Viewing 18 posts - 41 through 58 (of 58 total)
  • GDPR
  • deadkenny
    Free Member

    Because it’s an awful lot of work as I have a lot of clients so it would be a fair chunk of my time.

    And that’s where letsencrypt type services can come in. I’ve got a similar problem with the software I work on as it’s a pain for some customers to get a certificate and install it, often requiring hand holding for some who lack IT skills (or an IT department, or managers who are unwilling to use their IT department for some reason).

    I’m planning on doing like many apps are now, and offer a simple button for letsencrypt which will use their API to get one, installs it and they’re good to go until it needs renewing (they only last 90 days) and then the software can renew it automatically I believe.

    Whole idea of letsencrypt (non-profit org) is to make certificates available for the masses at no cost and push the web to HTTPS, which is what Google are pushing by flagging non-HTTP as insecure and ranking them lower in search results.

    fatbikeandcoffee
    Free Member

    As I understand it the underlying premise is evidence, can you explain or demonstrate you have it for a reason and that has to be a good thing.

    I’ve taken a view to document when people sign up to any list for years but then I’ve also had a view to encourage people to leave the list at every opportunity as what’s the point in emailing people that don’t want to hear from you?

    I would concur with a lot of the comments above that professionals (assuming they are!) are sometimes worth the money and in my case we had advice and legal involved to get fixed up a few months back.

    It feels a bit millennium bug but talking to some of the big data processors I know they are already expecting someone to fall foul quite fast, a perceived list of victims already in hand at ICO post May and increased headcount at ICO to get people, fines and income for the government. Yikes.

    James

    bikebouy
    Free Member

    As I understand it the underlying premise is evidence, can you explain or demonstrate you have it for a reason and that has to be a good thing.

    This.

    The ICO will use it against you, they’ll be on the hunt for some Big Names so they can prove a point of the regulation ..

    If they’d hung on for Cambridge Analytica until past the 25th I’m fairly sure they’d have more zest for any convictions.. and media output.

    trailwagger
    Free Member

    The ICO will be gunning for known entities on the 26th, the likes of Talk Talk who have a history of poor data protection.

    *edit, The ICO is also self funded from the fines they generate, you can guess what that will mean.

    Mark
    Full Member

    I’m joining in here as we have a real GDPR quandary here at Singletrack and I think it would be useful to get your take on it. We are looking for legal advice right now for some clarity but here’s the crux of the issue for us, and you.

    We’ve always run this forum on the basis that you need to think before you post and that once you have spoken your comments are published and there’s no taking them back. Stand by what you say, think before saying it and imagine first that you are saying it to the other person’s face. Which is all noble and well intentioned and I know it doesn’t always work, but as a guiding principle it’s a good one to follow I think. But I’m really worried that all this is going to be put at risk with GDPR due to technicalities in the legislation, classification of personal data and misunderstandings. Like I say, I’m going to run this through some proper legal expertise.

    Some of my concerns then.

    IP addresses are classed as personal data. As such we will be requested to remove this by users. But we use IP addresses to moderate and this is going to cause moderation to be more difficult.

    We use IP lookups to detect if we suspect a user has more than one account. This is necessary in order to police things such as bans. Without this a banned user could simply re-register an account and they have circumvented the ban. I know this is not fool proof but it’s one tool we use to help moderate the forum. Taking that away is going to make things harder.

    More seriously, we have been contacted on many occasions by legal authorities, i.e. the police, with requests to help them track down a crime. This involves us disclosing IP addresses which they can use to help trace users. We only do this for legal authorities with a genuine reason for doing so. We have it laid down in our site T&Cs. No matter what you think about this one thing it does is attribute a level of accountability to what users post in here. One poor outcome of this is around hate speech and just general nastiness. If you know you can say anything on the forum and then request that your account be closed and all your personal data removed from our servers then anything you’ve said on the forum will be anonymised, including potentially your username, which is also classed as personal information as far as we can tell. I think that’s a bad situation that will not help us in our strive to keep the forum as a good place to visit. I think it will encourage poorer behaviour overall. But there’s more..

    If we remove your username from your posts then you can effectively say anything you like with zero consequences and no way to be held to account for it, either in the real world or online – be that accountability legal or moral.

    I would like to retain usernames and keep them connected to posts as the author so that everyone knows who said what. Usernames are personal info so that’s not entirely clear if we can or not. It may be we have a legitimate interest to do so but even if we do I foresee arguments and conflict around users claims. Our lives are not going to be made easier, that’s for sure.

    Plus, I want to keep a record of usernames at least in order to protect those users. If we remove usernames from the database and ergo posts by those users are rendered anonymous, without a record of the usernames anyone else can then come along and re-register that username and commence posting with it. I think that will be a very bad outcome for the forum and actually lead to identity issues at large. I would like to keep a record of all used usernames in order to prevent them ever being re-registered in the future, ironically for the benefit of the person who has asked to be removed from our database. Certainly I think that would be best for the community at large too. Again, I’m hoping that under the legitimate interest clause we will be able to do that, but it’s not clear.

    Next.. It has been suggested that under GDPR a user can not only demand their data be removed from our database but their posts be removed too. That would be a disaster for the forum if that were the case. It’s our claim/hope that this would fall under the freedom of speech clause. It’s actually why we currently have the shared copyright clause in our terms. ie. you post and we then have a shared right with you over the right to keep it there. If posts were removed it would render threads illegible, ruin the historical archive of the forum and lead to a wild west situation where users would feel free to say anything they like knowing they could just get us to delete it if they wanted to at any point in the future. ie. leading to the exact opposite of what we have always striven to create – a forum that is as respectful and well behaved (as far as possible).

    So, I’m concerned about the impact that GDPR is going to have on forums like ours. I am certain it’s going to cause us a shitload of extra work after the 25th May no matter what the clarifications are. Do you really want a forum where there is literally no accountability for what any user says? Where identity of users becomes vague?

    I don’t know yet the full ramifications of how the forum will look after the 25th but my worry is it’s going to be complicated and the community of this forum and indeed all forums is going to be changed dramatically, and not necessarily for the better.

    Thoughts?

    stevextc
    Free Member

    I think we’re in agreement Steve – regardless of anything else above, you need a comprehensive register in place – if you have that you’ll always be in a stronger position than without even if the worst happened.

    Relying on consent – yes, not ideal but reflects reality for many companies where it’s not going to be realistic (economically) to go back and remove data outside of ‘need’ – as such, they would need to ensure it’s registered and they’re ready to erase/anonymise if a request comes in (or can show why it’s not reasonable to remove it but that the data is still beyond reach).

    I agree we are broadly in agreement …

    I think my interpretation though is if you can’t realistically and economically minimise it then come up with a reason in the Data Register that if possible isn’t consent.

    As an example take billing data.

    Many/Most companies will need to keep this for 7 years just to conform to legislation.  That is a very obvious legal basis.

    However it is arguable that you may need to extend this … for dealing with customer queries or if legislation changes (such as anti money laundering) …  take say your electricity bill… its calculated on consumption but errors can and do occur… and it is used to forecast your next bill.  This falls into automated processing but still.. it’s a pretty defendable legitimate interest to keep the units used and costs.

    You could of course give customers the chance to opt-in, ultimately with the caveat “we will just guess your next bill” but legislation says they have to forecast and advise clients on saving money and energy.

    Of course this may at some point be tested in court…. it’s possible that this may be deemed non-legitimate but then at least you need to go back and delete/anonymise everyone’s data consistently… if you rely on consent you’re then in a position of deleting what bits people decide they want deleting on a customer by customer basis… and if what you are claiming is reasonable then it’s not likely the court is going to ask you to specifically be unable to provide a service legislated by the relevant authorities.

    At the same time even if the test was you needed to delete the data then your competitors will ALSO have to comply.

    IF you leave it to opt-in consent however you’re dealing with this on a customer by customer basis … whereas a competitor may be relying on legitimate interest.

    You could argue that if the test case goes with deletion/anonymisation then the company that has consent can still use the data… however it’s more likely that by then the data will be some patchwork of inconsistent data according to what individual customers have consented to.

    At this point .. if you actually do action on the deletion/anonymisation (and you’d be pretty stupid to pretend) then that data is gone.  Come some over-riding legislation or a test case that it is legitimate you wrecked your billing and forecasting database for no good reason.

    Obviously .. I just picked a certain type of data and certain company…. and in some specific contexts consent is the best option.  However the point I’m making is it’s not usually the best option so long as you have others.

    trailwagger
    Free Member

    Here’s an interesting scenario.

    Yesterday one of our employees visited a website for office furniture. He did not buy anything and did not enter any details.

    This morning our purchasing department get a phone call from this company saying, “we see you visited our website, is there anything we can help you with?”

    No consent, no sign up, but the company are able to identify which company visited their site and also identify the correct person to contact by searching LinkedIn and possibly other networks to find a name for a purchasing employee.

    They will still be able to do this after 25th, because you visited their site, so there is a reasonable expectation that you will be interested in their goods and services.

    Makes you wonder what GDPR will actually change.

    Mark
    Full Member

    My inbox will change.

    stevextc
    Free Member

    IP addresses are classed as personal data. As such we will be requested to remove this by users. But we use IP addresses to moderate and this is going to cause moderation to be more difficult.

    We use IP lookups to detect if we suspect a user has more than one account. This is necessary in order to police things such as bans. Without this a banned user could simply re-register an account and they have circumvented the ban. I know this is not fool proof but it’s one tool we use to help moderate the forum. Taking that away is going to make things harder.

    Those are legitimate interests

    More seriously, we have been contacted on many occasions by legal authorities, i.e. the police, with requests to help them track down a crime. This involves us disclosing IP addresses which they can use to help trace users. We only do this for legal authorities with a genuine reason for doing so.

    Legal basis … (or if not legitimate interests)

    The rest of this sounds very legitimate… but it’s also somewhat complex when it comes to deleting posts for a forum because posts can be quoted etc.

    Assuming you don’t want to pay a huge amount ..

    1/ You can go and check the T&C’s of other internet services.

    Copy/Paste it all together and then see what “the big boys are doing” as they will have paid for the legal advice.

    2/ Come May 25th (you can do it now but you’ll need to pay) you can personally (as in being a data subject) then issue a DSAR to said “big boys”.  Further you can exert your right to data portability and ask them to supply you with it.

    3/ You can also copy what the ICO is doing for itself 😀

    (They have to track complaints and such)

    Whatever you do though make sure your data register contains this and your reasons.

    Make sure your privacy policy is up to date.

    In many ways you are in a good position because you have the forum database and can use this to answer DSAR’s and you can automate a lot of that.

    In most cases you are not meant to limit HOW someone issues a DSAR … (i.e. phone, mail etc.) but in light of this being a forum that is likely not hugely applicable to you!

    Finally, justify your basis for keeping the database of users (document and put in Data Register) and then extend this to allow you to do some sort of case management that includes tracking GDPR requests.  This is obviously legitimate/legal basis because the GDPR states you must be able to do this!  (In a round about way)

    Mark
    Full Member

    Thanks Steve..

    Very helpful.

    stevextc
    Free Member

    As I understand it the underlying premise is evidence, can you explain or demonstrate you have it for a reason and that has to be a good thing.

    I’ve taken a view to document when people sign up to any list for years but then I’ve also had a view to encourage people to leave the list at every opportunity as what’s the point in emailing people that don’t want to hear from you?

    A really simple view … the underlying premise is that personal data is the property of the “data subject”

    You can use that data (like a public footpath across private farmland) if you have legitimate interest but you don’t OWN it you are just using it.

    If you do use it and then SERIOUSLY mis-use it… (using the footpath access to dig some nice table tops and using weedkiller on the farmer’s crops to clear vegetation) you’re wilfully misusing it and you’re going to be screwed… you are causing obvious damage (this is important later)

    If you slightly misuse it… like riding across the footpath when it’s not being used … and you have a reasonable reason you’re unlikely to be screwed but you may be told not to ride across it again.  Let’s say your reason was the alternative was riding along a bypass …

    If you hold my CC numbers, bank details etc. and you misuse these then obviously that is either direct criminal damage or indirect … and most importantly if you LOSE my bank details in a breach … you’re exposing me to damage.  (Hence you must notify ICO and me ASAP) .. if you lose my name and address.. yeah not great but I’m in a phone book and electoral register etc. and the damage is probably some spam mail.

    It feels a bit millennium bug but talking to some of the big data processors I know they are already expecting someone to fall foul quite fast, a perceived list of victims already in hand at ICO post May and increased headcount at ICO to get people, fines and income for the government.

    If you read Elizabeth Denham’s blog then this really doesn’t seem to be the case… (For contrast read the Irish ICO’s where some huge internet names are registered)

    The ICO will use it against you, they’ll be on the hunt for some Big Names so they can prove a point of the regulation ..

    If you believe lack of evidence will protect you then better to fold the company now.

    Back to the bikes on the footpath over private land…

    If you turn up in court or refuse to turn up even because “The law doesn’t apply to me and I don’t recognise your authority” you will be given indefinite accommodation at the tax payers expense.  Meanwhile you’ll be well and truly screwed over.

    If however you have an operation on that day .. then you may well get some sympathy… but what will play out badly is just not responding.

    whitestone
    Free Member

    I’m just looking at this again as I’m the membership secretary for a running club. There have been clarifications in the year or so since I last did so. We don’t hold much personal information, even before GDPR this was kept to a minimum and I’ve no reason to increase it. We don’t pass the information on to anyone. Even writing a simple privacy statement to this effect for the club website is fraught!

    Mark: I think it’s reasonable to argue that usernames, IP addresses, etc serve a legitimate interest as you have shown: X posts a hate message then asks for their personal details to be deleted; Y takes offence at the message and decides to pursue it in court. But you’ve now taken positive steps to protect the hate poster and may well be seen as complicit in it. But just what do you do with the hate message itself? Leave it? Delete it? Replace with a message stating that it broke forum rules?

    If you’ve written something then it’s no different to having said it and you can’t “un-say” something!

    trailwagger
    Free Member

    Mark: I think it’s reasonable to argue that usernames, IP addresses, etc serve a legitimate interest as you have shown: X posts a hate message then asks for their personal details to be deleted; Y takes offence at the message and decides to pursue it in court. But you’ve now taken positive steps to protect the hate poster and may well be seen as complicit in it. But just what do you do with the hate message itself? Leave it? Delete it? Replace with a message stating that it broke forum rules?

    Remember this pertains to personal data, ie data that identifies an individual. So data subjects cannot make you delete all their forum posts. Not sure about what happens if they post the personal information of another individual though. My guess would be that they are responsible and liable for that posting, not you (so long as it’s backed up by your terms and conditions)

    hels
    Free Member

    I could spend all day working through some of the misapprehensions on here, but I will stick to the big stuff:

    The ICO is NOT SELF FUNDED BY FINES.  Fines go back to the Treasury.

    Mark – the right to erasure is not absolute – if you have a continuing reason to process personal data that is linked to the purpose for which you collected it you may not have to.  See the ICO guide https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

    You do still have to respond and explain this to the person, but you can get out ahead of that with a well written privacy notice, that details the purposes and legal basis for the processing, and some other info it is now a legal requirement to provide.

    Requests from the Police for personal data – this was covered under Section 29 of the DPA and will be replicated in the Data Protection Bill (this is the vehicle UK Gov are using for the derogations/exemptions available to member states) which is still moving through the process.

    In any case, this allows you to pass information to the Police if you want to.  You don’t have to, it is still the decision of the data controller to disclose information to enforcement bodies.

    In my personal view – other views are available – you could make an argument that forum posts are not personal data, as you cannot identify an individual from the data.  Unless you know them.  Anyway that’s worth considering.

    footflaps
    Full Member

    I’d take a look at the Guardian’s Comment is Free T&Cs, they’ll have spent millions on legal advice with regard to deleting a user’s history….

    stevextc
    Free Member

    I could spend all day working through some of the misapprehensions on here, but I will stick to the big stuff:

    The ICO is NOT SELF FUNDED BY FINES.  Fines go back to the Treasury.

    I think you’re pissing into the wind… people who are claiming that the ICO is funded by fines are going to go round in circular arguments basically … “well its the government innit,.”

    In my personal view – other views are available – you could make an argument that forum posts are not personal data, as you cannot identify an individual from the data.  Unless you know them.  Anyway that’s worth considering.

    It’s a view I share … but there are a couple of complexities.

    poly
    Free Member

    Mark – I think it’s much more likely you’ll fall foul of a  data breach like the “big hack” than encounter any financial penalty for arguing the points you made (legit interest, etc) and then being found to be wrong.  Your worst case scenario with erasure etc (assuming you behave sensibly, document properly, and respond to requests explaining your reasons) is that the ICO *might* interpret the law differently and write to you demanding you change.  It might seem daft but the lawyers will actually be far better placed to advise you on accepting or fighting a specific demand probably with the benefit of case law / experience than hypothetical problems.  At the moment most lawyers adopt a defensive approach which ignores the practicalities of running your business (most lawyers have never run a business other than a legal practice).

    leffeboy
    Full Member

    Next.. It has been suggested that under GDPR a user can not only demand their data be removed from our database but their posts be removed too. That would be a disaster for the forum if that were the case

    This is one that I’m not so sure about.  I’m not so sure that I like the idea that posts live forever although I understand your problem.  I had a friend that wanted to become a politician (many years ago now) but he, as have most people, had posted stuff in many places on the internet before.  Back then it was easy to close your accounts and the stuff would largely disappear so we persuaded him to clean up his online presence before taking it any further.  What you are saying is that you don’t want that to be possible and I think that is partly what the GDPR is meant to address, it should actually be possible to clean up behind you.  When you are 30 you don’t want to be held to what you said and thought when you were 20.  The downside of digital is not that it is available, it is that it is so easily available.  I’m not sure what the solution is but I think I prefer that people can delete their history, especially on something like a bike forum.


The topic ‘GDPR’ is closed to new replies.