General Data Protection Regulation (GDPR) - useful/practical tips for small developers
- KVRist
- Topic Starter
- 37 posts since 18 Sep, 2011
I think there are many who are a little overwhelmed with it.
This thread is not intended to discuss how good or bad the GDPR is. It is also not intended for general political discussions, you can open another thread if somebody wants to discuss that.
https://en.wikipedia.org/wiki/General_D ... Regulation
This thread is intended to give practical tips, especially for small developers/one-person companies, on how to handle the GDPR.
So what can you do to be GDPR compliant?
1. Don't Panic!
2. Make your Website HTTPS
3. Update your privacy policy
What's your favourite resource for this?
4. Sign Data Processing Agreements
Google Analytics?
http://www.google.com/analytics/terms
(For some countries there are forms you can sign and send them to google)
http://www.google.com/analytics/terms/de.pdf
Mailchimp:
https://mailchimp.com/legal/forms/data- ... agreement/
What are your tips/suggestions?
- u-he
- 28063 posts since 8 Aug, 2002 from Berlin
Minimize what you store about your customers, and for how long. Know where this information is stored, and who has access to it. Know what you store. Have that available in written form.
Each of us certainly needs name, email address and license information to provide for customer support. It's common sense, I guess. So if anyone wants his records erased with us, we will request that he understands that license retrieval, license transfers and support are no longer possible. Alternatively, figure out what you accept as proof of purchase, should someone ask for support when his data was wiped. Maybe ask a lawyer.
If you travel abroad, wipe your laptop of any customer information.
Use locally hosted support/ticket systems.
If you have a database, keep it local. Consider hashing customers' email addresses. If a customer contacts you and you need to retrieve data, hash his email address and find a match. (The law encourages anonymization of data.)
Delete backups you don't need anymore.
Say hi to your local data protection authority and let them know that you've taken all steps necessary to comply with GDPR.
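Urs's suggestion of hashing customer email addresses so a record can still be found when the customer writes in, as an added Python example that is not from this thread or any poster. It uses a keyed hash (HMAC-SHA256) with the key kept outside the database, because an unkeyed SHA-256 of an address can be recreated by anyone who can guess the address; a keyed pseudonym is still personal data under the GDPR (pseudonymisation rather than anonymisation), so the retention and documentation points above still apply. The key, addresses and licence values are constructed sample data.

```python
import hashlib
import hmac
import secrets

def normalize_email(email: str) -> str:
    """Canonicalise so that 'Alice@Example.com ' and 'alice@example.com' hash alike."""
    return email.strip().lower()

def new_key() -> bytes:
    """Random 256-bit key; keep it outside the database (key store, env var, separate file)."""
    return secrets.token_bytes(32)

def pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalised address. Without the key, a stored value
    cannot be recreated from a guessed address, so a leaked table of pseudonyms
    does not by itself reveal who the customers are."""
    return hmac.new(key, normalize_email(email).encode("utf-8"), hashlib.sha256).hexdigest()

def plain_sha256(email: str) -> str:
    """The unkeyed variant, shown only to contrast with pseudonym()."""
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()

def unkeyed_hash_is_guessable(stored_digest: str, candidates) -> bool:
    """Why plain hashing is not anonymisation: any address that can be guessed
    (or is already known from elsewhere) matches the stored digest directly."""
    return any(plain_sha256(c) == stored_digest for c in candidates)

class CustomerRecords:
    """Licence records stored under the pseudonym instead of the address.
    Only the licence data is kept; the clear-text email is never written."""

    def __init__(self, key: bytes):
        self._key = key
        self._rows = {}  # pseudonym -> record (constructed in-memory store)

    def add(self, email: str, licence: str) -> None:
        self._rows[pseudonym(email, self._key)] = {"licence": licence}

    def lookup(self, email: str):
        """Support request: recompute the pseudonym from the address the customer wrote from."""
        return self._rows.get(pseudonym(email, self._key))

    def erase(self, email: str) -> bool:
        """Erasure request: True if a record existed and was removed."""
        return self._rows.pop(pseudonym(email, self._key), None) is not None
```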
- KVRian
- 872 posts since 6 Aug, 2005 from England
I’m allowed to keep share-it sales info that gets emailed and kept on my studio computer? It’ll be a massive pain if I can’t easily keep tabs on real purchase users. I guess I can just use Share-it’s records which is a little painful to use.
Dave Hoskins. http://www.quikquak.com
- u-he
- 28063 posts since 8 Aug, 2002 from Berlin
quikquak wrote: I’m allowed to keep share-it sales info that gets emailed and kept on my studio computer? It’ll be a massive pain if I can’t easily keep tabs on real purchase users. I guess I can just use Share-it’s records which is a little painful to use.
Of course you can keep them. You just need to document this and write that sheet which says who's handling those and what for.
I will probably delete them on a monthly schedule and keep nothing older than a quarter.
This whole thing is quite a bit about "if and once data is breached, have a really good reason why you had it in the first place". So if data isn't essential, remove it. If you can anonymize, do so. If someone handles the data (customer support, newsletter etc.), know what they do, and restrict it to the amount of information necessary.
- u-he
- 28063 posts since 8 Aug, 2002 from Berlin
Hmmm, I surfed around a bit and found that hardly anyone has prepared anything.
Anyone who sells his stuff to EU customers through his shop needs some kind of privacy policy from May 25th, i.e. a way to inform users what personal data they'll collect, process and store (name, email, day of purchase), what they need it for and on which legal grounds (e.g. fulfil a contract, give support), where they get it from (e.g. ShareIt), how long they'll store it, who they share it with (hopefully no-one).
As for MailChimp, we're biting the bullet and ask our subscribers to rejoin on a fresh list, using MailChimp's GDPR-compliant forms. Next week we'll upload our new privacy policy, set up a new sign-up procedure and we'll send that final newsletter before that date.
As for Google Analytics - we hardly ever used it. We're dropping it from our website next week as well. We'll check our logfile statistics to see if traffic goes up or down.
- U
- KVRAF
- 2256 posts since 29 May, 2012
Urs wrote: Anyone who sells his stuff to EU customers through his shop needs some kind of privacy policy from May 25th, i.e. a way to inform users what personal data they'll collect, process and store (name, email, day of purchase), what they need it for and on which legal grounds (e.g. fulfil a contract, give support), where they get it from (e.g. ShareIt), how long they'll store it, who they share it with (hopefully no-one).
I wonder how this will actually be checked when the seller is outside the E.U.
~stratum~
- KVRist
- Topic Starter
- 37 posts since 18 Sep, 2011
Maybe we could create a privacy policy, for share-it users or similar, as a community project.
This is not legal advice, here a start / a kind of blueprint for free use.
We use XYZ as our distribution platform. XYZ acts here as a reseller of our goods. When you place an order on this website, you will be redirected to the server of XYZ.
The general terms and conditions of XYZ can be found on this website. (link)
After the purchase is successfully completed, we receive access to the general order data such as name, title, address, telephone number, order number, sales price.
(What do you think is missing?)
- KVRian
- 1169 posts since 24 Feb, 2012
I find most stuff to follow the previous German regulations anyway (beside trivial details).
But I wonder about this, Urs, can you elaborate please?
Urs wrote:Say hi to your local data protection authority and let them know that you've taken all steps necessary to comply with GDPR.
Fabien from Tokyo Dawn Records
Check out my audio processors over at the Tokyo Dawn Labs!
- u-he
- 28063 posts since 8 Aug, 2002 from Berlin
FabienTDR wrote: I find most stuff to follow the previous German regulations anyway (beside trivial details).
But I wonder about this, Urs, can you elaborate please?
Urs wrote: Say hi to your local data protection authority and let them know that you've taken all steps necessary to comply with GDPR.
You need to announce the person responsible for privacy to the local data protection authority. I'm not sure if that accounts for all small businesses, but it is certainly necessary as soon as you have at least 1 employee whose pay checks and tax statements you handle.
- u-he
- 28063 posts since 8 Aug, 2002 from Berlin
Also, because we need a data security officer, we hired an external company to fill in our sheets and take over that role. But that's because we have more than 10 people handling data.
- KVRian
- 1169 posts since 24 Feb, 2012
Ah thank you, I understand. Yes, we're smaller and should be able to ignore it.
Fabien from Tokyo Dawn Records
Check out my audio processors over at the Tokyo Dawn Labs!
- Richard_Synapse
- KVRian
- 1136 posts since 20 Dec, 2010
quikquak wrote: I’m allowed to keep share-it sales info that gets emailed and kept on my studio computer? It’ll be a massive pain if I can’t easily keep tabs on real purchase users. I guess I can just use Share-it’s records which is a little painful to use.
Urs wrote: Of course you can keep them. You just need to document this and write that sheet which says who's handling those and what for.
I will probably delete them on a monthly schedule and keep nothing older than a quarter.
This is what we do now too. There is really no reason to keep many records anyway, in particular not support emails and such stuff. Much easier to get rid of everything than having to document and explain why you store such data (probably there is no good reason to begin with).
Richard
Synapse Audio Software - www.synapse-audio.com
- KVRAF
- 2249 posts since 2 Feb, 2009 from Germany
Even if the new GDPR has good intentions, from the viewpoint of a developer or shop it's not good. Especially after the EU MOSS VAT (in case you don't use external services for the process like Shareit, Cleverbridge etc.).
For most persons or smaller businesses it will be hard to fix it till 25th May, so many points you have to adjust and think about, from advertising programs, YouTube embeds (SoundCloud looks right now as no longer usable as an embedded audio player based on the GDPR), SSL, contact forms & comments, internal plugins in your website system... and right now many plugins are just getting updates which are maybe essential for your website, for example if you use a website based on WordPress and use a security plugin like WordFence - right now it would violate the GDPR law, so in some ways/points it's also kinda wait&hope that they will be fixed in time, next to the negative point that you probably have to give away many functions or possibilities in your current settings (especially on social network base).
- Richard_Synapse
- KVRian
- 1136 posts since 20 Dec, 2010
Cyforce wrote: Even if the new GDPR has good intentions, from the viewpoint of a developer or shop it's not good. Especially after the EU MOSS VAT (in case you don't use external services for the process like Shareit, Cleverbridge etc.).
If this wasn't bad enough, there's the planned ePrivacy regulations, perhaps worse than both combined.
Anyway to stay on-topic, here's a generator for german/english privacy statements:
https://www.wbs-law.de/it-recht/datensc ... generator/
Obviously no one will guarantee its safety, and individual adjustments probably need to be made, but it's a starting point, and it is free of charge.
Richard
Synapse Audio Software - www.synapse-audio.com
- KVRAF
- 2256 posts since 29 May, 2012
Meanwhile our government guys are swift in copy paste technology and several companies recently started sending SMS messages regarding their compliance of new privacy laws in addition to their usual spam messages which by law they are not allowed to send either (the trick is to include some content that tells how to unsubscribe in spite of the fact that it's inconvenient to do so considering the fact that hyperlinks are not supported in SMS messages)
~stratum~