Discussing General Data Protection Regulation (GDPR)

eva2000 · Apr 14, 2018

Folks my I noticed I added an extended privacy policy to the forums and part of the motivation is surrounding GDPR - General Data Protection Regulation which comes into effect on May 25, 2018. There's alot more to GDPR compliance, so thought it's about time I started a thread this forum for it and see what other web site owners are doing for GDPR.

GDPR Info Links

Home Page of EU GDPR

General Data Protection Regulation - Wikipedia

Guide to the General Data Protection Regulation (GDPR)

What is the GDPR and how will it affect your business - iubenda blog

GDPR Guide - Getting started - Privacy & Cookie Policy Generator | iubenda

How GDPR Will Change The Way You Develop

WTF is GDPR?

Cookies And Consent: How GDPR Impacts Online Tracking

13 Key GDPR Terms You Need to Know

What is GDPR? Everything you need to know about the new general data protection regulations | ZDNet

Hey, so Europe's GDPR privacy deadline for Whois? We're going to miss it ... by a year or so

GDPR Compliance Tools in WordPress

GDPR Data protection self assessment

GDPR Tool Kit | Shared Assessments

What is General Data Protections Regulation (GDPR)? - dummies

The Beginner’s Guide To General Data Protection Regulation (GDPR)

The Beginner’s Guide To The GDPR | AdProfs

Examples of how this will effect us

What does it mean for people?

Consumers can expect to see more privacy warnings and consent requests. These must be made separately, and cannot be bundled with general terms and conditions.

The rules mean that tech companies can no longer assume users want to hand over their data. Companies must now count on the opposite, and reflect that in their services and products.

For example: Rather than automatically signing a user up for a mailing list and later offering an unsubscribe option, companies now have to explicitly seek consent ahead of time. The default option when asking users if they want to subscribe must be "no."

Some brands are already asking consumers if they want to remain on email marketing lists.

Companies are also required to tell authorities about any data security breach within 72 hours of discovering it -- a rule that should eliminate big gaps between the business finding out and customers being informed.
Click to expand...

buik · Apr 14, 2018

eva2000 said: ↑

Folks my I noticed I added an extended privacy policy to the forums and part of the motivation is surrounding GDPR - General Data Protection Regulation which comes into effect on May 25, 2018. There's alot more to GDPR compliance, so thought it's about time I started a thread this forum for it and see what other web site owners are doing for GDPR.
Click to expand...

From your example:

Simply put, this means brands must explicitly educate users on how they plan to use their personal data, on an opt-in basis. More importantly, organizations can't restrict website usability or services based on whether or not consent was granted.
Click to expand...

However, if a cookie collects any personal data, which, under GDPR, includes IP addresses that are tied to users, this could be considered an infringement on regulation and subject to penalty.
Click to expand...

In short, if you want to comply with the GDPR, you must explicitly request permission to track users.
Only a policy is not enough.

GDPR example:

It is a lot of work to fully comply with GDPR. Because you're from Australia. I wonder if you should want this.

eva2000 · Apr 14, 2018

Yeah there's a lot more to do General Data Protection Regulation - Wikipedia

GDPR extends the scope of EU data protection law to all foreign companies processing data of EU residents.[4] It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 2% of worldwide turnover or €10 million, whichever is higher.[5]

The GDPR also brings a new set of "digital rights" for EU citizens in an age of an increase of the economic value of personal data in the digital economy.
Click to expand...

eva2000 · Apr 14, 2018

Nginx.com blog also covered some uses for Nginx nginScript for access logs utilising a 'Data Masking' approach nginScript Use Case: Data Masking for User Privacy. Centmin Mod Nginx server also optionally supports Nginx nginScript module too. Though probably not something a forum needs to do.

For many website owners, this presents challenges for archiving and analyzing log files if the data leaves the EU. For data moving into the US, the EU‑US Privacy Shield provides some protection but faces legal challenges by privacy groups and governments who do not believe the level of protection is adequate.

However, protecting personal data in log files is not just an EU problem. For organizations with security certifications like ISO/ICE 27001, moving log files outside of the security realm where they were generated, say from network ops to marketing, can compromise the scope and compliance of the certification.
Click to expand...

Simple Approaches Do Not Work
The simplest approach to personal data protection is to strip IP addresses from logs before they are exported. This is easy to achieve with standard Linux command line tools, but log analysis systems may expect log files in a standard format and fail to import logs that omit the IP address field. Even if logs are successfully imported, the value of log processing may be significantly reduced if the analysis system relies on IP addresses to track a user across a site.

Another potential approach, substituting fake or random values for real IP addresses, results in log files that look complete, but the quality of log analysis is compromised because each log entry appears to originate from a different randomly generated IP address.

Masking the Client IP Address
The most effective solution is to use a technique called data masking to transform the real IP address into one that does not identify the end user but still allows correlation of website activity for a particular user. Data masking algorithms always produce the same pseudorandom value for a given input value in a way that ensures it cannot be converted back to the original input value. Every occurrence of an IP address is always transformed to the same pseudorandom value.

You can implement IP address masking in NGINX and NGINX Plus with the nginScript module. nginScript is a unique JavaScript implementation for NGINX and NGINX Plus, designed specifically for server‑side use cases and per‑request processing. In this case we execute a small amount of JavaScript code to mask the client IP address as each request is logged.
Click to expand...

Jon Snow · Apr 14, 2018

What if the site is non-profit? What are they really going to do if you do not comply?

eva2000 · Apr 14, 2018

Jon Snow said: ↑

What if the site is non-profit? What are they really going to do if you do not comply?
Click to expand...

GDPR Compliance: Will GDPR Affect Your Nonprofit? | BoardEffect

Nonprofits Can’t Afford to Ignore GDPR

Nonprofits can’t afford to assume GPDR doesn’t apply to them. The stakes for noncompliance are high—penalties can be as high as 4 percent of annual global revenues—and the reality is that the regulation will impact many organizations. In addition to nonprofits with a physical presence in the EU, nonprofits with EU-based employees, donors, grantees, or service recipients are likely required to comply as well.

If you’re unsure whether your nonprofit is subject to GDPR, start by considering the following questions:

Does your organization offer goods or services to citizens in the EU, even if they are free?

Does your organization collect, process, view, or store EU personal data?

Does your nonprofit receive contributions from EU organizations or individuals?

Does your organization offer goods or services to children under the age of 16 in the EU?

Click to expand...

eva2000 · Apr 14, 2018

bassie said: ↑

It is a lot of work to fully comply with GDPR. Because you're from Australia. I wonder if you should want this.
Click to expand...

How GDPR Will Change The Way You Develop

Who Is Impacted By The Privacy Overhaul?
European data protection rules are, and always have been, extraterritorial. They apply to all personal data collected, processed, and retained about persons within the European Union regardless of citizenship or nationality.

That simply means that if you do business in Europe, or collect data on European users, you must protect their data in full accordance with the regulation as if you yourself were in Europe. If you are not prepared to meet that legal requirement, you should not do business in Europe. (Indeed, any developer collecting European data who is surprised to hear this news should explain what they have been doing with that data since 1995.)

GDPR applies to all businesses, organizations, sectors, situations, and scenarios, regardless of a business’s size, head count, or financial turnover. A small app studio is every bit as beholden to these rules as a large corporation.
Click to expand...

Revenge · Apr 14, 2018

bassie said: ↑

It is a lot of work to fully comply with GDPR. Because you're from Australia. I wonder if you should want this.
Click to expand...

But im from Europe, so he needs to comply if he want to serve European users.

Facebook is from United States, but if they don't comply, Europe can block Facebook access to European Countries. Simple as that.

In a year or 2 at most, United States will also have something similar to this.

buik · Apr 14, 2018

Revenge said: ↑

But im from Europe, so he needs to comply if he want to serve European users.
Click to expand...

@eva2000 does need nothing of course.
Good luck Europe blocking a relatively small forum like this.

Europe can force big company's who operate in Europe, with European offices on a legal basis.
They can't force a private person from Australia. Both not legally and not technically.
Viva la @eva2000

eva2000 · Apr 14, 2018

Revenge said: ↑

In a year or 2 at most, United States will also have something similar to this.
Click to expand...

Yeah other countries are follow in GDPR's footsteps so really is matter of when not if we (as web site owners)/I need to comply.

Was just thinking would be fairly easy for me to implement Nginx access log data masking nginScript Use Case: Data Masking for User Privacy out the box for Centmin Mod Nginx installs which Centmin Mod detects the server as having a geo location within Europe or use Nginx geoip location module to do stuff on a per continent basis i.e. EU continent

Revenge · Apr 14, 2018

bassie said: ↑

@eva2000 does need nothing of course.
Good luck Europe blocking a relatively small forum like this.

Europe can force big company's who operate in Europe, with European offices on a legal basis.
They can't force a private person from Australia. Both not legally and not technically.
Viva la @eva2000
Click to expand...

Offcourse they won't do that, because this is a small forum. But if they really wanted, they could simple block centminmod forum in Europe. Like China blocks Google in their country. Its nothing that hard to do.

But like i said, they won't care, especially if its a small site.

eva2000 · Apr 14, 2018

Revenge said: ↑

But like i said, they won't care, especially if its a small site.
Click to expand...

Yeah true, though no one starts a web site/forum with the intention of remaining 'small' forever

hmm What is the GDPR and how will it affect your business - iubenda blog

Consent (Articles 7&8):
Consent obtained from users must be explicit and verifiable (opt-in). In getting consent for data use, you may not use overly complicated or indecipherable terms/ wording —this includes legalese and unnecessary jargon. This means that privacy notices must be laid out legibly (see ours here) using understandable language and clauses so that users are clear on what they’re consenting to. Consent for children under 13 must be given by a legal guardian using verification measures (e.g, control questions) and in general, it must be as easy for users to withdraw consent as it is for them to give it.

Because consent is such an important issue under the GDPR, it is mandatory that you keep detailed records of consent. The records should contain details of when and how consent was obtained and exactly what the user was told at the time.
Click to expand...

Matt · Apr 14, 2018

It's a mine field! I'm paying someone to sort mine for me

eva2000 · Apr 14, 2018

Ah that would be alot easier I guess Slavik GDPR for XenForo 1 ?

with Data protection self assessment ?

eva2000 · Apr 14, 2018

Oooh GDPR Tool Kit | Shared Assessments

The GDPR: Data Processor Privacy Tool Kit provides preliminary guidance for both data controllers and data processors to effectively evaluate and manage third party processor risk under the European Union General Data Protection Regulation (GDPR) 2016/679 Article 28 “Processor” directives.
Click to expand...

eva2000 · Apr 14, 2018

self hosted cookie consent popup Cookie Consent by Insites - The most popular solution to the EU cookie law with opt-in demo Demos - Cookie Consent by Insites

opt in demo requires additional call back hook at Disabling cookies - Cookie Consent by Insites not sure if I have my javascript setup correctly though. But looks like the actual logic for disabling and enabling cookies is left up to your to code as per your app ? i.e. Disabled cookies · Issue #205 · insites/cookieconsent

HTML:

<link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.0.3/cookieconsent.min.css" />
<script src="https://cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.0.3/cookieconsent.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
  "palette": {
    "popup": {
      "background": "#e54b4d",
      "text": "#ffffff"
    },
    "button": {
      "background": "#43a6df",
      "text": "#ffffff"
    }
  },
  "theme": "edgeless",
  "type": "opt-in",
  "content": {
    "message": "By using this site you agree to our cookie usage policy",
    "dismiss": "Do Not Allow Cookies",
    "href": "https://community.centminmod.com/help/cookies"
  },
onInitialise: function (status) {
  var type = this.options.type;
  var didConsent = this.hasConsented();
  if (type == 'opt-in' && didConsent) {
    // enable cookies
  }
  if (type == 'opt-out' && !didConsent) {
    // disable cookies
  }
},
 
onStatusChange: function(status, chosenBefore) {
  var type = this.options.type;
  var didConsent = this.hasConsented();
  if (type == 'opt-in' && didConsent) {
    // enable cookies
  }
  if (type == 'opt-out' && !didConsent) {
    // disable cookies
  }
},
 
onRevokeChoice: function() {
  var type = this.options.type;
  if (type == 'opt-in') {
    // disable cookies
  }
  if (type == 'opt-out') {
    // enable cookies
  }
}
})
});
</script>

eva2000 · Apr 14, 2018

Also another script at Cookie Script - free EU cookie law solution

Matt · Apr 15, 2018

This is the one I was trying, but was buggy as hell

Cookie Control by CIVIC - GDPR Cookie Compliance Solution

Using an XF2 plugin currently, as I only have 2 cookies which are related to the site, as I don't runs ads or analytics.

eva2000 · Apr 15, 2018

Matt said: ↑

Using an XF2 plugin currently, as I only have 2 cookies which are related to the site, as I don't runs ads or analytics.
Click to expand...

Ah certainly makes things alot easier then

eva2000 · Apr 16, 2018

Playing with cookie popup notices for European and Oceania regions only on the forums https://community.centminmod.com/threads/forum-privacy-policy-added.14553/#post-62463

Log in / Register

Forums

Get the most out of your Centmin Mod LEMP stack

Discussing General Data Protection Regulation (GDPR)

eva2000 Administrator Staff Member

GDPR Info Links

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Jon Snow Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Revenge Active Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

Matt Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Matt Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Get the most out of your Centmin Mod LEMP stack

Discussing General Data Protection Regulation (GDPR)

eva2000 Administrator Staff Member

GDPR Info Links

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Jon Snow Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Revenge Active Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

Matt Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Matt Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.