Re: EU General Data Protection Regulation

Jeremy H

Yes, something we all should be aware of - a quote I have come across (at https://lizhendersondata.wordpress.com/2016/12/24/gdpr-are-you-aware/ ):
“The directive will affect every single business that holds data on customers in Europe, whether or not the business is located in Europe or is part of the EU.”
Arguing that a group is not a 'business', or 'organisation' (word used elsewhere) is likely to turn into a lawyer enrichment exercise!  
And another from the Irish Data Protection Commissioner (at https://www.dataprotection.ie/docs/Are-you-a-Data-Controller/y/43.htm ):
In essence, you are a data controller if you can answer YES to the following question:
  • Do you keep or process any information about living people?
Which I interpret as including Groups.io, Inc., and any group that includes a member (I suspect one is enough!) in the EU, and applying to Mark and the Owner of any such group.

On Sat, Apr 7, 2018 at 03:56 am, Chris Jones wrote:
Victoria has raised an important issue; the Groups of which I am a member do not store (in any form) anything beyond members' Display Names and email addresses, and of course that storage is actually at Groups.io.
Also stored is anything that members post...
IANAL so I am not in a position to speculate on how much responsibility rests with individual Owners and how much with Groups.io as a corporate entity.
Nor am I - but I would hazard a guess at both, at their different levels (owners for groups, and groups.io for the overall service).

That said, to a large extent, the GDPR is essentially a reiteration, and standardisation across the EU, of what is widely in place, and a codification of what we should be doing anyway as 'good practice' (the biggest thing for many will be the need for this to be documented).

There are guides to the GDPR (overkill for most groups! - the quick 12 step versions are probably more than enough for most) from the UK ICO (at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ ) and the Irish DPC (at http://gdprandyou.ie/ ), and doubtless their equivalents in the other EU countries. Any group run in conjunction with, or for, a 'real life' (i.e. non-email/non-internet) group (of whatever sort) needs to consider how the two - and their policies - interact.

Mark should probably be reviewing the groups.io (his!) practices, Terms of Service and Privacy Policy in light of GDPR.

For MOST (not necessarily all) groups, where the only personal data collected is (Display) Name and e-mail address, and anything they choose to post or otherwise upload (in file or database) - you probably need to think about it if you're asking for more, or have any expectation of it including anything 'sensitive', e.g. health data - I would think (IANAL) a simple statement, on the following lines, would be adequate if made available (as a file or part of the wiki):

We collect data <as above> on the basis of 'Legitimate Interests' [see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/ - as it is required or implicit for the functioning of the group]; this data is stored by groups.io in the USA, see their ToS and Privacy Policy, and it is or may be available to any current or future member (or publicly if group archives, etc. are 'public'!), as part of the normal functioning of the group. While Group Owner and Moderators will not disclose this information to third parties [if - as I would hope - this is the case: otherwise state position], we cannot guarantee that other members will not do so. In the event of any issues, please contact Group Owner <give e-mail address>.

Another thing to beware of is ensuring that any downloaded data (member list? back up of archives? files?) is kept secure (who can do this? and do they?).

For those with more interest, other links I have come across which may be of use include:

https://lizhendersondata.wordpress.com/2016/12/24/gdpr-are-you-aware/ ; https://lizhendersondata.wordpress.com/2017/01/25/gdpr-initial-steps-whats-next/ ; https://lizhendersondata.wordpress.com/2017/03/27/gdpr-privacy-notice/ ; https://lizhendersondata.wordpress.com/2017/05/24/gdpr-plan-do-you-have-yours/ ; https://lizhendersondata.wordpress.com/2017/06/21/now-gdpr-next-more-data-legislation/ ; and https://www.theguardian.com/technology/askjack/2018/mar/29/gdpr-email-data-protection-regulations-secure .
