Preparing for the GDPR (EU Privacy Regulations)

As you may (or may not) be aware, the EU last year adopted a strong set of rules aimed at protecting individuals' data privacy rights.

Those rules are called the "GDPR," or General Data Protection Regulation. It is a binding regulation rather than a set of guidelines, and it applies to any organization that collects or processes personal data of people in the EU, regardless of where the organization itself is located (in short, almost everyone).

A few of its core requirements:

  1. Users must be told specifically when data is being collected from them, and for what purpose.
  2. Users have the right to have the data you've collected deleted, and to export it in a "portable" (machine-readable) format.
  3. Users must be able to withdraw consent to data collection as easily as they gave it.


Here is a link to the detailed rules: https://ec.europa.eu/commissio...-protection-rules_en.

Here is what is considered “personal data” under the GDPR:

  • a name and surname;
  • a home address;
  • an email address such as [email protected];
  • an identification card number;
  • location data (for example the location data function on a mobile phone);
  • an Internet Protocol (IP) address;
  • a cookie ID;
  • the advertising identifier of a phone;
  • data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.


Obviously, anyone running a modern community platform collects much of this data, either passively (cookies and IP addresses) or actively (profile information). Social Strata has therefore been working to provide the tools our customers need in order to comply with the GDPR.

We strongly recommend that you do your own internal audit and legal review of GDPR and how it might relate to your organization and community. Our goal is to make it easy for you to follow through on the privacy strategy you’ve chosen.

So what are we doing?

  1. We have already shipped an update that allows hoop.la members to delete themselves (their profile account) from a community (https://www.socialstrata.com/b...deactivation-release). Our current approach is to leave the member's posted content in place when they do this, with "guest" shown as the author.
  2. We will be implementing a tool that allows members to download/export their own personal profile data and content (in CSV format, for portability).
  3. We will be providing a mechanism for members to request that an admin delete all of their content (the "right to be forgotten," formally the right to erasure). There will be an additional option for admins to let members delete all of their content when deleting their own account.
  4. We will be making the affirmation/agreement to your community's TOS discoverable (and revocable) after the member registers, via their profile settings. We will also provide options for the admin to enforce a ban if a member withdraws consent to the TOS, and for the member to delete themselves in that same flow.
  5. Social Strata is part of the EU-US Privacy Shield framework.
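
To make the difference between the first three operations concrete, here is an added example (not hoop.la's or Social Strata's code; the store, class names and sample members are constructed for illustration) of what self-service deactivation, data export and an admin-mediated erasure request each leave behind:

```python
import csv
import io
from dataclasses import dataclass

GUEST_ID = 0  # hypothetical built-in "guest" account that keeps orphaned posts readable


@dataclass
class Member:
    member_id: int
    username: str
    email: str
    last_ip: str  # passively collected identifiers are personal data too


@dataclass
class Post:
    post_id: int
    author_id: int
    body: str


class CommunityStore:
    """In-memory stand-in for the community database (constructed for this example)."""

    def __init__(self):
        self.members = {GUEST_ID: Member(GUEST_ID, "guest", "", "")}
        self.posts = {}
        self.pending_deletions = set()  # member_ids awaiting an admin decision

    def add_member(self, member):
        self.members[member.member_id] = member

    def add_post(self, post):
        self.posts[post.post_id] = post

    def posts_by(self, member_id):
        return [p for p in self.posts.values() if p.author_id == member_id]

    # 1. Self-service deactivation: the profile record (and the identifiers in it)
    #    is removed; posts stay but are re-attributed to the guest account, unless
    #    the admin has enabled the option that lets the member take their content too.
    def deactivate_member(self, member_id, delete_content=False):
        if member_id == GUEST_ID or member_id not in self.members:
            raise ValueError("no such member")
        del self.members[member_id]
        for post in self.posts_by(member_id):
            if delete_content:
                del self.posts[post.post_id]
            else:
                post.author_id = GUEST_ID
        self.pending_deletions.discard(member_id)

    # 2. Portability: the profile and the member's content as CSV text.
    def export_member(self, member_id):
        m = self.members[member_id]
        profile = io.StringIO()
        w = csv.writer(profile)
        w.writerow(["member_id", "username", "email", "last_ip"])
        w.writerow([m.member_id, m.username, m.email, m.last_ip])
        content = io.StringIO()
        w = csv.writer(content)
        w.writerow(["post_id", "body"])
        for p in self.posts_by(member_id):
            w.writerow([p.post_id, p.body])
        return {"profile.csv": profile.getvalue(), "posts.csv": content.getvalue()}

    # 3. Right to be forgotten: the member asks, the admin decides. A refusal leaves
    #    the content in place; approval erases it. Either way the request is closed.
    def request_content_deletion(self, member_id):
        if member_id not in self.members:
            raise ValueError("no such member")
        self.pending_deletions.add(member_id)

    def resolve_content_deletion(self, member_id, approve):
        if member_id not in self.pending_deletions:
            raise ValueError("no pending request")
        self.pending_deletions.remove(member_id)
        removed = 0
        if approve:
            for post in self.posts_by(member_id):
                del self.posts[post.post_id]
                removed += 1
        return removed


def demo():
    """Constructed sample data; returns the store after all three operations."""
    store = CommunityStore()
    store.add_member(Member(1, "alice", "alice@example.com", "203.0.113.7"))
    store.add_member(Member(2, "bob", "bob@example.com", "198.51.100.9"))
    store.add_post(Post(10, 1, "How do I configure the setting?"))
    store.add_post(Post(11, 2, "You set the flag in the admin panel."))
    store.add_post(Post(12, 1, "Thanks, that worked."))
    store.deactivate_member(1)                       # alice leaves; her posts become "guest"
    store.request_content_deletion(2)
    store.resolve_content_deletion(2, approve=True)  # admin grants bob's erasure request
    return store
```

Deactivation here pseudonymizes (the thread stays intact, only the attribution goes), while an approved erasure request removes the post bodies themselves. Note that re-attributing a post to "guest" only helps if the body does not itself identify the author (a signature, a real name in the text); those posts are still personal data.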


We will be updating our own privacy policy in the coming months to ensure that we're following the rules ourselves as well. Look for additional blog posts here to help you consider what you might need to tweak in your community's TOS (for example, you'll want to tell your members that their data is being processed by Social Strata, and for what purpose; you may want to include a link to our privacy policy as well).

We are committed to offering the updates described above prior to the May 25, 2018 deadline for compliance.

If you're interested in learning more about global privacy initiatives/regulations, this is another great resource: https://www.dlapiperdataprotection.com/

Stay tuned for additional updates!



Title image: Photo by Dayne Topkin on Unsplash


Comments (3)

neil posted:

#3  "request deletion of all of their content by the admin" is a problem for message threads where a user's content is critical to the rest of the user's messages in that thread. They should not have the right to ruin other people's contributions if their post is important or replied to.

What I would suggest is that they have the right to remove their NAME from posted content, not the content itself, in order to make their content anonymous.

At our 'lesson' content site, we view all posts as a "donation" and say so in our TOS. Our TOS gives them the right to not see their content used without attribution. But we also reserve the right to take over "abandoned" content (if they leave the community), and to modify donated content for the purposes of clarification and improvement.

That item is a "request" by the member for the admin to delete their content. You can refuse to delete their content, if you feel it's within your rights. We're just providing the mechanism that will support compliance with GDPR; what you choose to do with it is your decision as the owner/admin.

Unfortunately, when technological solutions are legislated, they don't always think of the consequences for all scenarios. Sadly, online communities were not really given deep consideration when these guidelines were adopted. I think there will be additional clarification forthcoming as people realize the impact this could have on conversations across the board.
