Okay, so here it is in plain writing. A lot of what we've been talking about, particularly when it comes to data ownership, is now becoming law in Europe. Any site that serves Europe on the internet serves this law, thus it also applies worldwide. Ning is based in Europe, so as a result it operates under European jurisdiction.
Ning has to do something about this, or people's entire data may become illegal.
Here's what one platform said about this, and it's not enough! Ning isn't even addressing this problem.
GDPR stands for General Data Protection Regulation and is the EC regulation which also has an extraterritorial effect - it applies to every organization doing business with EU residents.
We received a number of requests to clarify what we plan to do about making Dolphin platform GDPR-compliant. After much research and consultation, here is our statement:
There is no such thing as GDPR-compliant software.
Unfortunately, neither downloadable software nor software-as-a-service can be GDPR compliant. GDPR is a regulation for organizations that deal with the individual’s PII (Personally Identifiable Information), which includes all data that could potentially be used to identify an individual. Organizations must enforce GDPR compliance, including the new principles for user consent; the right to be forgotten; and many others. GDPR also states that software which is used to handle PII must follow the principles of Security by Design (SbD) and Privacy by Design (PbD). Both are rather broad and theoretical principles, not formally defined yet.
Thus, a software vendor could be following the SbD and PbD principles, but that does not make them GDPR compliant. It just helps their customers to become GDPR compliant.
An organization dealing with PII can be GDPR compliant.
A service provider that acts as “data processor” in the context of GDPR can be GDPR compliant.
A website operator should not think that they just need to install certain software or turn the key of a turnkey SaaS solution and they are done. GDPR compliance is a matter of a combination of the organisational practices, legal practices, information availability and software configuration.
Using Dolphin platform does not guarantee GDPR-compliance.
Dolphin is a 100% open-source, highly-configurable platform. The website operator assumes full control and full responsibility for their website practices and any compliance requirements. It is possible to configure Dolphin to meet the requirements of a GDPR-compliant organisation. It is also possible to configure Dolphin to be in breach of such requirements. It is also conceivable that some organisations do not need their Dolphin-powered websites to be configured in line with GDPR requirements.
Boonex Pty Ltd does not have control over or responsibility for GDPR-related practices of organisations using Dolphin platform.
How can Boonex assist in making your organisation GDPR-compliant?
Our goal is to gradually introduce functionality that helps to establish GDPR-compliant website configuration. Some of the requirements are already catered for; some require more time and some are still too fuzzy or impossible to process. The general advice is to consult with your legal professionals to ensure your policies, website disclaimers and internal processes are in alignment with the current state of the GDPR situation.
We will be addressing the following main aspects of this law in the following way:
- Tell the user: who you are, why you collect the data, for how long and who receives it.
- Get a clear consent, before collecting any data.
- Let users access their data, and take it with them.
This is by far the most controversial and unclear requirement. While users can be easily given a "Facebook-style" download package of their data, GDPR postulates broader requirements that include the ability to use that data elsewhere (on another platform). In the absence of an industry-wide standard for data portability, this requirement is downright impossible to implement. We would be most happy to see such a standard developed and applied, as it would mean that users would finally be able to take their Facebook/Twitter/LinkedIn data and port it to, say, a Dolphin-powered site. We are actively supporting such projects and currently work on our own blockchain-based specification for the same. Until such a standard is available, we will be offering a module that allows users to download their posts/comments in the most generic format. The first version of this module will be available before 25 May 2018. Further development and updates will follow.
- Let users delete their data
The account deletion feature in Dolphin already supports the full removal of the user's data and posted content. Content that has been "shared" or "quoted" does not constitute the user's content and therefore cannot be deleted.
It is important to note that this requirement supposedly covers data backups, which for all practical purposes cannot be "edited" to remove specific user data. The backup policy of your organisation may be changed to only maintain backups for no more than 72 hours and purge all the older backups. This is beyond the scope of Dolphin platform control and must be addressed by the site operator and their hosting operator.
- Let users know if data breaches occur
And the biggest question of all here is data protection. GDPR encourages pseudonymisation, anonymisation and encryption of any data that can identify a user. While Dolphin supports full-site SSL to protect client-to-server and server-to-client data transmission, this requirement is much broader and more complicated.
In theory, you are required to obfuscate/hash/anonymise/etc. datasets like names, aliases, addresses, etc. This includes access to the data by site administrators and hosting operators, etc., so it cannot be solved simply by visibility permissions. Moreover, depending on your chosen site settings you may start collecting personal data via custom form fields, which the platform would not identify as PII and would not obfuscate in any way. Therefore, it has to be a combined effort of the site operators and the implementation team to ensure that the data that needs to be tokenized is collected and handled in a correct way. Some websites may have to change their policies and some websites may have to explicitly state that for the purpose of their service provision some of the data (like names) has to remain public (which may or may not be GDPR-compliant).
At this stage, there is no clear path to how we can accommodate this requirement in a generic, customisable way. We seek and encourage any feedback on what may be the best option.
Watch The Space
All in all, the situation is incredibly uncertain. GDPR regulation, as it stands, effectively makes all current popular social networks and community sites, including Facebook, Twitter and LinkedIn, non-compliant. It also makes all WordPress-powered, Joomla-powered, Drupal-powered and just about any CMS-powered websites non-compliant. In other words, 90% of the Internet is currently in breach of the GDPR law and it will take decades before that drops down to even 50%. Nobody really knows what to do about it exactly and there are plenty of services that should supposedly help with some parts of the puzzle, but none offer a full-scope guarantee. We will be observing the situation and will be providing whatever tools we possibly can to help Dolphin-powered website operators.