Re: EU General Data Protection Regulation
Yes, something we all should be aware of - a quote I have come across (at https://lizhendersondata.wordpress.com/2016/12/24/gdpr-are-you-aware/ ):
“The directive will affect every single business that holds data on customers in Europe, whether or not the business is located in Europe or is part of the EU.”
Arguing that a group is not a 'business', or 'organisation' (word used elsewhere) is likely to turn into a lawyer enrichment exercise!
And another from the Irish Data Protection Commissioner (at https://www.dataprotection.ie/docs/Are-you-a-Data-Controller/y/43.htm )
"In essence, you are a data controller if you can answer YES to the following question:"
Which I interpret as including Groups.io, Inc., and any group that includes a member (I suspect one is enough!) in the EU, and applying to Mark and the Owner of any such group.
On Sat, Apr 7, 2018 at 03:56 am, Chris Jones wrote:
Victoria has raised an important issue; the Groups of which I am a member do not store (in any form) anything beyond members' Display Names and email addresses, and of course that storage is actually at Groups.io.
Also stored is anything that members post...
IANAL so I am not in a position to speculate on how much responsibility rests with individual Owners and how much with Groups.io as a corporate entity.
Nor am I - but I would hazard a guess at both, at their different levels (owners for groups, and Groups.io for the overall service).
That said, to a large extent, the GDPR is essentially a reiteration, and standardisation across the EU, of what is widely in place, and a codification of what we should be doing anyway as 'good practice' (the biggest thing for many will be the need for this to be documented).
There are guides to the GDPR (overkill for most groups! - the quick 12 step versions are probably more than enough for most) from the UK ICO (at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ ) and the Irish DPC (at http://gdprandyou.ie/ ), and doubtless their equivalents in the other EU countries. Any group run in conjunction with, or for, a 'real life' (i.e. non-email/non-internet) group (of whatever sort) needs to consider how the two - and their policies - interact.
For MOST (not necessarily all) groups, where the only personal data collected is (Display) Name and e-mail address, and anything they choose to post or otherwise upload (in file or database) - you probably need to think if you're asking for more, or have any expectation of it including anything 'sensitive', e.g. health data, I would think (IANAL) a simple statement, on the following lines, would be adequate if made available (as file or part of wiki):
Another thing to beware of is ensuring that any downloaded data (member list? back up of archives? files?) is kept secure (who can do this? and do they?).
For those with more interest, other links I have come across which may be of use include:
https://lizhendersondata.wordpress.com/2016/12/24/gdpr-are-you-aware/
https://lizhendersondata.wordpress.com/2017/01/25/gdpr-initial-steps-whats-next/
https://lizhendersondata.wordpress.com/2017/03/27/gdpr-privacy-notice/
https://lizhendersondata.wordpress.com/2017/05/24/gdpr-plan-do-you-have-yours/
https://lizhendersondata.wordpress.com/2017/06/21/now-gdpr-next-more-data-legislation/
and https://www.theguardian.com/technology/askjack/2018/mar/29/gdpr-email-data-protection-regulations-secure