FAQ GDPR compliance

thomas
Admin
The GDPR, the European Union's new General Data Protection Regulation, comes into force on May 25th 2018. It has been the hottest topic among webmasters and website administrators for many weeks. So, what is it? And how does it apply to you and our website?

What is the GDPR?

The GDPR is a European Union (EU) regulation that has been designed to protect the data and privacy of EU residents. It strengthens and replaces existing data protection acts/directives and becomes enforceable from 25th May 2018. The primary aim is to give control to EU residents over their personal data and unify regulation within the EU. Any organisation that handles visitors or customers from inside the EU is required to adhere to the GDPR, which aims to protect the personal data of EU residents, with the threat of penalties for non-compliance.

Individual rights

Right to erasure

Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the 'right to be forgotten'. The right is not absolute and only applies in certain circumstances.

The right to erasure relates to the inevitability that at some point, a member may want to leave the forum and in doing so, may want to have their personal data removed. This is also known as the "right to be forgotten". Users now have the option to have their data deleted and their name changed before their account is deleted.

Note: having their data deleted does not mean that members are entitled to have their content (threads, posts, articles, etc.) removed unless it contains personally identifiable information.

Right to data portability

The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits this data directly to another controller.

Technically, under certain laws in certain countries, the right for a user to request a copy of any personal information held by a data controller has always been necessary. The main difference now is that the information should be provided to the data subject in a machine readable format. Users will now be able to generate an XML file containing their personal information, including those entered in custom user fields.

Right to be informed
  • You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this 'privacy information'.
  • You must provide privacy information to individuals at the time you collect their personal data from them.
  • You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual's personal data to their attention before you start the processing.

Lawful basis for processing

Consent
  • Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.
  • Consent requires a positive opt-in. Don't use pre-ticked boxes or any other method of default consent.
  • Keep evidence of consent – who, when, how, and what you told people.

On a similar subject to the previous "Right to be informed" section, consent must apply to things such as the privacy policy and terms and rules. To enable us to keep evidence of consent, we will log the consent date for acceptance of the terms and rules and privacy policy. We will also log if a user chooses to explicitly opt in to receiving emails.

Cookies

The rules on cookies are in regulation 6. The basic rule is that you must:
  • tell people the cookies are there;
  • explain what the cookies are doing and why; and
  • get the person's consent to store a cookie on their device.

JREF has, for many years, shown a notice to users on their first visit explaining that cookies will be set. This notice was only shown on the very first page load before it disappeared. This should be fine, in most cases, though we shall make the usage of cookies more clear, and require the notice to be dismissed. This notice will appear at the very bottom of the website in full width.

We are trying to implement the most significant of these changes by tomorrow, but expect a lot of updates and notices asking for your consent within the next few days and weeks. We are sorry to bother you with additional pop-ups asking you to consent to our cookie and privacy policies.

We shall keep this thread updated with further details on GDPR compliance.
 
We have just updated to the latest version of the software which introduces a few new features that aim at achieving GDPR compliance:

  • guests will now have to accept our cookie AND privacy policy
  • existing members will have to accept our privacy policy whenever it's updated (expect a few updates in the coming days and weeks as we have to detail every cookie our website is feeding to its users)

Stay connected for further updates.
 
Definitely a step in the right direction, but a nuisance for admins to implement.

Just a heads-up: we are aware that the 'Accept Cookie Policy' button cannot be dismissed without logging in. We are working on it.
 