We collect a lot of information on users when (s)he signs up and uses d.o and given the (EU) law, we need to have a policy around this data collection soon!
It is d.o but also all the subsites (groups, assoc, drupalcons) where we collect data, share data with other third parties and let the user change the data and add new data.
The impact is going to be huge. In 68 days (https://howmanydaystill.com/its/gdpr) we need to give the user the option
* to extract all data (s)he created and was being added about him/her by for example the association as well as data about using the site (access logs that are bound to a user for example) in a computer readable format
* to delete *partial* data on request
* to make sure this is done on data on all places (hint backups, crm, mailinglists) unless a higher law requires them to keep
* to make clear what data we have been sharing with whom (think cookies, cdn, ads, selling mailing data if this was done)
* Google analytics
* etc etc.
Despite being hosted in the USA, we are targeting EU users and thereby have to comply.
Don't say "there is work underway on making a module for this" because *** this isn't about "modules" but about procedures *** (ooo, and by the way d.o d7)
(I couldn't find an issue about this for d.o itself, if dup, please close)
Comments
Comment #2
bertboerland commented
Comment #3
attiks commented
Comment #4
attiks commented
Comment #5
attiks commented
Comment #6
lizzjoy commented
Thanks for posting this issue, Bert. It's an important one for any organization/company doing any business with citizens of the EU.
We're taking steps to ensure Drupal.org is GDPR ready. You are correct that this isn't about a module, it's about making sure we're complying with the requirements such as...
A. Breach notification
B. Right to access
C. Right to be forgotten
D. Data portability
E. Privacy by design/data minimization, access only by those who need it to do their jobs.
Fortunately, we have some features already in place (such as the Delete Account option) and we're reviewing that we can meet the other requirements. We'll be updating our privacy policy/terms of service and communicating what we've done to review our good practices and any GDPR-related changes we've made.
Comment #7
bertboerland commented
Fully trust you are on it, just could find a public ticket here.
Therefore closing this one, no action needed here.
Comment #8
attiks commented
#6 This might be of interest to determine what is needed, https://www.linkedin.com/pulse/nightmare-letter-subject-access-request-u...
Comment #9
bertboerland commented
Yes, I did bookmark that. For other uses :-)
Comment #10
mgifford commented
I had opened this issue in Core #2848974: Privacy Concerns as GDPR Compliance but have linked to some of the D7 & D8 modules that are helping frame this in code.
I do think that with the recent interest in Facebook, Cambridge Analytica & privacy, it might make sense to be a bit more public about this.
I'm moving this back to active as I do think it is important for the DA to talk about best practices in public. We are not only users, but also implementers. Many of us are interested & willing to help.
Comment #11
mgifford commented
There's a richer discussion over in this team about general implications. https://www.drupal.org/project/drupal_gdpr_team
Also somewhat relevant is this note from Dries:
https://dri.es/the-data-protection-challenges-of-a-decentralized-social-web
And this tweet from August 2017:
https://twitter.com/dries/status/900007936734486528
Comment #12
hestenet commented
Just to keep everyone in the loop:
Hopefully you'll see all that very soon.
Comment #13
gisle commented
Any news about this?
Comment #14
hestenet commented
Oh gosh, yes - we got all the updated material published last year. I forgot to close the loop in this thread.
Here's the post that describes all the changes to those materials described above:
https://www.drupal.org/drupalorg/blog/drupalorgs-gdpr-compliance-statement
Comment #15
avpaderno commented