
Okay, so here it is in plain writing. A lot of what we've been talking about, particularly when it comes to data ownership, is now becoming law in Europe. Any sites that serve Europe on the internet serve this law, thus it also applies worldwide. Ning is based in Europe, so as a result it operates under European jurisdiction.

Ning has to do something about this, or people's entire data may become illegal.

Here's what one platform said about this, and it's not enough! Ning isn't even addressing this problem.

GDPR stands for General Data Protection Regulation and is the EC regulation which also has an extraterritorial effect - it applies to every organization doing business with EU residents. 

We received a number of requests to clarify what we plan to do about making Dolphin platform GDPR-compliant. After much research and consultation, here is our statement: 

There is no such thing as GDPR-compliant software.

Unfortunately, neither downloadable software nor software-as-a-service can be GDPR compliant. GDPR is a regulation for organizations that deal with the individual’s PII (Personally Identifiable Information), which includes all data that could potentially be used to identify an individual. Organizations must enforce GDPR compliance, including the new principles for user consent; the right to be forgotten; and many others. GDPR also states that software which is used to handle PII must follow the principles of Security by Design (SbD) and Privacy by Design (PbD). Both are rather broad and theoretical principles, not formally defined yet.

Thus, a software vendor could be following the SbD and PbD principles, but that does not make them GDPR compliant. It just helps their customers to become GDPR compliant.

An organization dealing with PII can be GDPR compliant.

A service provider that acts as “data processor” in the context of GDPR can be GDPR compliant. 

A website operator should not think that they just need to install certain software or turn the key of a turnkey SaaS solution and they are done. GDPR compliance is a matter of a combination of the organisational practices, legal practices, information availability and software configuration.

Using Dolphin platform does not guarantee GDPR-compliance.

Dolphin is a 100% open-source, highly-configurable platform. Website operator assumes full control and full responsibility for their website practices and any compliance requirements. It is possible to configure Dolphin to meet the requirements of a GDPR-compliant organisation. It is also possible to configure Dolphin to be in breach of such requirements. It is also conceivable that some organisations do not need their Dolphin-powered websites to be configured in-line with GDPR requirements. 

Boonex Pty Ltd does not have control over or responsibility for GDPR-related practices of organisations using Dolphin platform. 

How can Boonex assist in making your organisation GDPR-compliant?

Our goal is to gradually introduce functionality that helps to establish GDPR-compliant website configuration. Some of the requirements are already catered for; some require more time and some are still too fuzzy or impossible to process. The general advice is to consult with your legal professionals to ensure your policies, website disclaimers and internal process is in alignment with the current state of the GDPR situation.

 

We will be addressing the following main aspects of this law in the following way:

  • Tell the user: who you are, why you collect the data, for how long and who receives it.
This requirement includes and goes beyond the old "European cookie law". We plan to include a site announcement feature (pop-up and link on registration) briefly explaining that the site is collecting personal data and that the details are listed on the Terms and About pages. The content of both these pages is under the site operator's control, but we will include a basic template for declaring the reasons for collecting data, types of data collected, time and access information. Site operators will need to review those templates and extend them according to the specific site setup information.
  • Get a clear consent, before collecting any data.
The GDPR-notice setting, when activated, will prevent registrations without consent. 
  • Let users access their data, and take it with them.

This is by far the most controversial and unclear requirement. While users can be easily given a "Facebook-style" download-package of their data, GDPR postulates broader requirements that include the ability to use that data elsewhere (on another platform). In the absence of an industry-wide standard for data-portability, this requirement is downright impossible to implement. We would be most happy to see such standard developed and applied, as it would mean that users would be finally able to take their Facebook/Twitter/Linkedin data and port it to, say, a Dolphin-powered site. We are actively supporting such projects and currently work on our own blockchain-based specification for the same. Until such standard is available, we will be offering a module that allows users to download their posts/comments in most generic format. The first version of this module will be available before the 25 May 2018. Further development and updates will follow.

  • Let users delete their data

Account deletion feature in Dolphin already supports the full removal of the user data and posted content. Content that has been "shared" or "quoted" does not constitute the user content and therefore can not be deleted. 

It is important to note, that this requirement supposedly covers data backups, which for all practical purposes cannot be "edited" to remove specific user-data. The backup policy of your organisation may be changed to only maintain backups for no more than 72 hours and purge all the older backups. This is beyond the scope of Dolphin platform control and must be addressed by the site operator and their hosting operator. 

  • Let users know if data breaches occur
Boonex is not in control of the Dolphin-based websites and does not receive any information about data-breach. Moreover, data-breach may occur outside of the scope of the Dolphin platform (on hosting server level, in backend CRM system, at backups level, etc). Therefore we can only commit to ensuring that we always advise website operators about any vulnerabilities or known widespread data-breach occurrences to help with preventing or assessing data-breaches. It is the site operator responsibility to ensure that end-users are informed in a timely manner. 

Data Protection

And the biggest question of all here is the data-protection. GDPR encourages Pseudonymisation, Anonymisation and Encryption of any data that can identify a user. While Dolphin supports full-site SSL to process client-to-server and server-to-client data transmission, this requirement is much broader and more complicated.

In theory, you are required to obfuscate/hash/anonymise/etc datasets like names, aliases, addresses, etc. This includes access to the data by site administrators and hosting operators, etc. - so it can not be solved simply by visibility permissions. Moreover, depending on your chosen site settings you may start collecting personal data via custom form fields, which the platform would not identify as PII, and would not obfuscate in any way. Therefore, it has to be a combined effort of the site operators and the implementation team to ensure that the data that needs to be tokenized is collected and handled in a correct way. Some websites may have to change their policies and some websites may have to explicitly state that for the purpose of their service provision some of the data (like Names) has to remain public (which may or may not be GDPR-compliant). 

At this stage, there is no clear path to how we can accommodate for this requirement in a generic, customisable way. We seek and encourage any feedback on what may be the best option. 

Watch The Space

All-in-all the situation is incredibly uncertain. GDPR regulation, as it stands, effectively makes all current popular social networks and community sites, including Facebook, Twitter and Linkedin non-compliant. It also makes all Wordpress-powered, Joomla-powered, Drupal-powered and just about any CMS-powered websites non-compliant. In other words, 90% of the Internet is currently in breach of the GDPR law and it will take decades before that drops down to even 50%. Nobody really knows what to do about it exactly and there are plenty of services that should supposedly help with some parts of the puzzle, but none offer a full-scope guarantee. We will be observing the situation and will be providing whatever tools we possibly can to help Dolphin-powered website operators. 


Replies

  • Yeah this freaks me out reading this. I never even knew a GDPR law even existed until that message. For all I know, it's already in effect.

  • Does the GDPR even think it's going to get anywhere? This is an attempt at power and control. It's also an attempt at censorship. And here's why.

    Your domain, your rules. You are already agreeing to become a part of something; if you give out your information, it's your responsibility to ensure it's safe. Nobody else's. Only you can control what you give out. Now if a site was proven to be hacked, or even using people's data for malicious purposes, such as identity theft or personal harm, then I can see the point. But the only so-called websites operating on such a scope are banks. And yet, what isn't personally collected about people? You've got names, emails, phone numbers and other administrative data about what they like, what they hate, all at your fingertips. What specifically wouldn't allow data like that to get into some hacker's hands, especially considering it's all found in one place, on many servers? It would be very convenient for a said hacker to get away with hacking as a result, because this law would prove the website is responsible for complying with security laws, not the hacker. Charging the innocent just because it could be proven the website platform itself is in danger, and is also a danger.

    I say this is about censorship because any website that can't prove it has taken measures to enforce this law, if found out, or getting into trouble with the powers that be, all be they a bloody mismanaged dictatorship at that, could lead to other websites also being in jeopardy of the same. Because they are found on the same IP address. The one in question of hosting the content or data of others. Therefore it immediately becomes a platform-wide issue.

    In one change of law, people's data could be already facing critical attention by law makers in the European Union by association itself. I don't want anyone to have to go through trumped up charges beyond their control. We can prevent this if we all work together, so this isn't an issue. We'd be one of the first platforms implementing such a change on a global scale, and will assure anyone wanting to get involved with social communities, that this won't ever happen. It's almost worth paying twice the price of a historical Ning site just to have this assurance.

    I don't agree with this law. I don't like its looming implementation over all of us. But damn it, I have the right to free speech. So I'm not worried about the outcome of my opinions, although I dare not use a disclaimer to justify them.

    I have got half a mind to tell the European Union to get stuffed, stop your inventions in affairs outside your jurisdiction! A part of me just wants to embrace it, keep my head down and see what comes of it. A part of me is scared, confused and unsure of whether or not this will or won't affect us. A part of me thinks this is a turning point in the internet's history, and that it's going to just get worse. I don't know what to think or believe. I know I am tired of being represented by people who are all too trigger happy, it seems, to let people's power be ruled by others. We need to have one another's backs, not fight over who gets to tell each other what to do. This is ridiculous and I sure as hell want to get out of the line of fire, so to speak, if a legal war ensues. I won't have something taken from me because of a technicality deemed an oversight or a misunderstanding.

    We have, at the time of this writing, a little under a month to get this sorted out. I can't ignore this, it's too manipulative. I hate the manipulation going on and I think laws being what they are today, more than half of them deserve a recall. End of story. It all starts with that oaf for a president in the United States. If he never came into office, we wouldn't be in this situation. I am mad at the world, at the media, at politics, at global censorship and yet I feel as though we have missed the point entirely. This can still be prevented, it's never too late. We're being led by force, and this is not right. I am all for the freedom of the people, but at the will of the hands of the same people who request it individually. If you don't put in the work to request something individually, no European law or any other can save you or will save you. It's nobody else's responsibility to hold your hand while you accept a nanny state all around you. It's time for a real good long talk about what constitutes the right to be compliant. It's to the point where we don't get a say in what laws get passed, and that doesn't sit right with me. It shouldn't be this complicated at the cost of someone's misunderstanding. Even if I'm missing the point entirely, who's to say I don't have a point?

    The folks over at the UN are sure loving the chance to regulate the sale of technology for the future. And they're getting their wish. Of that, I'm certain. It's up to us to accept it, or rebut it by any means necessary. I think the European Union has gone too far with their demands. Particularly because you can't enforce fairness and pretty language. It loses its meaning, and since common sense seems to be leaving us day by day, we can't sit here and do nothing. This is just how I feel about the whole affair.
