You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Jul 6, 2021. It is now read-only.
What do we have to change in Openki so it can be operated in accordance with the GDPR? It is clear we're both a "data controller" and a "data processor" offering services to EU-residents. I've had a short discussion with @lu40 and we agree that not only must we implement this anyway, it's also a good thing to have for all users.
I see a few points where we have to adapt:
Consent: We're not currently getting complete consent from our users
Deletion: Not all relevant entries have an easily accessed deletion option
Data access: There is no way for "data subjects" to get a machine-readable "data-package"
In detail:
We need to get consent from our users. I think for some things we're already getting consent by virtue of having well-labeled buttons. By renaming "Save" to "Publish" I assume the forms would be getting explicit consent. We don't plan on doing anything besides using the data for the purpose of the site which in my understanding is well-communicated.
On the other hand, we're using analytics to track user behaviour which is not at all obvious. We don't have consent under the GDPR for this tracking. Matomo themselves are unsure under what circumstances we'll be allowed to collect analytics data: https://matomo.org/blog/2017/09/gdpr-potential-consequences-piwik/ I'd say we can either get explicit consent or we heavily curtail or disable tracking. If it is possible to collect relevant statistics while avoiding collecting personal data, we should do that. But that probably means not having a tracking-cookie and not sending user-id. We could get permission on signup for this. Answering the questions around tracking is non-critical because we can just disable tracking at any time without affecting operations.
Since most actions can easily be reversed, deletion will be rather easy to achieve I think. I'm unsure whether we need to offer an all-in-one "nuke" button which we don't have at current. Account deletion will not delete your comments for example.
We'll need something similar to the already exisiting JSON-API so we can offer data access.
The text was updated successfully, but these errors were encountered:
What do we have to change in Openki so it can be operated in accordance with the GDPR? It is clear we're both a "data controller" and a "data processor" offering services to EU-residents. I've had a short discussion with @lu40 and we agree that not only must we implement this anyway, it's also a good thing to have for all users.
I see a few points where we have to adapt:
In detail:
We need to get consent from our users. I think for some things we're already getting consent by virtue of having well-labeled buttons. By renaming "Save" to "Publish" I assume the forms would be getting explicit consent. We don't plan on doing anything besides using the data for the purpose of the site which in my understanding is well-communicated.
On the other hand, we're using analytics to track user behaviour which is not at all obvious. We don't have consent under the GDPR for this tracking. Matomo themselves are unsure under what circumstances we'll be allowed to collect analytics data: https://matomo.org/blog/2017/09/gdpr-potential-consequences-piwik/ I'd say we can either get explicit consent or we heavily curtail or disable tracking. If it is possible to collect relevant statistics while avoiding collecting personal data, we should do that. But that probably means not having a tracking-cookie and not sending user-id. We could get permission on signup for this. Answering the questions around tracking is non-critical because we can just disable tracking at any time without affecting operations.
Since most actions can easily be reversed, deletion will be rather easy to achieve I think. I'm unsure whether we need to offer an all-in-one "nuke" button which we don't have at current. Account deletion will not delete your comments for example.
We'll need something similar to the already exisiting JSON-API so we can offer data access.
The text was updated successfully, but these errors were encountered: