr-terminology-in-plain-english-6087535e6adf

https://techblog.bozho.net/gdpr-practical-guide-developers/


--
¯\_(ツ)_/¯ Education, learning resources, TEL, AR/VR/MR, CC licensed content, panoramas, interactive narrative, sectional modules (like jrDocs), lunch at Uni of Bristol. Get in touch if you share my current interests or can suggest better :)