General Data Protection Regulation (GDPR) - changes

Shaun

Founder
Moderator
Generally speaking I have never requested personally identifiable information from members on registration and you have always been able to use the site with just a username (pseudonym) and email address (generic if you so choose) – allowing you to use the site anonymously.

I don’t operate any mailing lists or carry out any external marketing; don’t share any of your user account data with any outside parties; don’t require you to complete your user profile fields; don’t make your email address public; and don’t force you to reveal anything about yourself on the site if you don’t want to - essentially the site operates on the least amount of personal information possible to provide the service.

Much of what the GDPR covers is already part of the day-to-day operation of the site and has been for a long time, however there are a few things that are new and I have to account for:


Right to erasure

ICO said: Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.

You can now ask for your personal data to be deleted. This is the personal data you provide to the site and the data I collect in order to provide you with the service (the data I control). It is not the content you choose to post and make public on the site or anything you share with others in personal messages.

When you choose to erase your data you are effectively withdrawing consent for me to use your data to provide the service, so I will initially close your account. I will then anonymise your username, post and quote attributes, and user call-outs to help avoid your content being linked to other identifiable information you may have posted on other web sites under the same or a similar username. This is a destructive process which cannot be reversed. If you’d prefer to take a break you can request that your account is closed instead.

As has always been the case, if you have revealed personally identifiable information on the public part of the site (information that can be used to specifically identify you, such as your full name, full postal address, specific workplace, phone number, or pictures of yourself, etc.) and you would like it deleted, simply report the content or get in touch to tell me what it is and the web page address where it is.

Right to data portability

ICO said: The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits this data directly to another controller.

I have upgraded the software so that I can now provide you with this information. Please get in touch if you want to request a copy of the information or want it providing to another controller.

Right to be informed

ICO said: You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’. You must provide privacy information to individuals at the time you collect their personal data from them. You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.

I have updated the privacy policy and will ask new members to accept it upon registration and existing members to re-accept it over the coming days.

Lawful basis for processing

ICO said: Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent. Keep evidence of consent – who, when, how, and what you told people.

The registration form has been changed and now displays links to the site terms and privacy policy with an unticked acceptance field so consent is no longer assumed and you have to opt-in. On registration a record will be made in your user account to log the date of your acceptance. I will also ask registered members to accept the new terms and privacy policy so that I have a record for everyone who is logging in to use the site.

Cookies

ICO said: The rules on cookies are in regulation 6. The basic rule is that you must: tell people the cookies are there; explain what the cookies are doing and why; and get the person’s consent to store a cookie on their device.

Previously the cookie notice only appeared on the first page load. This was sufficient to notify visitors but has now been replaced with a more informative and persistent cookie notice at the bottom of the page that links to the site cookie information page and only disappears after you have clicked to accept.


User Account Privacy Options

It is probably timely to remind everyone of the software options in your user account that allow you to edit or remove what personal information guests and members can see, and how to opt-in or opt-out of some communications:
  • Personal Details - here you can set or unset your Status Message (displayed on your user card and profile page); avatar; custom user title (where available); gender; date of birth (and whether it is visible); location; occupation; home page; and the About you text block.

  • Signature (where available) - allows you to add, edit or remove the signature text that appears under all of your posts.

  • Contact Details - here you can change your email address and password, and set your messaging preferences and opt in or out of receiving notification emails.

  • Privacy - here you can set whether your online status is visible to others and whether your current activity is shown in your user card; whether you want to receive site emails, such as announcements and updates; set your date of birth privacy; and set who can or cannot see your profile and news feed, and who you want to allow to contact you.

  • Preference - here you can set whether you want to receive emails for notifications; show people’s signatures with their messages or not; and whether you automatically watch threads you post in.

  • Alert Preferences - choose what you are alerted about

For further information on the GDPR please see the ICO website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/


Ultimately, I'm not going to be collecting any more information from you than I did yesterday; not going to be sharing any of your personal data with any third-parties (I want you all to myself); and you shouldn't be approached by any marketing companies tomorrow morning asking about your preferences for Haribo's, Fray Bentos or Beer on account of data I've shared with them. :smile:

Should anything change with regards to the GDPR or I receive communication from the ICO to do things differently, I'll let you know.

Cheers,
Shaun :okay:
 