hoorrr-rrray, was it a hacker, an user, intentionnaly, by accident, was it a rus?
No, yes, no, yes, no.
I've been updating the encryption of email addresses & phone numbers in the database, my first attempt at re-encrypting the data using the new code went a little bit wrong.
The second attempt was successful though.
Not really, I periodically update the encryption/hashing code as updates mature.
But since you mention it...
For those that don't know (& I didn't until this week) the GDPR is the General Data Protection Regulation. It affects all services that serve EU citizens & comes into force on the 25th of May 2018.
It has 7 core features. My understanding of them & what I need to do between now & May are listed below:
Breach Notification
If we have a security breach & your personal data is exposed I have to tell you.
I have always intended this to be the case so no change here. We've never had a breach & easily 90%+ of the work I put into the Edge is ensuring that we never will. I have several automated processes monitoring for problems. I will know if something has gone wrong within 24 hours at the very longest.
Consent
Consent to use your data must be clear & unambiguous.
The important bits of personal information that are used on the Edge are:
Your Email address.
The timezone you set on your settings page used to be used to format times on forum posts, but is now only used to set a default location when you visit map pages. I'm probably going to do away with this altogether.
If you have selected the 'clubs near me' option for your home page we store some coordinates (which of course you haven't used to exactly pin point your house). As the page says: "This location is not publicly displayed and is not shared with other users."
When posting to the forum it does state that your posts are thrown to the mercy of the public. I need to put this message everywhere.
Right to Access
You have the right to access all the data that relates to you.
You pretty much already have this. All your private information is visible on your settings pages, all your public information is accessible via your profile page. I do need to make more of this downloadable though for the Data Portability bit of the regulation.
Stuff that you may not know about:
This is all closely related to...
Data Portability
You should be able to download your data in a machine readable format so you can move to another service.
The only other service that you could move to is https://juggling-records.com & we've had that in place for years! This is related to the Right to Access above, pretty much there. I just need to make it easier & all in one place.
Right to be Forgotten
You have the right to have all your data deleted.
Pretty much already have this. At the bottom of your settings page is a link to disable your account which will delete almost all of your data. To comply with the new legislation I will also need to purge forum posts (gah! but easy enough) & record data (not quite so easy as someone else can post a passing record that involves you so exactly whose data am I deleting?).
Privacy by Design
This section reads like the vague spiel of a consultancy firm. Basically I need to design the system to use as little data as possible & expose that data as little as possible. I think I've already done this. You don't need an account to browse the Edge there are no members only sections. To create an account you need all of three bits of information: username, password & email address. I've also pretty much persuaded myself to make the password reset function optional, in which case I won't even need your email address.
Data Protection Officers
Organisations need to appoint a DPO to oversee compliance with the GDPR & be available to the public & the powers that be (which is the ICO for the UK) to deal with any issues.
I'm not a company or a public authority so this doesn't really apply. Regardless I'm doing my best & the contact form is always open!
Subscribe to this forum via RSS
1 article per branch
1 article per post