
General Data Protection Regulation (GDPR)


Peejay

Recommended Posts

Are there already European developers implementing GDPR in their websites? The European regulation will be obliged by 28/05/2018.

What is it?

 

Quote

Scope

The regulation applies if the data controller (organization that collects data from EU residents) or processor (organization that processes data on behalf of data controller e.g. cloud service providers) or the data subject (person) is based in the EU. Furthermore the regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents. According to the European Commission "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.

 

Quote

Pseudonymisation

The GDPR refers to pseudonymisation as a process that transforms personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information. An example of pseudonymisation is encryption, which renders the original data unintelligible and the process cannot be reversed without access to the correct decryption key. The GDPR requires that this additional information (such as the decryption key) be kept separately from the pseudonymised data. Pseudonymisation is recommended to reduce the risks to the concerned data subjects and also help controllers and processors to meet their data-protection obligations (Recital 28).

Although the GDPR encourages the use of pseudonymisation to "reduce risks to the data subjects," (Recital 28) pseudonymised data is still considered personal data (Recital 26) and therefore remains covered by the GDPR.

 

It will be obliged to encrypt all personal data fields (name, email, phone, address, ... ) from users, and communicate about it. 

It would be interesting to implement an encryption setting for fields, just like the password field. That way all data in a database will be useless, unless you have a decryption key. 

I think it's some stuff to think about, to meet the European regulation and to make ProcessWire even more secure.

 

 

  • Like 3
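The "encryption setting for fields" idea above, worked through as an added example (this is not ProcessWire core code and not the poster's code). It implements the pseudonymisation pattern from the quoted text: the value stored in the database is ciphertext, and the "additional information" (the key) lives outside the database, here in an environment variable. The variable name `PW_FIELD_KEY`, the field name `email_enc` and the sample address are assumptions made for the example; it needs PHP 7.2 or later with the sodium extension.

```php
<?php
// Added example: field-level encryption for a personal-data field, with the key
// kept outside the database (environment variable or a file outside the webroot).
// Not ProcessWire core code. Names below (PW_FIELD_KEY, email_enc) are assumed.

declare(strict_types=1);

/**
 * Load the field-encryption key from outside the database. Keeping it apart
 * from the stored rows is what turns a stolen DB dump into useless bytes.
 */
function loadFieldKey(): string {
    $hex = getenv('PW_FIELD_KEY'); // assumed variable name, 64 hex chars = 32 bytes
    if ($hex === false || strlen($hex) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES * 2) {
        throw new RuntimeException('PW_FIELD_KEY must hold a 32-byte key as 64 hex chars');
    }
    return sodium_hex2bin($hex);
}

/** Encrypt a field value for storage; returns base64(nonce . ciphertext). */
function encryptField(string $plaintext, string $key): string {
    // A fresh random nonce per value: identical inputs give different ciphertexts.
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $cipher);
}

/**
 * Decrypt a stored value. Returns null when the key is wrong or the stored
 * bytes were modified: secretbox is authenticated, so tampering is detected.
 */
function decryptField(string $stored, string $key): ?string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    return $plain === false ? null : $plain;
}

// --- Demo with a constructed key. In production use loadFieldKey() instead. ---
$key    = sodium_crypto_secretbox_keygen();
$stored = encryptField('alice@example.com', $key);   // constructed sample value

echo "value in DB : $stored\n";
echo "with key    : " . decryptField($stored, $key) . "\n";

// Someone holding only the database dump (a different or missing key) gets null:
var_dump(decryptField($stored, sodium_crypto_secretbox_keygen()));

// Sketch of where this would hook into ProcessWire (assumed field 'email_enc'):
// $wire->addHookBefore('Pages::saveReady', function (HookEvent $e) use ($key) {
//     $page = $e->arguments(0);
//     if ($page->template->hasField('email_enc') && $page->isChanged('email_enc')) {
//         $page->email_enc = encryptField($page->email_enc, $key);
//     }
// });
```

Two consequences worth knowing before adopting this: an encrypted field can no longer be searched or sorted by the database (a selector such as `email_enc=alice@example.com` would have to compare against freshly encrypted values, which the random nonce deliberately prevents), and the protection only covers the stored copy, so a field that is rendered publicly on a page gains nothing from it.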

Encryption for fields just because? This is insane... What about images?

4 hours ago, Peejay said:

"personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo

Say you build a website for your local sports club with avatars and people upload their photos. Also, why would I encrypt their names in the database when they are displayed publicly on the "Our Team" page?

4 hours ago, Peejay said:

computer’s IP address

How can one encrypt the apache logs, for example?

Not even the governments will be able to comply.


5 hours ago, Peejay said:

It will be obliged to encrypt all personal data fields (name, email, phone, address, ... ) from users, and communicate about it.

I think this is totally justified. The amount of data that is being stolen these days is just crazy, and it has real impacts on real people. One of the worst incidents to date is the Equifax hack: https://en.wikipedia.org/wiki/Equifax#May.E2.80.93July_2017_data_breach
John Oliver did a good piece on it: 

Automatic encryption just has to become the new normal, and I'm confident it won't be that big a deal to implement once the code wizards out there turn their minds to the challenge.

  • Like 3

  • 2 months later...
On 11/23/2017 at 4:48 PM, Peejay said:

It will be obliged to encrypt all personal data fields (name, email, phone, address, ... ) from users, and communicate about it. 

"GDPR: Encryption is NOT Mandatory!" https://www.linkedin.com/pulse/gdpr-encryption-mandatory-gary-hibberd

"Although under the GDPR encryption is not mandatory,..." AND "Before doing so let's be clear: GDPR compliance, as we wrote before is a business strategy challenge and encrypting personal data STRICTLY SPEAKING is not mandatory." https://www.i-scoop.eu/gdpr-encryption/

  • Like 1

How can GDPR not be mandatory yet still have the right to impose huge fines for non-compliance? :huh:

Interested to know how this impacts storing user profile information in the PW db and/or front-end user form data saved to the DB (eg FormBuilder entry and to-page options). Your thoughts?

 

  • Like 1

49 minutes ago, psy said:

How can GDPR not be mandatory

GDPR itself is mandatory, but there was a confusion about storing personal data in an encrypted way only as it was supposed to be necessary to comply.

Being a European developer, I will spend a considerable amount of time to help my clients out with GDPR and I'm still learning the details... However, this encryption issue seemed to be a huge technical problem if it is mandatory. Since it is not, now I can concentrate on the other issues GDPR generates. I think this confusion about encryption was the biggest issue so I thought I would post some links to show that it is a non-issue after all.

There are good resources about GDPR out there, but here is a brief introduction to check out first:

http://ec.europa.eu/justice/smedataprotect/index_en.htm

Also note that:

"Where does GDPR apply?
If you sell any products to customers based in the EU, or have EU visitors to your site, you’ll need to make sure your site complies with GDPR. It applies to all 28 EU member states and to entities and organisations outside the EU when processing the data of citizens within it.

IMPORTANT to note: Google Analytics and others ARE personal data collectors too! Eg: Statistics apps like cPanel apps, similar CMS plugins, custom solutions like Piwik, etc. And this means non-European websites should also consider complying to avoid yet to be seen possible legal issues.

The good thing is that the silly automatic cookie consent does not seem to apply anymore, as setting cookies is not data collection in itself. In GDPR there is only one sentence where cookies are mentioned: https://gdpr-info.eu/recitals/no-30/  And it is just about listing a few technical possibilities of possible personal profile building. However, if there is no profile building – meaning there is no data collection this way – then cookies are non-issues. I still need to read up on this one, but this is my current understanding. Of course, if cookies are used for profiling then it is a different story and they must be considered when dealing with GDPR.

There is a lot to consider regarding GDPR. As you can imagine, complying is a time consuming process, a real PITA :-[

  • Like 6

Thanks @szabesz clear as mud :lol:

I'm based in Oz and working on a site that will have a UK clientele as well as Aussies, and possibly EU clients as well. The site needs to collect lots of personal & medical info and want to get this GDPR stuff right from the word go.

6 minutes ago, szabesz said:

a real PITA :-[

 

  • Like 1

8 minutes ago, psy said:

The site needs to collect lots of personal & medical info and want to get this GDPR stuff right from the word go.

For such a site it must be taken seriously as GDPR tries to differentiate the "level of security measures and the fine to pay in the absence of proper compliance" – so to speak –, meaning that security measures applied to data collection and handling must align with the amount of data and its sensitivity. I guess your client will need a "GDPR professional" to make it right. The websites I deal with require less work to comply but it is still something that will add up to lots of hours of work on my end.

  • Like 3

1 hour ago, szabesz said:

In GDPR there is only one sentence where cookies are mentioned:

This is probably because cookie handling is supposed to be regulated by the ePrivacy law, which will be obliged at the same time as the GDPR, but is a separate regulation. Sadly this one still doesn't seem to be finalized and it's getting far less attention.

  • Like 4

On 12.2.2018 at 2:37 PM, LostKobrakai said:

This is probably because cookie handling is supposed to be regulated by the ePrivacy law, which will be obliged at the same time as the GDPR, but is a separate regulation. Sadly this one still doesn't seem to be finalized and it's getting far less attention.

ePrivacy was planned to be obliged at the same time, but now is considered to be obliged not before 2019!

  • Like 1

  • 2 months later...

I also did some research the last days about GDPR and want to share some notes on that.
Most of the information is taken from official sources, but is without engagement.

To add one thing to @szabesz note:

On 2/12/2018 at 12:51 PM, szabesz said:

The good thing is that the silly automatic cookie consent does not seem to apply anymore, as setting cookies is not data collection in itself. In GDPR there is only one sentence where cookies are mentioned: https://gdpr-info.eu/recitals/no-30/  And it is just about listing a few technical possibilities of possible personal profile building. However, if there is no profile building – meaning there is no data collection this way – then cookies are non-issues. I still need to read up on this one, but this is my current understanding. Of course, if cookies are used for profiling then it is a different story and they must be considered when dealing with GDPR.

Beginning with GDPR in May 18 the state will be that you are allowed to set cookies without any further approval from the user, if they (the cookies) are necessary so that your site or service works. Usually those are session cookies, or cookies that store the user's language.

Every other cookie (to track or analyse user data) needs permission to be set (the so called "opt-in"). In this case you are not allowed to set the cookie without user permission.


In general (and in most situations enough) you need some things in order to be compliant with GDPR: 

  • an up-to-date data protection policy on the website frontend
  • a GDPR compliant data processing contract with all companies that handle  personal user data according to your order (like the hosting provider, or e.g. Google Analytics, or whatever..)
  • a documentation of technical and organisational measures
  • a list of all data processing activities

That does not take into account if you handle very sensitive personal data (e.g. race or religion).

So of course, not all is related to ProcessWire, but only implementing technical measures is not enough to get compliant. 

At the end, note that a very important part is also to document all things related to data privacy (regulations). We - as the data processors - have the burden of proof.

  • Like 3

  • 3 weeks later...

GDPR question. If we're using GA with IP Anonymisation and without any advertising features thus it's not tracking personal data... do we still need to implement the old school 'This site uses cookies blah blah'? There's no need for opt in/out so I'm curious...

On 4/24/2018 at 3:22 PM, androbey said:

Beginning with GDPR in May 18 the state will be that you are allowed to set cookies without any further approval from the user, if they (the cookies) are necessary so that your site or service works. Usually those are session cookies, or cookies that store the user's language.

Every other cookie (to track or analyse user data) needs permission to be set (the so called "opt-in"). In this case you are not allowed to set the cookie without user permission.

 


1 minute ago, wbmnfktr said:

Ask a lawyer, please.

This exact question can be answered in different ways.
Even lawyers may answer this totally different.

Ah I love it when a law isn't clear.

  • Like 1

Fun fact: In Austria the authority for the GDPR regulations has <30 employees, while we have >300.000 companies. I guess those 30 employees will have other priorities than my website's cookies... And I guess this will not be very different in other countries.

Not saying that we should not care about GDPR at all, but imho GDPR is really not meant to ruin every small business...


11 hours ago, LostKobrakai said:
11 hours ago, bernhard said:

but imho GDPR is really not meant to ruin every small business...

Considering this it might be true in austria: https://euobserver.com/justice/141746

Not sure if you are serious, but that's not what I meant. That's a different topic and I don't think that what we are doing here is good. I also think/hope that it is not legal and will change in the future... But I've no idea about law and politics ?
