-
• #52
And £6k spent on very good lawyers for the Privacy Policy and Terms of Use.
They remain accurate enough (they don't over claim anything nor under claim to the point of being too restrictive and to have left me exposed).
-
• #53
I only keep backups for 1 week.
Pure disaster recovery of the database and nothing else. Stored on TarSnap.
-
• #54
I do not have any data stored about you, only your email (which you can view on your profile page) and the content that you have then provided/created on the forum which is fully accessible via the search link demonstrated in the first post.
I do not store any additional data anywhere, the Shopify shop was deleted, the server logs (which used to have debug info like "sent email asdf5456a4sdf6sadf to email@example.com") have been deleted and disabled, the web server logs (storage of IP address to request) have been deleted and disabled... there is nothing now beyond the content you provide.
If you make a GDPR request, this will be the answer I give... I'll adjust the link in the first post and give it back to you and you can view the data you have created and your email and the only things missing from that link are the things / people you are ignoring, which is this: https://www.lfgss.com/ignored/ and the things you are following https://www.lfgss.com/updates/ .
You are free to inspect the code on github, and view the database structure there too. You can verify for yourself that the software does what I claim it does.
-
• #55
From making subject access requests at Uni, I had to prove my identity by responding through my Uni email address, or, by going in person with ID to match what they have on file. I then had to phone them and answer security questions.
If you don't have that ID on file then you can only go by ownership of the email address used on the account, which if the person making the request no longer has access to, cannot be proven to be their data.
Your approach seems pretty watertight relative to existing SAR provisions is what I'm trying to say - it's for the applicant to prove ownership of the data, not you.
-
• #56
Presumably most of that was the Terms of Use? The Privacy Policy looks like adjusted boilerplate from the ICO.
-
• #57
No I’m not saying you’re lying or anything, frankly I’m not fussed what data you keep on me because I know I haven’t disclosed anything personal that I’d not want kept.
I was just wondering if you had to actively tell people you’re only keeping their user names or email addresses or whatever else.
Deleting it all is great but you need to have written somewhere other than this thread, a list of whatever data you keep on people and what you use it for, even if you barely keep any data. No?
-
• #58
I don’t mean a list of data as in the links you provided.
I mean the privacy policy which says for each user, we will keep only your username and email address, this will be used for blah blah blah. Etc
-
• #59
All covered in the privacy policy and ToU - no?
-
• #60
Probably. I haven’t read it in a while
-
• #61
How about a retention policy. How long is a user’s data - however little, stored if they become inactive for example?
-
• #62
Define inactive? Some people on here come back after a hiatus of years at a time.
-
• #63
Exactly, still have to have one though.
It’d be up to David to decide how long is long enough but you still have to delete everything you have on a person if after a set period of time, they have had no interaction with an organisation.
Forgive me if I’m wrong on any points, I’ve read very little about gdpr
-
• #64
Not if whatever data you have is in line with being used for what its original purpose was.
i.e. mailing lists.
If you signed up and gave permission for an organisation to contact you with events and news indefinitely, they can continue to do so as long as you give them a clear understanding of their right to opt-out and they're not using your data or sharing it beyond that. i.e. in the arts it's quite common for cunts you've never heard of to beg, borrow or steal mailing lists from pals/orgs they work for and start spamming you with whatever drivel they're putting on with no way to stop it other than the spam button. GDPR would make that comprehensively illegal as I understand that as you never gave consent for that data to be shared or used.
Most of the sense of GDPR seems to be trying to let people understand what data is being kept, what it's used for and how to access it - seems to me that David could sign everyone out the site, and create a pop-up detailing what data kept etc with a check box for consent or a no for deletion, and that would both give explicit consent/information on their next log in and that would satisfy all these criteria as he's not sharing or using the data for nefarious ends.
-
• #65
It's all there.
"Timeframe: your personal information will be kept by us for as long as your account remains active. If you deactivate your account your personal information will be kept for a reasonable period of time after this so that we can complete any activities it is being used for. Your comments on the forum will be associated with your account as long as your account remains active. If you deactivate your account, your comments will be kept (as they form part of the discussions on the forum) but will no longer be associated with your account."
-
• #66
What you’re saying is right only you cannot keep anyone’s data indefinitely now. If someone is inactive, you must delete their data after a reasonable timeframe. Indefinitely is not reasonable
-
• #67
Seems I’ve only succeeded in wasting everyone’s time haha. Good work David
-
• #68
Define: data.
Because the content you've granted a permanent publishing right over.
And the only data I hold that isn't content is the email. And it is permitted to keep some records for a system to be functional and to implement things like fraud / spam / impersonation systems. So I can keep email indefinitely for those purposes.
The email is the only data that is really in question, and if I delete it I deprive you of the ability to access your content in the future, and I break the ability to perform spam detection, etc.
You can request for your account to be deleted, and that process remains unchanged... I hard delete your profile and associate the content already granted right to publish to the @deleted profile and it will forever be visible but uneditable and unassociated with an identity.
Your email address only truly gets deleted if the account you have asked to be deleted is the last such account on any forum on the Microcosm platform. So if you are on LFGSS and Brixton Cycles... and ask for deletion from LFGSS, then I as the owner of the platform still have your email. This is much like private message deletion... only when all parties to the message have deleted is it truly deleted from the servers.
The only exception to that is if I've banned you. Bans permanently store an email and are permitted to do so as again they are exempt from the parts of the GDPR that you can request deletion for... as the GDPR does permit companies and entities to store data indefinitely providing there is a purpose behind it, a justified reason to do so.
It seems to me that you need to read up on the GDPR because it isn't carte blanche to request anything and demand deletion of everything. It's that for everything beyond what is needed for a service to be provided... and by that, not just provided to you but provided to others too.
-
• #69
It seems to me that you need to read up on the GDPR
I'll be first to admit this. I have no need to know about such things for work or personal life which is why I have only skim read a few articles.
I was just curious about the steps you've taken. Wasn't pointing a finger or anything
-
• #70
Here's an example of one org that I know took legal advice and sent this out:
Privacy Statement
As many of you will be aware, new regulations regarding data
protection have come into force this month.
Organisation takes our responsibility for protecting data seriously
and have reviewed our practices to ensure we work in accordance with
the General Data Protection Regulation (GDPR) which is designed to
improve data security and privacy of European citizens.
Over the last two months we have been assessing the way we gather and
store information in respect to this new legislation. We would like to
give some key points about this to you so you know that you are in
control:
Your data (for example your name and email address) will be kept
securely by us and will not be passed onto any third party. You can
update your preferences and unsubscribe at any time by clicking the
link at the base of every email we send you (this is organised through
email service iContact). You can also ask for your information to be
changed or removed by contacting us directly by emailing
info@organisation.org.uk. Your information is used solely for the
purpose of sending you updates which we think will be of interest to
you in respect to our programme and activities.
If you feel at this stage that you would like to unsubscribe from our
mailing list please click the word 'unsubscribe' at the base of this
email. This is tailored specifically for you as the addressee of the
email.
Pretty comprehensive, doesn't have any clauses about indefinite/time limited.
(edit) Velocio's already covered this. doh.
-
• #71
I should stop commenting because as we've established, I don't know enough on the subject but as far as I was aware you don't have to actually tell the user about your retention policy, you just have to have one.
-
• #72
Will this be the first major test of GDPR and the ICO: https://www.bbc.co.uk/news/business-44465331
Although not sure if it can be applied retrospectively.
-
• #73
gdpr question
if you don't want a company / website following you on the screen that pops up do you click off / reject all / disable all
will that stop them taking your soul / data
-
• #74
@Velocio do you store IP addresses or does that come under the "don't store anything ever" policy as well? I was wondering whether this impacts your ability to identify aliases/sock-puppets/etc., which may or may not be a problem in certain threads
(of course the benefit of being able to identify aliases is not worth the risk of violating GDPR)
Edit: oh, re-reading the first post I can see that you're not logging them. Ignore me then.
-
• #75
I log nothing :)
But that doesn't stop me from banning things... it turns out there are other ways and those do not require storage of data.
One of the hardest bits is implementing the right to be deleted alongside keeping backups. If someone wants to be deleted you don't have to delete them from all of your existing backups, you just have to make sure you delete the data of those individuals should you ever restore a backup.
This means you end up having to keep a list of identifiers (and not one that can identify an individual otherwise you're back to square one) and have a process to apply that deletion after a backup restore.
And hopefully the backups that do contain their personal data will eventually be deleted (replaced by backups that no longer contain that data). Eternal backups are a bad thing.
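-
The post-restore deletion step described in #75, sketched as an added example; it is not code from the thread or from the forum software. The two-table schema, the `@deleted` placeholder id of 0 and the 7-day backup retention window are assumptions made for illustration, and all sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

DELETED_ID = 0                         # assumed "@deleted" placeholder profile
BACKUP_RETENTION = timedelta(days=7)   # assumed age of the oldest restorable backup

def make_db(profiles, comments):
    """In-memory database standing in for a freshly restored backup."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE profiles(id INTEGER PRIMARY KEY, name TEXT, email TEXT);"
        "CREATE TABLE comments(id INTEGER PRIMARY KEY, profile_id INTEGER, body TEXT);")
    db.executemany("INSERT INTO profiles VALUES (?,?,?)", profiles)
    db.executemany("INSERT INTO comments VALUES (?,?,?)", comments)
    db.commit()
    return db

def replay_erasures(db, ledger, backup_taken_at, now):
    """Re-apply recorded erasures to a restored backup; return the pruned ledger.

    ledger maps an opaque profile id to the UTC time of erasure. It holds no
    name or email and is stored outside the backed-up database.
    """
    with db:  # single transaction: the restore is scrubbed fully or not at all
        for pid, erased_at in ledger.items():
            if erased_at < backup_taken_at:
                continue  # already absent from this backup; the id may have been reused
            db.execute("UPDATE comments SET profile_id=? WHERE profile_id=?",
                       (DELETED_ID, pid))
            db.execute("DELETE FROM profiles WHERE id=?", (pid,))
    # No surviving backup predates these entries, so they are no longer needed.
    return {p: t for p, t in ledger.items() if now - t <= BACKUP_RETENTION}

def demo():
    """Constructed sample data: restore a two-day-old backup and scrub it."""
    now = datetime(2018, 6, 20, tzinfo=timezone.utc)
    db = make_db(
        [(0, "deleted", None), (1, "alice", "alice@example.com"),
         (2, "bob", "bob@example.com")],
        [(10, 1, "first post"), (11, 2, "reply")])
    ledger = {1: now - timedelta(days=1),    # erased after the backup: replay
              2: now - timedelta(days=3),    # erased before it: id 2 is a new user
              9: now - timedelta(days=10)}   # older than any backup: prune
    kept = replay_erasures(db, ledger, now - timedelta(days=2), now)
    profiles = [r[0] for r in db.execute("SELECT id FROM profiles ORDER BY id")]
    owners = dict(db.execute("SELECT id, profile_id FROM comments"))
    return profiles, owners, sorted(kept)

if __name__ == "__main__":
    print(demo())
```

Comparing each erasure time with the backup's snapshot time is what keeps a reused profile id from deleting a newer account, and pruning by the retention window stops the ledger itself from becoming an eternal record.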