How we are preparing for GDPR

The EU General Data Protection Regulation (GDPR) will set a new standard for how companies use and protect EU citizens’ data. It will take effect from May 2018.





At inSided, we are working hard to prepare for GDPR, to ensure that we fulfil its obligations and maintain our transparency about data protection, i.e. information privacy citizen rights.





Our first step towards GDPR compliance was to create a new role for Rens van Dongen as Privacy Officer, in addition to his responsibilities as Information Security Officer.





I am working closely with Rens to figure out how to convert GDPR legal provisions into tangible actions. We’ve been asking lots of questions, and our customers have been asking us questions.





These tangible actions will first be focussed mainly on the right to erasure, also referred to as the right to be forgotten.





The Regulation describes erasure as the process by which information is rendered inaccessible and unusable for all relevant parties. Personal data can be erased in a number of ways, including by masking the relevant personal information, so long as the erasure is irreversible, even by the institution carrying out the erasure process. That is also known as anonymization of personal data records.





Erasing posts from a specific user from a community, so removing his profile and posts, would drastically affect the integrity and consistency of community conversations and render them unusable to transfer knowledge and help other customers. To avoid this, we will be using true anonymization to make sure we don’t have to remove public community content, while ensuring that personal data in fact will be removed where needed.





Here’s an overview of the two initiatives we are planning to provide in our platform by May 25, 2018, the moment the regulation will be enforced by the supervising authorities.





First, we will provide the ability to ‘erase’ a user from your community. This feature will become available for moderators and community managers in Control, and will be available as a REST API. The feature will fully anonymize the user profile, by replacing the username with a random text and deleting all other profile data, such as email address, avatar and custom fields that have been set by yourself. While any posts from this user will still be available, it won’t be possible to link them back to the identity of the user. We will make sure that we will anonymize this user in all the data stores of our platform that can contain personal data.





Second, we have a process in place that will assure the removal of all community and personal data from inSided customers within 30 days after their contract has ended and we stopped providing our services.





If you have any questions or remarks on how GDPR will impact our platform, please don’t hesitate to comment below or reach out to me. For other questions related to our Data Protection program, you can always get in touch with Rens, our Privacy Officer, by mailing privacy@insided.com.
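
The erasure described above can be sketched as follows. This is an added example, not inSided's code or API: the store layout, field names and the `erase_user` and `residual_mentions` helpers are hypothetical, and the sample data is constructed. It also goes one step beyond the post by scanning other users' posts for the old username, the leftover that commenters raise later in this thread.

```python
import re
import secrets


def erase_user(user_id, stores):
    """Anonymize user_id in every store; return (old_name, new_name)."""
    old_name = next(s[user_id]["username"] for s in stores if user_id in s)
    # Random, not a hash of the old name or e-mail: a hash can be re-derived
    # by anyone who guesses the input, so it would not be irreversible.
    new_name = "anonymous-" + secrets.token_hex(8)
    for store in stores:
        if user_id in store:
            # Replace the whole record so no other profile field survives.
            store[user_id] = {"username": new_name}
    return old_name, new_name


def residual_mentions(old_name, posts):
    """IDs of posts whose body still contains the erased username."""
    pattern = re.compile(r"(?<!\w)" + re.escape(old_name) + r"(?!\w)", re.I)
    return [p["id"] for p in posts if pattern.search(p["body"])]


def demo():
    # Constructed sample data: two hypothetical stores holding personal data.
    profiles = {42: {"username": "jan.devries", "email": "jan@example.com",
                     "avatar": "avatars/42.png", "custom": {"city": "Utrecht"}}}
    search_index = {42: {"username": "jan.devries"}}
    posts = [
        {"id": 1, "author_id": 42, "body": "My speaker keeps dropping Wi-Fi."},
        {"id": 2, "author_id": 7, "body": "Hi jan.devries, try a reset."},
        {"id": 3, "author_id": 7, "body": "jan.devries wrote: keeps dropping"},
    ]
    old, new = erase_user(42, [profiles, search_index])
    # The author's own post (id 1) stays; posts 2 and 3 still name the user
    # and need moderator review or redaction.
    return profiles, search_index, new, residual_mentions(old, posts)


if __name__ == "__main__":
    print(demo())
```
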
Hi @Ditte,





Could you please share the new privacy statement? I am currently working with the legal department in order to review our terms and conditions and yours may help us 😇
I would if I could, @tomasmouton ! :D


I'm talking about the overall Sonos corporate privacy statement, though. 🙂


We don't currently have anything in the works to change the T&C for the community, but thanks for the reminder!


Maybe InSided has some inspiration for us?





Best,


Ditte
I totally understand you! We are also reviewing all the privacy statement (we already have a landing page talking about 8 points of the new regulation).





Regarding the terms and conditions, our legal staff is making the adjustments needed!





Yes, it would be great to have some advice from Insided 🤓
@Ditte I hope to share with you by the end of this month the documentation of the API. Expect that we will deliver the API by mid May.
Thanks @christophrooms


And if we have a user that wants to be forgotten in the meantime, will there be a work-around?





Best,


Ditte
What happens if a banned user asks to be forgotten?


If we 'forget' all the information about this user, will he be able to join again with a new username?
Hi,





What concrete design specs will you develop for the right for users to delete their data? Will there be a special functionality introduced, such as when you report a message, where the admin would receive an email and delete the data? Or are you just expecting us to delete the data on user request simply if the user mentions it in any topic? For my company it would be easier to manage a 'forget' button from users.
For some reason, I can't post this in a new ideation topic. So I'm just going to leave this here.





GDPR: (semi)automate username removal from others’ posts





Yet another idea regarding GDPR





It’s easy to piece together someone’s identity if a user has had a username featuring their real name. What you’ll see is that their posts are quoted and they’re addressed by their unanonymized username. Today I saw a topic where someone's old username is featured in their request to anonymize about four times. Both super users and moderators were answering their question and they were quoting them answering to that answer again...





How to address the challenge of potentially having to sift through hundreds and hundreds of posts, looking for someone's old username in a quote?
@Jurgen We experience this issue as well. When a user wants his name changed we have to look through lots of messages. Because often they sign their post with their username. And others start their post with Hi Jurgen (like I did). I don't think this can be prevented. Or maybe some kind of CTRL+H so you can remove the name everywhere at once 🙂
In addition to that, we experience that anonymized usernames are still part of Google search results. Even 6 months after anonymizing you can still find the topics posted by the user, by searching on his old name.





I know this can't be solved by Insided, because it's Google cache that causes it. But I was wondering how other communities deal with this? Is there a way to make sure the results disappear sooner from Google?
@christophrooms - Any news? 🙂 I'm being bombarded with questions on how InSided is going to handle this GDPR. At the moment I have nothing but an "InSided will provide an API".





With just about 10 days to go before reality hits, I'm starting to get a little nervous myself, that we're woefully underprepared. Having an API that hasn't been implemented yet, is worth nothing.


I don't have any bullet-proof work-arounds or any other means of reassuring our internal stakeholders that we've "got this".





Care to share your plans, and how reality is going to look for the average community manager / moderator after your API is ready?





Cheers,


Ditte
@Ditte The API is available as a dummy on staging at the moment, you can find the documentation on this API in the 1.1 API documentation. (https://community.insided.com/got-a-question-38/api-documentation-291).





It's a dummy API, so when you call it we don't remove the user yet. The reason why we offer it as a dummy, is to allow our customers to already start building the integration.





I expect we will release the production version of the API early next week.