Preparing for the GDPR (EU Privacy Regulations)


As you may (or may not) be aware, the EU last year passed a strong set of guidelines aimed at protecting individual data privacy rights.

Those guidelines are called “GDPR,” or General Data Protection Regulation, and they apply to any entity that collects or processes identifiable data from EU citizens (in short, almost everyone).

There are a few primary principles:

  1. Users must be notified specifically whenever data is being collected from them.
  2. Users have the right to delete or export the data you’ve collected in a “portable” format.
  3. Users have the right to revoke permission to collect data as easily as they give it.


Here is a link to the more detailed guidelines: https://ec.europa.eu/commissio...-protection-rules_en.

Here is what is considered “personal data” under the GDPR:

  • a name and surname;
  • a home address;
  • an email address such as name.surname@company.com;
  • an identification card number;
  • location data (for example the location data function on a mobile phone);
  • an Internet Protocol (IP) address;
  • a cookie ID;
  • the advertising identifier of a phone;
  • data held by a hospital or doctor, which could be a symbol that uniquely identifies a person


Obviously, anyone using a modern community platform is collecting much of this data, either passively (cookies and IP address) or proactively (profile information). Therefore, Social Strata has been working to ensure that we provide the tools so that our customers can comply with GDPR.

We strongly recommend that you do your own internal audit and legal review of GDPR and how it might relate to your organization and community. Our goal is to make it easy for you to follow through on the privacy strategy you’ve chosen.

So what are we doing?

  1. We have already implemented an update that allows hoop.la members to delete themselves (their profile account) from a community. (https://www.socialstrata.com/b...deactivation-release). Our current approach is to leave the posted content in place when a user takes this action, leaving only “guest” as the author.
  2. We will be implementing a tool that allows members to download/export their own personal profile data and content (in csv format, for portability).
  3. We will be providing a mechanism for members to request deletion of all of their content by the admin (Right to be Forgotten). There will be an additional option for Admins to allow users to delete all of their content when deleting their own account.
  4. We will be making the affirmation/agreement to the TOS in your community discoverable (and revocable) after the member registers, via their profile settings. We will also provide options for the admin to enforce a ban if a member chooses to withdraw consent to your TOS, and for the member to delete themselves in this same process.
  5. Social Strata is part of the EU-US Privacy Shield framework.
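The self-deactivation, CSV export and admin-resolved deletion behaviours in the list above, sketched as an added Python example (this is not hoop.la's or Social Strata's code; the Community class, the dict shape of posts, the "guest" display name and the sample members are assumptions constructed for illustration):

```python
import csv
import io

GUEST = "guest"  # assumed display name shown on posts after self-deactivation


class Community:
    """Toy community store: members -> profile fields, posts as dicts (assumed shape)."""

    def __init__(self):
        self.members = {}
        self.posts = []

    def deactivate_member(self, username):
        """Self-deletion: drop the profile but keep posts in place, re-authored as guest."""
        del self.members[username]
        mine = [p for p in self.posts if p["author"] == username]
        for p in mine:
            p["author"] = GUEST
        return len(mine)

    def export_member_data(self, username):
        """Portable export: profile fields plus the member's own posts, as CSV text."""
        out = io.StringIO()
        w = csv.writer(out)
        w.writerow(["record", "field", "value"])
        for key, value in self.members[username].items():
            w.writerow(["profile", key, value])
        for p in self.posts:
            if p["author"] == username:
                w.writerow(["post", p["id"], p["body"]])
        return out.getvalue()

    def admin_resolve_deletion(self, username, approve):
        """Right to be Forgotten request: admin approves (content removed) or refuses (kept)."""
        if not approve:
            return 0
        before = len(self.posts)
        self.posts = [p for p in self.posts if p["author"] != username]
        return before - len(self.posts)


def sample_community():
    """Constructed sample data for illustration (not real members or posts)."""
    c = Community()
    c.members["alice"] = {"name": "Alice Example", "email": "alice@example.com"}
    c.members["bob"] = {"name": "Bob Example", "email": "bob@example.com"}
    c.posts = [{"id": 1, "author": "alice", "body": "Question about lesson 3"},
               {"id": 2, "author": "bob", "body": "Reply to Alice"},
               {"id": 3, "author": "alice", "body": "Thanks, that solved it"}]
    return c
```

Note that deactivation only pseudonymises the author field; the post bodies themselves may still contain personal data, which is why the separate admin-handled deletion request exists.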


We will be updating our own privacy policy in the coming months to ensure that we’re following the guidelines ourselves as well. Look for some additional blog posts here, to help you consider what you might need to tweak in your community’s TOS (for example, you’ll want to alert your members that their data is being processed by Social Strata, and for what purpose; you may want to include a link to our privacy policy as well).

We are committed to offering the updates described above prior to the May 25, 2018 deadline for compliance.

If you're interested in learning more about global privacy initiatives/regulations, this is another great resource: https://www.dlapiperdataprotection.com/

Stay tuned for additional updates!



Title image: Photo by Dayne Topkin on Unsplash

Comments (9)

I see, @Lynda. We currently don't have any plans to add such a tool, as we aren't aware of GDPR requirements relating to email communication. We can certainly discuss a possible customization if that's of interest to you. Perhaps we should take this conversation to our support channel so we can discuss options, customizations, etc. in private.

@Brian Lenz Actually GDPR is the exact opposite of CAN-SPAM; it's not related at all! 

We've been following CAN-SPAM using what you describe below as our guidepost but I've sat in on sessions with attorneys who are saying we need to get explicit opt-in from people in order to email them with GDPR if we are collecting their data.

Our CRM has offered an automatic feature to comply with this requirement, that is why I am asking.  And it's due to the consent provision of GDPR. I can DM you the info if you want to take a look.

@Lynda, I don't see GDPR as being related to CAN-SPAM. GDPR deals with privacy and processing of personal data. Part of that is the consent provision you mentioned, but that's about consent to collection of personal data, not specifically related to communications/email. With the GDPR updates to Hoop.la, you will have the ability to put a description (optionally) on any profile field so that you can give clear purpose as to why each field is being collected.

You're right that there is no way out-of-the-box to require a separate opt-in for notifications at registration, but you could incorporate email communications into your Terms of Service if that's a concern.

Hi @Brian Lenz thanks for getting back to me so quickly. The issue I'm talking about is the consent provision. From what I understand, GDPR is the opposite of CAN-SPAM - meaning people need to give a specific opt in (unless the use qualifies as legitimate use) rather than opt out. Right now on the registration form there's no specific way people can opt in to receive communications, is there?

Lynda posted:

Hi Rosemary, will Social Strata be adding a feature for people to opt-in to emails? Our CRM is adding this feature so we can be compliant with GDPR.  


Hi @Lynda! We aren't currently planning on making any changes to the notification system in Hoop.la as part of the upcoming GDPR changes. I'm not aware of any specific requirements in GDPR related to email delivery or opt-in. Here's the list of the key changes being introduced by GDPR:

https://www.eugdpr.org/key-changes.html

Hope that helps!

neil posted:

#3  "request deletion of all of their content by the admin" is a problem for message threads where a user's content is critical to the rest of the user's messages in that thread. They should not have the right to ruin other people's contributions if their post is important or replied to.

What I would suggest is that they have the right to remove their NAME from posted content, not the content itself, in order to make their content anonymous.

At our 'lesson' content site, we view all posts as a "donation" and say so in our TOS.  Our TOS gives them the right to not see their content used without attribution. But we also reserve the right to take over "abandoned" content (if they leave the community), and to modify donated content for the purposes of clarification and improvement.  

That item is a "request" by the member for the admin to delete their content. You can refuse to delete their content, if you feel it's within your rights. We're just providing the mechanism that will support compliance with GDPR; what you choose to do with it is your decision as the owner/admin. 

Unfortunately, when technological solutions are legislated, they don't always think of the consequences for all scenarios. Sadly, online communities were not really given deep consideration when these guidelines were adopted. I think there will be additional clarification forthcoming as people realize the impact this could have on conversations across the board.
