Jump to content

Recommended Posts


Your GDPR questions answered

Individual Rights

The right to be informed
Invision Community has a built in privacy policy system that is presented to a new user, and existing users when it has been updated.

Terms1.png.3d027181ba57709cf44aee4d4062f371.thumb.png.13eeb5cea4329bbd61db410565627b49.png

 

What should your privacy policy contain? I personally like the look of SEQ Legal's framework which is available for free.

This policy covers the important points such as which cookies are collected, how personal information is used and so on.

There may be other services out there offering similar templates.

Right to erasure
I personally feel that everyone should listen to "A Little Respect" as it's not only a cracking tune, but also carries a wonderful message.

The GDPR document however relates to the individuals right to be forgotten.

Invision Community allows you to delete members. When deleting members, you can elect to remove their content too. There is an option to keep it as Guest content, thus removing the author as identifiable.

It's worth using the 'keep' option after researching the user's posts to make sure they haven't posted personal information such as where they live, etc.

Emailing and Consent
Invision Community has the correct opt-in for bulk emails on registration that is not pre-checked. If the user checks this option, this is recorded with the member's history. Likewise, if they retract this permission, that action is also recorded.

consent3.png.faf513cca718f5be919f0ba9b24076a6.thumb.png.18dd0b7272f5561e75a8428fc92eb1eb.png

 

When you edit the terms and conditions or privacy policy, all users are required to read it again and opt-in again.

Cookies
A lot of GDPR anxiety seems to revolve around these tiny little text files your browser stores. If you read the GDPR document (and who doesn't love a little light reading) then you'll see that very little has actually changed with cookies. It extends current data protection guidance a little to ensure that you are transparent about which cookies you store.

Invision Community has tools to create a floating cookie opt-in bar, and also a page showing which cookies are stored and why.

This is the page that you'd edit to add any cookies your installation sets (if you have enabled Facebook's Pixel, or Google Analytics for example).

Your GDPR Questions
Now let's look at some questions that have been asked on our community and I'll do my best to provide some guidance that should help you make decisions on how to configure your Invision Community to suit your needs.

300863890_Monosnap2018-05-1113-48-57.thumb.jpg.8e5bfdcf308f51274e1e731139224d5d.jpg

Alan!!

Is the soft opt-in cookie policy enough? What about the IP address stored in the session cookie?
Great question. There's conflicting advise out there about this. The GDPR document states:

  Quote

Natural persons may be associated with online identifiers…such as internet protocol addresses, cookie identifiers or other identifiers…. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

The ICO states that session cookies stored for that session only (so they are deleted when the tab / window is closed) are OK as long as they are not used to profile users.

This is re-enforced by EUROPA:

  Quote

Cookies clearly exempt from consent according to the EU advisory body on data protection- WP29 include:

  • user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
  • authentication cookies, to identify the user once he has logged in, for the duration of a session
  • user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration
  • multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
  • load‑balancing cookies, for the duration of session
  • user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)
  • third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.


My feeling is that GDPR isn't really out to stop you creating a functioning website, they are more interested in how you store and use this information.

Thus, I feel that storing a session cookie with an IP address is OK. The user is told what is being stored and instructions are given if they want to delete them.

Given the internet is very much driven by IP addresses, I fail to see how you can not collect an IP address in some form or another. They are collected in access logs deep in the server OS.

Finally, there is a strong legitimate interest in creating a session cookie. It's part and parcel of the website's function and the cookie is not used in any 'bad' way. It just allows guests and members to retain preferences and update "last seen" times to help deliver content.

Do I need to delete all the posts by a member if they ask me to?
We have many large clients in the EU with really impressive and expensive legal teams and they are all unanimous in telling us that there is no requirement to delete content when deleting a user's personal information. The analogy often given is with email: once someone sends you an email you are not obligated to delete that. The same is true with content posted by a user: once they post that content it's no longer "owned" by them and is now out in public.

Ultimately, the decision is yours but do not feel that you have to delete their content. This is not a GDPR requirement.

What about members who haven't validated? They're technically not members but we're still holding their data!
No problem. The system does delete un-validated users and incomplete users automatically for you. You can even set the time delay for deletion in the ACP.

1178220687_Monosnap2018-05-1115-17-41.thumb.jpg.a9098e7f8e737c9f57adcbad5279ccd3.jpg

 

What about RECAPTCHA? I use this, and it technically collects some data!
Just add that you use this service to your privacy policy, like so:

  Quote

Spam Protection
Google reCAPTCHA (Google Inc.)
Google reCAPTCHA is a SPAM protection service provided by Google Inc.
The use of reCAPTCHA is subject to the Google privacy policy and terms of use.

Personal Data collected: Cookies and Usage Data.

Place of processing: United States – Privacy Policy.

I see many companies emailing out asking for members to opt back in for bulk mail, do I need to do this?
Short answer: No.

Since Invision Community 4.0, you can only ever bulk email users that have opted in for bulk emails. There's no way around it, so there's nothing to ask them to opt-in for. They've already done it.

There is a tiny wrinkle in that pre 4.2.7, the opt-in was pre-checked as was the norm for most websites. Moving forward, GDPR asks for explicit consent, so this checkbox cannot be pre-ticked (and isn't in Invision Community 4.2.7 and later). However, the ICO is clear that if the email list has a legitimate interest, and was obtained with soft opt-in, then you don't need to ask again for permission.

What about notifications? They send emails!
Yes they do, but that's OK.

A notification is only ever sent after a user chooses to follow an item. This falls under legitimate interest.

There is also a clear way to stop receiving emails. The user can opt-in and opt-out of email as a notification device at their leisure.

prefs.thumb.jpg.aed1f25b83178c657408a9f17d16d17f.jpg

 

Do I need to stop blocking embeds and external images?
No. The internet is based on cross-linking of things and sharing information. At a very fundamental level, it's going to be incredibly hard to prevent it from happening. Removing these engaging and enriching tools are only going to make your community suffer.

There's no harm in adding a few lines in your privacy policy explaining that the site may feature videos from Vimeo and Youtube as part of user contributions but you do not need to be worried. As stated earlier, GDPR isn't about sucking the fun out of the internet, it's about being responsible and transparent.

Phew.
Hopefully you've got a better understanding about how Invision Community can assist your GDPR compliance efforts.

The best bit of advice is to not panic. If you have any questions, we'd love to hear them. Drop us a line below.

Edited  by Matt

 

GDPR updates for Invision Community 4.3.3

Unless you've been living under a rock, or forgot to opt-in to the memo, GDPR is just around the corner.

Last week we wrote a blog answering your questions on becoming GDPR compliant with Invision Community.

We took away a few good points from that discussion and have the following updates coming up for Invision Community 4.3.3 due early next week.

Downloading Personal Data
Invision Community already has a method of downloading member data via the member export feature that produces a CSV.

However, we wanted Invision Community to be more helpful, so we've added a feature that downloads personal data (such as name, email address, known IP addresses, known devices, opt in details and customer data from Nexus if you're using that) in a handy XML format which is very portable and machine readable.

 

downloadPI.thumb.jpg.8b640409f0a61c4845fafe752ce300cc.jpg

You can access this feature via the ACP member view

The download itself is in a standard XML format.

pi.thumb.jpg.63811c7d7342de02bbc87f45036457fd.jpg

A sample export

Pruning IP Addresses
While there is much debate about whether IP addresses are personal information or not, a good number of our customers requested a way to remove IP addresses from older content.

There are legitimate reasons to store IP addresses for purchase transactions (so fraud can be detected), for security logs (to prevent hackers gaining access) and to prevent spammers registering. However, under the bullet point of not storing information for longer than is required, we have added this feature to remove IP addresses from posted content (reviews, comments, posts, personal messages, etc) after a threshold.

The default is 'Never', so don't worry. Post upgrade you won't see IP addresses removed unless you enter a value.

remove_ips.thumb.jpg.1aedba9f682760d54a8a2774d5f8050a.jpg

This new setting is under Posting

Deleting Members
Invision Community has always had a way to delete a member and retain their content under a "Guest" name.
We've cleaned this up in 4.3.3. When you delete a member, but want to retain their content, you are offered an option to anonymise this. Choosing this option attributes all posted content to 'Guest' and removes any stored IP addresses.

delete.thumb.jpg.3e76c4995f6306994947e491f79ae444.jpg

Deleting a member

Privacy Policy
We've added a neat little feature to automatically list third parties you use on your privacy policy. If you enable Google Analytics, or Facebook Pixel, etc, these are added for you.

privacy_acp.thumb.jpg.119f445df2f2d910521cb53006454422.jpg

The new setting

privacy_public.thumb.jpg.37618baa7c9ab9762d10393fd7a659c6.jpg

 

Finding Settings Easily
To make life a little easier, we've added "GDPR" as a live search keyword for the ACP. Simply tap that into the large search bar and Invision Community will list the relevant settings you may want to change.

gdpr.thumb.jpg.9c0cbf0abaa716061e07846d3f01ba14.jpg

 

These changes show our ongoing commitment to helping you with your GDPR compliance. We'll be watching how GDPR in practise unfolds next month and will continue to adapt where required.

 

Share this post


Link to post
Share on other sites

×