General Data Protection Regulation (GDPR) - useful/practical tips for small developers

DSP, Plugin and Host development discussion.

Post

I think there are many who are a little overwhelmed with it.
This thread is not intended to discuss how good or bad the GDPR is. It is also not intended for general political discussions, you can open another thread if somebody wants to discuss that.

https://en.wikipedia.org/wiki/General_D ... Regulation

This thread is intended to give practical tips, especially for small developers/one-person companies, on how to handle the GDPR.

So what can you do to be GDPR compliant?

1. Don't Panic!

2. Make your Website HTTPS

3. Update your privacy policy

What's your favourite resource for this?

4. Sign Data Processing Agreements

Google Analytics?
http://www.google.com/analytics/terms
(For some countries there are forms you can sign and send them to google)
http://www.google.com/analytics/terms/de.pdf

Mailchimp:
https://mailchimp.com/legal/forms/data- ... agreement/

What are your tips/suggestions?

Post

Minimize what you store about your customers, and for how long. Know where this information is stored, and who has access to it. Know what you store. Have that available in written form.

Each of us certainly needs name, email address and license information to provide for customer support. It's common sense, I guess. So if anyone wants his records erased with us, we will request that he understands that license retrieval, license transfers and support are no longer possible. Alternatively, figure out what you accept as proof of purchase, should someone ask for support when his data was wiped. Maybe ask a lawyer.

If you travel abroad, wipe your laptop of any customer information.

Use locally hosted support/ticket systems.

If you have a database, keep it local. Consider hashing customers' email addresses. If a customer contacts you and you need to retrieve data, hash his email address and find a match. (The law encourages anonymization of data.)

Delete backups you don't need anymore.

Say hi to your local data protection authority and let them know that you've taken all steps necessary to comply with GDPR.
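The hashed-email lookup suggested above, written out as an added example (not code from the thread or from any of the posters). It assumes a plain dict standing in for the local database and a constructed demo key; the hash is keyed (HMAC-SHA256) rather than a bare SHA-256, because a bare hash of an email address can be recomputed by anyone who guesses the address, whereas the keyed digest only matches if you also hold the key, which should live outside the database and its backups.

```python
"""Pseudonymous customer records keyed by an HMAC of the e-mail address.

Added example, not from the forum thread. Assumptions: the record store is a
plain dict standing in for a local database; DEMO_KEY is a constructed value
that in practice would come from a secrets store, separate from the data.
"""
import hashlib
import hmac
from typing import Dict, Optional

# Constructed demo key. For real use generate one with secrets.token_bytes(32)
# and keep it outside the database (and outside backups of the database).
DEMO_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)


def normalize_email(email: str) -> str:
    """Canonicalise so 'Alice@Example.com ' and 'alice@example.com' match.

    Only trims whitespace and lower-cases; no provider-specific rules.
    """
    return email.strip().lower()


def pseudonym(email: str, key: bytes) -> str:
    """Keyed hash of the normalised e-mail, as a 64-char hex string.

    Without `key` the digest cannot be recomputed from a guessed address,
    which a plain SHA-256 of the e-mail would allow.
    """
    msg = normalize_email(email).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class CustomerStore:
    """Stores license data under the pseudonym; the address itself is never stored."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._rows: Dict[str, dict] = {}

    def add(self, email: str, record: dict) -> str:
        pid = pseudonym(email, self._key)
        self._rows[pid] = dict(record)
        return pid

    def lookup(self, email: str) -> Optional[dict]:
        """Customer writes in: hash what they give us and find the match."""
        return self._rows.get(pseudonym(email, self._key))

    def erase(self, email: str) -> bool:
        """Erasure request: drop the row if present, report whether it existed."""
        return self._rows.pop(pseudonym(email, self._key), None) is not None

    def contains_plaintext(self, email: str) -> bool:
        """Sanity check that the address never appears anywhere in stored data."""
        needle = normalize_email(email)
        in_values = any(needle in str(v).lower() for v in self._rows.values())
        return in_values or needle in self._rows

    def row_count(self) -> int:
        return len(self._rows)


def demo() -> dict:
    """Run the add / lookup / erase cycle on constructed sample customers."""
    store = CustomerStore(DEMO_KEY)
    store.add("Alice@Example.com", {"license": "LIC-0001", "product": "Synth"})
    store.add("bob@example.org", {"license": "LIC-0002", "product": "EQ"})
    # Different casing and whitespace still resolve to the same row.
    found = store.lookup("  alice@example.com ")
    erased = store.erase("bob@example.org")
    return {
        "found_license": found["license"] if found else None,
        "bob_erased": erased,
        "bob_after_erase": store.lookup("bob@example.org"),
        "plaintext_leak": store.contains_plaintext("alice@example.com"),
        "rows": store.row_count(),
    }


if __name__ == "__main__":
    print(demo())
```

Note that this is pseudonymisation, not anonymisation: whoever holds the key can still link a digest back to an address they already know, so the key deserves the same care as the data it protects, and a record stays tied to the address for as long as the key exists.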

Post

I’m allowed to keep share-it sales info that gets emailed and kept on my studio computer? It’ll be a massive pain if I can’t easily keep tabs on real purchase users. I guess I can just use Share-it’s records which is a little painful to use.

Post

quikquak wrote:I’m allowed to keep share-it sales info that gets emailed and kept on my studio computer? It’ll be a massive pain if I can’t easily keep tabs on real purchase users. I guess I can just use Share-it’s records which is a little painful to use.
Of course you can keep them. You just need to document this and write that sheet which says who's handling those and what for.

I will probably delete them on a monthly schedule and keep nothing older than a quarter.

This whole thing is quite a bit about "if and once data is breached, have a really good reason why you had it in the first place". So if data isn't essential, remove it. If you can anonymize, do so. If someone handles the data (customer support, newsletter etc.), know what they do, and restrict it to the amount of information necessary.

Post

Hmmm, I surfed around a bit and found that hardly anyone has prepared anything.

Anyone who sells his stuff to EU customers through his shop needs some kind of privacy policy from May 25th, i.e. a way to inform users what personal data they'll collect, process and store (name, email, day of purchase), what they need it for and on which legal grounds (e.g. fulfil a contract, give support), where they get it from (e.g. ShareIt), how long they'll store it, who they share it with (hopefully no one).

As for MailChimp, we're biting the bullet and asking our subscribers to rejoin on a fresh list, using MailChimp's GDPR-compliant forms. Next week we'll upload our new privacy policy, set up a new sign-up procedure and we'll send that final newsletter before that date.

As for Google Analytics - we hardly ever used it. We're dropping it from our website next week as well. We'll check our logfile statistics to see if traffic goes up or down.

- U

Post

Anyone who sells his stuff to EU customers through his shop needs some kind of privacy policy from May 25th, i.e. a way to inform users what personal data they'll collect, process and store (name, email, day of purchase), what they need it for and on which legal grounds (e.g. fulfil a contract, give support), where they get it from (e.g. ShareIt), how long they'll store it, who they share it with (hopefully no one).
I wonder how this will actually be checked when the seller is outside E.U.
~stratum~

Post

Maybe we could create a privacy policy, for share-it users or similar, as a community project.
This is not legal advice, here a start / a kind of blueprint for free use.

We use XYZ as our distribution platform. XYZ acts here as a reseller of our goods. When you place an order on this website, you will be redirected to the server of XYZ.
The general terms and conditions of XYZ can be found on this website. (link)

After the purchase is successfully completed, we receive access to the general order data such as name, title, address, telephone number, order number, sales price.

(What do you think is missing?)

Post

I find most stuff follows the previous German regulations anyway (besides trivial details).

But I wonder about this, Urs, can you elaborate please?
Urs wrote:Say hi to your local data protection authority and let them know that you've taken all steps necessary to comply with GDPR.
Fabien from Tokyo Dawn Records

Check out my audio processors over at the Tokyo Dawn Labs!

Post

FabienTDR wrote:I find most stuff follows the previous German regulations anyway (besides trivial details).

But I wonder about this, Urs, can you elaborate please?
Urs wrote:Say hi to your local data protection authority and let them know that you've taken all steps necessary to comply with GDPR.
You need to announce the person responsible for privacy to the local data protection authority. I'm not sure if that accounts for all small businesses, but it is certainly necessary as soon as you have at least 1 employee whose pay checks and tax statements you handle.

Post

Also, because we need a data security officer, we hired an external company to fill in our sheets and take over that role. But that's because we have more than 10 people handling data.

Post

Ah thank you, I understand. Yes, we're smaller and should be able to ignore it.
Fabien from Tokyo Dawn Records

Check out my audio processors over at the Tokyo Dawn Labs!

Post

Urs wrote:
quikquak wrote:I’m allowed to keep share-it sales info that gets emailed and kept on my studio computer? It’ll be a massive pain if I can’t easily keep tabs on real purchase users. I guess I can just use Share-it’s records which is a little painful to use.
Of course you can keep them. You just need to document this and write that sheet which says who's handling those and what for.

I will probably delete them on a monthly schedule and keep nothing older than a quarter.
This is what we do now too. There is really no reason to keep many records anyway, in particular not support emails and such stuff. Much easier to get rid of everything than having to document and explain why you store such data (probably there is no good reason to begin with).

Richard
Synapse Audio Software - www.synapse-audio.com

Post

Even if the new GDPR has good intentions, from the viewpoint of a developer or shop it's not good. Especially after the EU MOSS VAT (in cases where you don't use external services for the process like Shareit, Cleverbridge etc).

For most persons or smaller businesses it will be hard to fix it till 25th May; there are so many points you have to adjust and think about, from advertising programmes, YouTube embeds (SoundCloud looks right now as no longer usable as an embedded audio player based on the GDPR), SSL, contact forms & comments, internal plugins in your website system... and right now many plugins are just getting updates which are maybe essential for your website. For example, if you use a website based on WordPress and use a security plugin like WordFence, right now it would violate the GDPR law, so in some ways/points it's also kind of wait & hope that they will be fixed in time, next to the negative point that you probably have to give away many functions or possibilities in your current settings (especially on a social network basis).

Post

Cyforce wrote:Even if the new GDPR has good intentions, from the viewpoint of a developer or shop it's not good. Especially after the EU MOSS VAT (in cases where you don't use external services for the process like Shareit, Cleverbridge etc).
If this wasn't bad enough, there's the planned ePrivacy regulations, perhaps worse than both combined. :x

Anyway, to stay on-topic, here's a generator for German/English privacy statements:
https://www.wbs-law.de/it-recht/datensc ... generator/

Obviously no one will guarantee its safety, and individual adjustments probably need to be made, but it's a starting point, and it is free of charge.

Richard
Synapse Audio Software - www.synapse-audio.com

Post

Meanwhile our government guys are swift in copy-paste technology, and several companies recently started sending SMS messages regarding their compliance with the new privacy laws, in addition to their usual spam messages, which by law they are not allowed to send either (the trick is to include some content that tells you how to unsubscribe, in spite of the fact that it's inconvenient to do so, considering that hyperlinks are not supported in SMS messages).
~stratum~
