General Data Protection Regulation (GDPR) Compliance #379
Comments
Yes, thank you for creating this issue.
I will consult an expert in college regarding this and get back.
These are some of the checks we need to do to be GDPR compliant.
I think for step 1 we are fine, apart from name and email we do not take any information at all. We are collecting usage statistics for Gratia, which is a research project. I think if we list it in the Privacy Policy, we are fine. @arkokoley can you send a PR with an update to the privacy. Step 2 and Step 7, we will need to implement it. We can have a boolean attribute privacyConsent in the users table and prompt the user to accept the privacy policy after signing up. Step 3 - Apart from email ID, they have complete control of all data. Step 4 - We can give an option to the user to request a user data deletion (by email), that deletes all user data. Either way, we do not process user data in any way except for analytics like Google Analytics and Metabase. I don't think this counts as "processing". I am not sure about Gratia though. Step 5 - read step 4. Step 6 - This might be a tricky one to implement. We can choose to delay this if necessary.
As a side note, I noticed that the password field in the database is called
encrypted_password actually stores the hashed password with salt; it is done using the bcrypt algorithm.
Ok @tachyons that's fine, just checking
Here in CircuitVerse, we don't get any terms and conditions or any consents filled before signing up. I think we should focus on having that. I think there are websites that help in making terms for other websites. Also, do we even have any delete my account feature?
There currently isn't a delete account feature on the production website.
I think for us to make people agree to the terms we need to give them this option. Also, we have to make sure that after deleting, all their data is deleted. Do we plan on deleting their public circuits also? Is there some provision that some data is kept and other gets deleted and still it follows GDPR?
I think we can keep some data as long as it isn't personally identifiable and more for analytics purposes (like how many users the platform has had, total number of circuits, etc.) but it's probably better off and safer just deleting their whole account.
But then we have to decide that people who have replicated that circuit as in shared it on their account or like if the teacher deletes his account then students associated with the assignment, they shouldn't be left hanging. So the deletion process has a lot of details we should consider. Let's list all the pointers with solutions and various cases including above points that @tachyons has mentioned @JoshHeng.
Forked circuits should just become independent circuits. For teachers, I think the assignments should just be set to be issued by a 'deleted user' (i.e. just have the user id on the database blank).
Let's try to write all the points in one comment and look for best solutions from our side. So like pick the first point and research on net and come to a solution, suggest it. Let's discuss first if there is some confusion and then we can focus on making a full comment including everything. As of assignments, they are submitted after a deadline is reached so we can't keep that id blank. What we can do though is discard the assignment and notify students that it's no longer available. Let's organize all points in one comment first. Otherwise we'll have 20-30 comments of random discussion. Though if something is unclear we can obviously discuss that. Okay? I am reading all the points myself so if you get stuck we can discuss here/on the dashboard 😊
This is an issue that needs research, which includes some legal help. If someone can do the research and list out the things to be done for GDPR compliance, that will be great.
Notes
Principles
I think that Google Analytics (and other analytics) don't need specific GDPR action/consent (apart from cookie notices) as they do not store personally identifiable data.
It's not just for EU, India has adopted these measures, so it'll work. As far as I know there is one issue which discusses that not all the fields are filled by the user when they register. So that can be
Articles 17 & 18 – Articles 17 and 18 of the GDPR give data subjects more control over personal data that is processed automatically. The result is that data subjects may transfer their personal data between service providers more easily (also called the “right to portability”). Article 35 – Article 35 requires that certain companies appoint data protection officers. Article 79 – Article 79 outlines the penalties for GDPR non-compliance, which can be up to 4% of the violating company’s global annual revenue depending on the nature of the violation.
FYI there are no proper data protection laws in India.
Though strangely it's not effective and fails to account for various measures. India is trying to execute proper laws. Let's hope it happens soon @tachyons
Under the GDPR, you must appoint a DPO if: I don't think we need a DPO
Is this task added to GCI already?
Yes, it was added long back, with the aim of just researching and providing solutions.
No activity on this issue for a prolonged duration, will be closed if no further activities in next 7 days
I think I should mention it here
No activity on this issue for a prolonged duration, will be closed if no further activities in next 7 days
@Aayush-05, how much is ready?
Basically we require an export script for user's data and some changes to the Privacy Policy/TnC reflecting new additions. Rest all is covered.
Is your feature request related to a problem? Please describe.
We need to make the app comply with GDPR to legally enable this app in the EU. We need to review user tracking, user details storage, deletion policy, etc.
Describe the solution you'd like
Need to evaluate potential violations first.
Some possible violations:
Are you working on this? (Yes/No)
No