The EU General Data Protection Regulation (GDPR) will set a new standard for how companies use and protect EU citizens’ data. It will take effect from May 2018.
At inSided, we are working hard to prepare for GDPR, to ensure that we fulfil its obligations and maintain our transparency about data protection, i.e. citizens’ information privacy rights.
Our first step towards GDPR compliance was to create a new role for Rens van Dongen as Privacy Officer, in addition to his responsibilities as Information Security Officer.
I am working closely with Rens to figure out how to convert GDPR legal provisions into tangible actions. We’ve been asking lots of questions, and our customers have been asking us questions.
These tangible actions will first be focussed mainly on the right to erasure, also referred to as the right to be forgotten.
The Regulation describes erasure as the process by which information is rendered inaccessible and unusable for all relevant parties. Personal data can be erased in a number of ways, including by masking the relevant personal information, so long as the erasure is irreversible, even by the institution carrying out the erasure process. That is also known as anonymization of personal data records.
Erasing a specific user from a community by removing his profile and posts would drastically affect the integrity and consistency of community conversations and render them unusable for transferring knowledge and helping other customers. To avoid this, we will be using true anonymization, so that we don’t have to remove public community content while ensuring that personal data is in fact removed where needed.
Here’s an overview of the two initiatives we are planning to provide in our platform by May 25, 2018, the moment the regulation will be enforced by the supervising authorities.
First, we will provide the ability to ‘erase’ a user from your community. This feature will become available for moderators and community managers in Control, and will be available as a REST API. The feature will fully anonymize the user profile by replacing the username with a random text and deleting all other profile data, such as email address, avatar and custom fields that you have set yourself. While any posts from this user will still be available, it won’t be possible to link them back to the identity of the user. We will make sure that this user is anonymized in all the data stores of our platform that can contain personal data.
Second, we have a process in place that will assure the removal of all community and personal data from inSided customers within 30 days after their contract has ended and we have stopped providing our services.
If you have any questions or remarks on how GDPR will impact our platform, please don’t hesitate to comment below or reach out to me. For other questions related to our Data Protection program, you can always get in touch with Rens, our Privacy Officer, by mailing email@example.com.