Boonex Dolphin and GDPR

Andrew Boon posted 22nd of March 2018 in Dolphin.pro News. 18 comments.

GDPR stands for General Data Protection Regulation. It is an EC regulation with extraterritorial effect: it applies to every organization doing business with EU residents.

We received a number of requests to clarify what we plan to do about making the Dolphin platform GDPR-compliant. After much research and consultation, here is our statement:

There is no such thing as GDPR-compliant software.

Unfortunately, neither downloadable software nor software-as-a-service can be GDPR compliant. GDPR is a regulation for organizations that deal with an individual’s PII (Personally Identifiable Information), which includes all data that could potentially be used to identify an individual. Organizations must enforce GDPR compliance, including the new principles for user consent, the right to be forgotten, and many others. GDPR also states that software used to handle PII must follow the principles of Security by Design (SbD) and Privacy by Design (PbD). Both are rather broad and theoretical principles, not formally defined yet.

Thus, a software vendor could be following the SbD and PbD principles, but that does not make them GDPR compliant. It just helps their customers to become GDPR compliant.

An organization dealing with PII can be GDPR compliant.

A service provider that acts as “data processor” in the context of GDPR can be GDPR compliant. 

A website operator should not think that they just need to install certain software or turn the key of a turnkey SaaS solution and they are done. GDPR compliance is a combination of organisational practices, legal practices, information availability and software configuration.

Using the Dolphin platform does not guarantee GDPR compliance.

Dolphin is a 100% open-source, highly configurable platform. The website operator assumes full control and full responsibility for their website practices and any compliance requirements. It is possible to configure Dolphin to meet the requirements of a GDPR-compliant organisation. It is also possible to configure Dolphin to be in breach of such requirements. It is also conceivable that some organisations do not need their Dolphin-powered websites to be configured in line with GDPR requirements.

Boonex Pty Ltd does not have control over or responsibility for GDPR-related practices of organisations using the Dolphin platform.

How can Boonex assist in making your organisation GDPR-compliant?

Our goal is to gradually introduce functionality that helps to establish a GDPR-compliant website configuration. Some of the requirements are already catered for; some require more time and some are still too fuzzy or impossible to process. The general advice is to consult with your legal professionals to ensure your policies, website disclaimers and internal processes are in alignment with the current state of the GDPR situation.

 

We will be addressing the following main aspects of this law in the following way:

  • Tell the user: who you are, why you collect the data, for how long and who receives it.
This requirement includes and goes beyond the old "European cookie law". We plan to include a site announcement feature (pop-up and link on registration) briefly explaining that the site is collecting personal data and that the details are listed on the Terms and About pages. The content of both these pages is under the site operator's control, but we will include a basic template for declaring the reasons for collecting data, types of data collected, time and access information. Site operators will need to review those templates and extend them according to the specific site setup information.
  • Get clear consent before collecting any data.
The GDPR-notice setting, when activated, will prevent registrations without consent.
  • Let users access their data, and take it with them.

This is by far the most controversial and unclear requirement. While users can easily be given a "Facebook-style" download package of their data, GDPR postulates broader requirements that include the ability to use that data elsewhere (on another platform). In the absence of an industry-wide standard for data portability, this requirement is downright impossible to implement. We would be most happy to see such a standard developed and applied, as it would mean that users would finally be able to take their Facebook/Twitter/LinkedIn data and port it to, say, a Dolphin-powered site. We are actively supporting such projects and are currently working on our own blockchain-based specification for the same. Until such a standard is available, we will be offering a module that allows users to download their posts/comments in the most generic format. The first version of this module will be available before 25 May 2018. Further development and updates will follow.

  • Let users delete their data

The account deletion feature in Dolphin already supports the full removal of the user data and posted content. Content that has been "shared" or "quoted" does not constitute the user's content and therefore cannot be deleted.

It is important to note that this requirement supposedly covers data backups, which for all practical purposes cannot be "edited" to remove specific user data. The backup policy of your organisation may be changed to maintain backups for no more than 72 hours and purge all older backups. This is beyond the scope of Dolphin platform control and must be addressed by the site operator and their hosting operator.

  • Let users know if data breaches occur
Boonex is not in control of Dolphin-based websites and does not receive any information about data breaches. Moreover, a data breach may occur outside the scope of the Dolphin platform (at the hosting server level, in a backend CRM system, at the backup level, etc.). Therefore we can only commit to ensuring that we always advise website operators about any vulnerabilities or known widespread data-breach occurrences, to help with preventing or assessing data breaches. It is the site operator's responsibility to ensure that end users are informed in a timely manner.

Data Protection

The biggest question of all here is data protection. GDPR encourages pseudonymisation, anonymisation and encryption of any data that can identify a user. While Dolphin supports full-site SSL for client-to-server and server-to-client data transmission, this requirement is much broader and more complicated.

In theory, you are required to obfuscate, hash or anonymise datasets like names, aliases, addresses, etc. This covers access to the data by site administrators, hosting operators and so on, so it cannot be solved simply by visibility permissions. Moreover, depending on your chosen site settings you may start collecting personal data via custom form fields, which the platform would not identify as PII and would not obfuscate in any way. Therefore, it has to be a combined effort of the site operators and the implementation team to ensure that the data that needs to be tokenized is collected and handled in the correct way. Some websites may have to change their policies, and some websites may have to explicitly state that, for the purpose of their service provision, some of the data (like names) has to remain public (which may or may not be GDPR-compliant).

At this stage, there is no clear path to how we can accommodate this requirement in a generic, customisable way. We seek and encourage any feedback on what may be the best option.

Watch The Space

All in all, the situation is incredibly uncertain. The GDPR regulation, as it stands, effectively makes all current popular social networks and community sites, including Facebook, Twitter and LinkedIn, non-compliant. It also makes all WordPress-powered, Joomla-powered, Drupal-powered and just about any CMS-powered websites non-compliant. In other words, 90% of the Internet is currently in breach of the GDPR law and it will take decades before that drops down to even 50%. Nobody really knows what to do about it exactly, and there are plenty of services that should supposedly help with some parts of the puzzle, but none offer a full-scope guarantee. We will be observing the situation and will be providing whatever tools we possibly can to help Dolphin-powered website operators.

Comments
paansystems
This topic is a real pain in the a** here in the EU. The biggest problem is that no one really knows what to do. Anyway, thanks for diving into this red tape jungle ;)
Andrew Boon
Quite right. It’s a complete mess. But then, it will shake everything a bit and we will see some privacy related improvements.
geek_girl
My take on this is that the EU can go F themselves. Hopefully the EU will soon collapse; the UK is leaving and Poland gave the EU the two finger salute recently. Facebook and Twitter should have told Germany to go F themselves; the solution would have been to simply shut down in Germany and the outcry from the public over losing access to post stupidity to FaceSucks and Twitter should have fixed the problem.
Andrew Boon
It is one of those situations when a regulation is presented as an "in your own interest" measure and is widely supported by target market (electorate constituents). I think most networks will have to cave to some extent. Surely it will be hard for them to collect fines, but they certainly can create a service disruption (forcing ISPs to blacklist non-compliant services).
Corey
This whole thing is a huge nightmare. Sad part is that visitors could easily disable whatever cookies they don't like in their browsers, use a VPN, and simply NOT ENTER PERSONAL DATA if they are that paranoid about it all.

These regulations exist for a few reasons, only.
1. To make the E.U. a ton of money.
2. To inflate the egos of those in charge.
3. To protect users from themselves when they already can do it.

I'm probably going to block all E.U. nations outright, and put something in my T.O.S. that their business is not welcome. There is a limit to the amount of abuse business owners should have to put up with. Especially from foreign countries. I'm in the USA. I have no say, no recourse, nothing.

Up theirs.
riddick
Completely off-topic, but hey. USA wants to rule the world at gunpoint, EU wants to rule by legislation. I sleep better in the EU.
theguypc
Only the nuts, my friend. There are plenty of us fighting that kind of mentality. Sadly, we are losing.

FTR, it all starts with greed and by wanting to rule the world. Don't let slightly more humble beginnings fool you.
I want to start with a comment about the opening statement. "GDPR ... applies to every organization doing business with EU residents." ... I want to challenge that premise. Unless a foreign nation has a treaty on this topic, nothing the EU wants to do is binding on non-EU nations... unless you accept the premise that the EU now has authority over the sovereign laws of other countries. Having said that, SbD and PbD are all good things... I just object to the fact that the EU think they rule the world...
Dear Boonex, to date we have not yet been able to install the new regulation and structure appropriate to the GDPR where even in America you are forced to absolutely have to put the regulation in place. Please note that starting from today we will not assume any responsibility for problems arising from your lack of interest in wanting to standardize the platform to the new regulation. This lack of interest will cause us to close the site. Please speed up the update process to avoid unpleasant surprises. Sure of a feedback on this, we offer distinct greetings.
Profesize
Hello. Has this module been created? If so, do you have a link to it please?

"Until such standard is available, we will be offering a module that allows users to download their posts/comments in most generic format. The first version of this module will be available before the 25 May 2018. Further development and updates will follow."
Is this module available yet?
Profesize
The GDPR deadline has come and gone and there is no sign of it so far.
Yes, this is why I am concerned. Are they going to release?
Profesize
Well if they were going to release it then they can't be taking it too seriously since the 25th May has now passed.
mika_p
I'm taking my site offline until this is half resolved :(
mika_p
Any updates with progress implementing these features? Thanks,
read it, by Vassili F. Zamperlini Milano (Rozzano 20089) Lombardy North Italy Europe.
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.