Forums @ The Digital Fix > Gadgets and Gizmos > Computing Forum
#1 | douglasb | 04-03-2018, 08:25
GDPR for Amateurs

Anyone have doings with this? What are the implications for - as an example - a site like this with forums? What about a forum that requires registration with real names?
#2 | DeadYankee | 04-03-2018, 08:55
I wouldn’t get too concerned. If the site is compliant with the current set-up then GDPR shouldn’t cause real headaches. The site isn’t a public body or of sufficient scale to require a named GDPR officer. The key things to be concerned about are data security, as a data breach would be potentially damaging, and the rights of an individual to be expunged from history. It is the latter that I imagine will be most problematic for a forum.

I suppose it would be good practice and provide a degree of protection to do 3 things now.
  • Draw up a basic risk register and undertake an audit of data security measures
  • Establish data policy and describe and document some key data processes with flow charts
  • Email all members asking them to confirm their details and informing them of key data processes such as records retention/deletion schedule. Maybe post links to policy and processes for transparency

None of this needs to result in reams of paperwork. I’d keep it light touch. Ask yourselves some basic questions, i.e. if a member wanted to be completely erased, could you do that now? If not, what needs to change in your processes? Is your data stored in a ‘safe’ country? Where are the host servers? What is the likelihood of a data breach? Do you need to reduce the likelihood? If so, how? Etc.

Last edited by DeadYankee; 04-03-2018 at 08:59.
#3 | DeadYankee | 04-03-2018, 10:54
Also worth remembering that, unless you are holding potentially sensitive personal data, the risks are inherently low.
#4 | douglasb | 04-03-2018, 14:02
Cheers. It's one of those things - a lot of hype (and thus a lot of folk trying to earn consultancy fees) but it's hard to judge in real world terms.

The prisons aren't full of carpet fitters because their slightly amateur websites aren't cookie compliant, so it seems unlikely the local angling club is going to be made an example of because their membership list is kept on a USB drive in Fred's unlocked office drawer.
#5 | Anthony.S | 04-03-2018, 18:23
When people join they are generally consenting to certain conditions regarding their personal data. Ensure that the legal side is satisfactory to cover you and, if the site is stored outside of the EU, then ensure the location has an agreement in place to comply with EU standards.
#6 | AndyWilson | 04-03-2018, 21:08
The main thing is that you need explicit, positive consent from individuals to store and process their data, and those individuals have to be informed of all the things the data will be used for.

Implicit consent - or something like just a tick box - isn't good enough.
#7 | DeadYankee | 04-03-2018, 21:33
Tick box is fine, afaik, as long as it is defaulted to un-ticked and explained in plain English.

I really wouldn’t sweat it if the only personal data collected is a real name. Maybe to be safe get all members to reconfirm registration details and add the info about how data is used. The OIA is going to be interested in major data processors using sensitive data. It’d take a complaint for any interest to be shown in a website and even then you are only looking at fines as a last resort following failure to comply.
#8 | Chris Locke | 05-03-2018, 09:31
> and thus a lot of folk trying to earn consultancy fees

And thus a lot of folk throwing a lot of scare stories around. We've had 'consultants' in saying our office printers need to be GPRFTFDRPDR compliant. "If someone prints some confidential information and leaves it somewhere, you need to prove you've taken reasonable steps to trace where that paper came from". The ******** meter pinged to 'Overload' and nearly fell off the wall.
#9 | Anthony.S | 05-03-2018, 14:07
Quote (Chris Locke):
> and thus a lot of folk trying to earn consultancy fees

And thus a lot of folk throwing a lot of scare stories around. We've had 'consultants' in saying our office printers need to be GPRFTFDRPDR compliant. "If someone prints some confidential information and leaves it somewhere, you need to prove you've taken reasonable steps to trace where that paper came from". The ******** meter pinged to 'Overload' and nearly fell off the wall.
I suppose it depends on what you print.
If your company handles any personal data and someone printed it somewhere that a person who was not authorised to access it could read it, then it would be classed as a breach, which you are legally required to report. The chances of anyone finding out are quite small, but I wouldn't want any 'disgruntled staff' to make a complaint after they are sacked.

This video is quite useful for the very basics of GDPR without a lot of BS.
5 key points in 3 mins.

https://www.youtube.com/watch?v=6fITStJ-4Es

Last edited by Anthony.S; 05-03-2018 at 14:08.
#10 | AdamBrunt | 12-03-2018, 16:57
As far as a website with contact forms on it goes ... as well as the addition of some check boxes to the forms which need to be ticked, etc., is there anything specific about the use of cookies (under this new legislation) that a web developer should be aware of?
#11 | Chris Locke | 12-03-2018, 17:31
Quote:
In short: when cookies can identify an individual via their device, it is considered personal data.

This supports Recital 26, which states that any data that can be used to identify an individual either directly or indirectly (whether on its own or in conjunction with other information) is personal data.

What it means
Not all cookies are used in a way that could identify users, but the majority are and will be subject to the GDPR. This includes cookies for analytics, advertising and functional services, such as survey and chat tools.

To become compliant, organisations will need to either stop collecting the offending cookies or find a lawful ground to collect and process that data. Most organisations rely on consent (either implied or opt-out), but the GDPR’s strengthened requirements mean it will be much harder to obtain legal consent.
https://www.itgovernance.eu/blog/en/...okie-policies/
#12 | AdamBrunt | 12-03-2018, 19:06
Thanks Chris, very interesting.

I am not sure what legal ground exists for continuing with GA cookies but I also don't see how the same functionality (from the website owner's perspective) can be achieved without them. Although - presumably - once you have the legal consent then you can carry on using them.

My concern is that we use ColdFusion to serve the website, which requires cookies to maintain session state whilst a user is navigating/logged in to the site. This is done by the generation of a unique GUID which is stored as a cookie on the user's machine and in a database table on the server side, and is default ColdFusion functionality. What happens if the user no longer consents to cookies? Would such cookies be exempt? Presumably if the EU reckon it is possible to identify a user from a GA cookie [not sure how though TBH, from what I know about GA cookies] then they also consider ColdFusion's session management cookies can also identify a user.

Last edited by AdamBrunt; 12-03-2018 at 19:07.
#13 | DeadYankee | 12-03-2018, 19:21
You need to have an opt out option that can be invoked at any time.
#14 | AdamBrunt | 12-03-2018, 19:45
Quote (DeadYankee):
You need to have an opt out option that can be invoked at any time.
That is what it certainly looks like.

I just need to work out now how we maintain session whilst potentially not being able to use cookies.

Last edited by AdamBrunt; 12-03-2018 at 23:12.
#15 | Xeon007 | 12-03-2018, 20:03
Quote (AdamBrunt):
That is what it certainly looks like.

I just need to work out now how we maintain session whilst potentially not being able to use cookies.
ASP.NET used to (not sure if it still does) do cookieless sessions by putting the id in the query string if it helps...
#16 | AdamBrunt | 12-03-2018, 20:20
Quote (Xeon007):
ASP.NET used to (not sure if it still does) do cookieless sessions by putting the id in the query string if it helps...
Yeah, Coldfusion does the same - but it is damn ugly
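Added example, not code from this thread nor from ColdFusion, ASP.NET or Google Analytics: the consent gate that posts #11 to #16 are circling. The consent rules exempt cookies that are strictly necessary for a service the user has asked for, which is where a login session cookie normally sits; analytics cookies such as Google Analytics' _ga are the ones that need an opt-in. The code keeps an allow-list of necessary cookie names (ColdFusion's default CFID/CFTOKEN and ASP.NET's session cookie), refuses to set or load analytics unless a consent cookie records an explicit opt-in (the un-ticked-by-default box), and provides a withdrawal path that expires the analytics cookies so the opt-out can be invoked at any time. The cookie name cookie_consent, the category lists, the 180-day lifetime and the loadScript hook are this example's own assumptions; which cookies a site classes as necessary is its own decision and belongs in its cookie policy.

```javascript
// Added example: consent-gated cookie handling for a forum that must keep a
// login session cookie but may only set analytics cookies after an explicit,
// withdrawable opt-in. The cookie name and category lists are assumptions made
// for this example, not settings of ColdFusion, ASP.NET or Google Analytics.

const CONSENT_COOKIE = 'cookie_consent'; // assumed name; value lists opted-in categories

// Cookies the site cannot function without (session state for a logged-in
// user). CFID/CFTOKEN are ColdFusion's defaults, ASP.NET_SessionId is ASP.NET's.
const STRICTLY_NECESSARY = new Set(['CFID', 'CFTOKEN', 'ASP.NET_SessionId', CONSENT_COOKIE]);

// Optional cookies that identify a device across visits and therefore need consent.
const ANALYTICS = new Set(['_ga', '_gid', '_gat']);

// Parse a Cookie request header (or document.cookie in the browser) into name -> value.
function parseCookies(header) {
  const cookies = new Map();
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    cookies.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return cookies;
}

// True only if the consent cookie explicitly records an analytics opt-in.
// A missing or empty consent cookie means no consent: the default is opted out.
function hasAnalyticsConsent(header) {
  const value = parseCookies(header).get(CONSENT_COOKIE) || '';
  return value.split(',').includes('analytics');
}

// Gate to run before any Set-Cookie is emitted: necessary cookies always pass,
// analytics cookies pass only with consent, anything unknown is denied by default.
function mayStoreCookie(name, header) {
  if (STRICTLY_NECESSARY.has(name)) return true;
  if (ANALYTICS.has(name)) return hasAnalyticsConsent(header);
  return false;
}

// Set-Cookie values to emit when the user ticks the (un-ticked by default) box.
function grantAnalytics() {
  const sixMonths = 180 * 24 * 3600; // assumed retention for the consent record itself
  return [`${CONSENT_COOKIE}=analytics; Max-Age=${sixMonths}; Path=/; SameSite=Lax; Secure`];
}

// Withdrawal: forget the consent record and expire every analytics cookie present.
// Path (and Domain, if one was used when the cookie was set) must match the
// original cookie, otherwise the browser will not delete it.
function withdrawAnalytics(header) {
  const present = parseCookies(header);
  const expire = [];
  for (const name of [...ANALYTICS, CONSENT_COOKIE]) {
    if (present.has(name)) expire.push(`${name}=; Max-Age=0; Path=/`);
  }
  return expire;
}

// Load the analytics tag only when consent is on record. `loadScript` is
// whatever inserts the tag into the page; it is passed in so this runs offline.
function loadAnalyticsIfConsented(header, loadScript) {
  if (!hasAnalyticsConsent(header)) return false;
  loadScript();
  return true;
}
```

In the browser, `header` is `document.cookie` and the returned strings are assigned to it; on the server, `header` is the incoming Cookie header and the strings become Set-Cookie response headers. The session cookie keeps working regardless of the consent state, which is the answer to the "how do we maintain session" worry above, and withdrawing consent expires only the analytics cookies.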
#17 | driver8 | 05-04-2018, 15:36
I'm looking into this for my few simple wordpress sites.

CookieBot (a Danish company) seems the best for 1 small site (1 site per email address) free for <100 pages, although there are recurrent fees for bigger sites ($10+/month). Try their free scanner.

Cookie Notice by dFactory looks to be a good plugin (from a decent developer) and should get an update before the deadline (I think, to add the option to re-show the AGREE alert).

This German website offers an online form to auto-generate a custom Privacy Policy.
#18 | driver8 | 24-05-2018, 17:14
Also: MailChimp links



Last edited by driver8; 24-05-2018 at 18:12. Reason: added mailchimp link