
Analysis of improvements, if needed, for compliance with GDPR #2615

Open
rzido opened this issue May 2, 2018 · 2 comments

Comments


rzido commented May 2, 2018

Background

The General Data Protection Regulation (GDPR) (EU) 2016/679 is an EU regulation on data protection and privacy for all individuals within the European Union. It becomes enforceable on 25 May 2018.

What we need

An analysis would be appropriate in order to detect whether CONSUL needs improvements for compliance with the European Union's (EU) General Data Protection Regulation (GDPR) and also with the forthcoming Spanish Data Protection Law (currently in draft phase).

@atzorvas (Collaborator) commented

Some points that I'm thinking of are:

  • Identify personal data
  • Identify sensitive personal data
  • Retention period of personal data & sensitive personal data
  • Ability to unsubscribe from anything
  • Ability to "delete" a user, either by removing all relevant resources or by masking related attributes/records
  • Ensure that there is explicit consent for newsletters, etc.


rzido commented May 24, 2018

@atzorvas I'd add several items to check:

Explicit consent -> GDPR Article 7, Article 16 and Article 4.11

Register/Sign up

  • Traditional registration: explicit consent to the terms and conditions of use in the register form and additional consent verification (double opt-in).
    There is currently a checkbox (unchecked by default) to tick in order to agree with the terms and conditions of use, and there is another explicit consent step with e-mail account verification.

  • Registration with social login: explicit consent to the terms and conditions of use and additional consent (double opt-in).
    When you sign up with social login there is no prior information and agreement action related to CONSUL's terms and conditions of use; once you sign up you are redirected later to the terms and conditions of use.
    It could be appropriate to add a checkbox (unchecked by default) for "I agree with the terms and conditions of use (social)" and to disable the social login register buttons or show a pop-up message until the terms are accepted.

  • Explicit consent for communications (newsletters, contact by phone, etc.) during the register/sign up process.
    It could be appropriate to request explicit consent for communications during the register/sign up process, or at least to provide information related to this and the possibility of modifying consent on "My account" (there is currently the ability to unsubscribe from newsletters, notifications on comments, direct messages, ... on My account).
    It could be appropriate to add another checkbox (unchecked by default and below "I agree with the terms and conditions of use", for both traditional registration and social login): "I agree to receive communications" (more info).

Consent traceability
A register must exist in order to demonstrate that the data subject has consented to the processing of personal data. Historical and time information on consents? See GDPR Article 7.1.

Terms and conditions of use/Privacy Policy

  • Each deployment needs to adjust this text to the GDPR, national laws and its organization.
    General: see GDPR Article 12, Transparent information, communication and modalities for the exercise of the rights of the data subject (12.1, 12.7), and Article 13, Information to be provided where personal data are collected from the data subject.
    The Privacy Policy must be clearly differentiated from other information in the terms and conditions of use. Standard icons must be used to explain data collection and processing to end users.
    Traditional registration: see GDPR Article 13, Information to be provided where personal data are collected from the data subject.
    Social login? See GDPR Article 14, Information to be provided where personal data have not been obtained from the data subject.

Newsletters

  • Newsletters sent only to users with newsletters enabled.
    This is currently implemented.
  • Links in e-mails (system e-mails, newsletters, ...) to unsubscribe/stop receiving communications, a link to "My account" settings and personal data protection info.

Security of personal data and sensitive personal data

  • Encryption of personal data. See GDPR Article 32.1 (a) related to security of personal data and data processing.
    This is not currently implemented at code level; only the password is encrypted. PostgreSQL allows encryption for specific columns at database level.
  • Pseudonymisation. See GDPR Article 4.5 and Article 32.1 (a) (security of personal data and data processing).
    This is not currently implemented. Personal data is stored in the USERS table. Maybe this table should be split into two: USERS (ID, email, document number, date of birth, phone number, ...) and USERS PROFILE INFORMATION (sign in, erased, email_digest, ...). The USERS table must be encrypted and/or isolated/protected to prevent data breaches, unauthorized access or data misuse.
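The consent register described under "Consent traceability", as an added example that is not part of CONSUL or of this issue: an append-only log of grants and withdrawals, each with a timestamp and the version of the terms shown to the user, so consent can be demonstrated (GDPR Article 7.1) and users who agreed to an older version can be asked again. The purpose names and version strings are assumptions.

```ruby
require 'time'

# Constructed example, not CONSUL code. Each explicit user action becomes one
# immutable event; a default-unchecked box that was never ticked produces no
# event at all, so the absence of an event means no consent.
ConsentEvent = Struct.new(:user_id, :purpose, :granted, :terms_version, :recorded_at,
                          keyword_init: true)

class ConsentRegister
  PURPOSES = %i[terms_of_use communications].freeze  # assumed purpose names

  def initialize
    @events = []  # append-only: never edited or deleted
  end

  def record(user_id:, purpose:, granted:, terms_version:, at: Time.now.utc)
    raise ArgumentError, "unknown purpose #{purpose}" unless PURPOSES.include?(purpose)
    event = ConsentEvent.new(user_id: user_id, purpose: purpose, granted: granted,
                             terms_version: terms_version, recorded_at: at)
    @events << event
    event
  end

  # Current state: the most recent event decides, so a withdrawal overrides
  # any earlier grant without rewriting history.
  def consented?(user_id, purpose)
    last = history(user_id, purpose).last
    !last.nil? && last.granted
  end

  # Evidence trail for one data subject (optionally one purpose), oldest first.
  def history(user_id, purpose = nil)
    @events.select { |e| e.user_id == user_id && (purpose.nil? || e.purpose == purpose) }
           .sort_by(&:recorded_at)
  end

  # A grant given for an older version of the terms is not consent to the
  # current text; such users must be asked again.
  def needs_reconsent?(user_id, purpose, current_version)
    last = history(user_id, purpose).last
    last.nil? || !last.granted || last.terms_version != current_version
  end
end
```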
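The USERS split proposed under "Pseudonymisation", as an added example that is not CONSUL code: an identity store and a profile store linked only through a keyed pseudonym (GDPR Article 4.5), with writes refused when identifiers would land in the profile store, and erasure implemented by dropping the identity row so the remaining profile no longer maps to a natural person. The field names beyond those listed in the comment and the key source are assumptions.

```ruby
require 'openssl'

# Constructed example, not CONSUL code. In-memory hashes stand in for the two
# tables; the identity store is the one to encrypt and isolate.
class PseudonymisedUsers
  IDENTITY_FIELDS = %i[email document_number date_of_birth phone_number].freeze

  def initialize(pseudonym_key)
    @key = pseudonym_key   # secret held outside the database (assumed: env var or KMS)
    @identities = {}       # user_id => identifying attributes
    @profiles = {}         # pseudonym => activity attributes (sign-ins, digests, ...)
  end

  # Keyed HMAC rather than a plain SHA-256: without the key a pseudonym cannot
  # be reversed by hashing every small integer user_id and comparing.
  def pseudonym_for(user_id)
    OpenSSL::HMAC.hexdigest('SHA256', @key, user_id.to_s)
  end

  # Refuse writes that would put identifiers into the profile store or
  # non-identity attributes into the identity store.
  def create(user_id, identity, profile)
    extra = identity.keys - IDENTITY_FIELDS
    raise ArgumentError, "not identity data: #{extra}" unless extra.empty?
    leaked = profile.keys & IDENTITY_FIELDS
    raise ArgumentError, "identifiers in profile: #{leaked}" unless leaked.empty?
    @identities[user_id] = identity
    @profiles[pseudonym_for(user_id)] = profile
  end

  def identity_of(user_id)
    @identities[user_id]
  end

  def profile_of(user_id)
    @profiles[pseudonym_for(user_id)]
  end

  # Erasure ("delete" a user): drop the identity row. The profile row stays for
  # statistics, but nothing stored any longer links it to a natural person.
  # Returns true if an identity row was actually removed.
  def erase(user_id)
    !@identities.delete(user_id).nil?
  end
end
```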
