GDPR Compliance which come into effect on the 28th of May 2018?

May I ask what steps ATS is/ has taken with regard to GDPR Compliance which come into effect on the 28th of May 2018 relating to personal data?

The GDPR (General Data Protection Regulation) seeks to create a harmonised data protection law framework across the EU and aims to give citizens back the control of their personal data, whilst imposing strict rules on those hosting and 'processing' this data, anywhere in the world. The Regulation also introduces rules relating to the free movement of personal data within and outside the EU.

originally posted by: studio500
May I ask what steps ATS is/ has taken with regard to GDPR Compliance which come into effect on the 28th of May 2018 relating to personal data?

The GDPR (General Data Protection Regulation) seeks to create a harmonised data protection law framework across the EU and aims to give citizens back the control of their personal data, whilst imposing strict rules on those hosting and 'processing' this data, anywhere in the world. The Regulation also introduces rules relating to the free movement of personal data within and outside the EU.

Nothing... Different I may add...but ask Mr. SPRINGER.

a reply to: studio500

Why? What personal data? None is collected, stored or available here?

LINK

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).

Another thing to consider is you are on a site not in the EU?

a reply to: Blaine91555

Of course data is stored. User profile data and comments etc. They are all data.

There is also the right to be forgotten and many more aspects that need to be covered.

It does not matter if the site is not in the EU. If it serves members of the EU, (Which it does), it must still comply.
Failure to do so can result in huge fines.

That's probably one reason why Facebook and Google aren't too happy about it but they still must comply.

Here's just a little more information for those who may not be aware of the far reaching effects the GDPR may have both in the EU and the US.

Computer Weekly

This link may be more beneficial though.

www.primitivelogic.com... -questions-about-gdpr-compliance-for-every-us-company/

I'm sure there may be certain exclusions but from what I have been reading so far, there aren't many.

I hope the above helps shed a little more light on the subject.

I was a little surprised to find that it had not been discussed prior to this posting. It may or may not have far reaching consequences for ATS and millions of other companies, but steps still need to be taken to assess if ATS falls under the scope of this soon to be, new law.

I think the biggest problem so far, is that most US web entities think it has nothing to do with them but sadly, it does.

Below are a few lines gleaned directly from the EUGDRP website.

Who does the GDPR affect?

The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.
It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

What are the penalties for non-compliance?

Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million.

This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.

What constitutes personal data?

Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

What is the difference between a data processor and a data controller?

A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.

Do data processors need 'explicit' or 'unambiguous' data subject consent - and what is the difference?

The conditions for consent have been strengthened, as companies will no longer be able to utilise long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent - meaning it must be unambiguous.

Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.
It must be as easy to withdraw consent as it is to give it.​ Explicit consent is required only for processing sensitive personal data - in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.

www.eugdpr.org...

a reply to: studio500
I'll have to do some more reading. I'd suspect personal data would be real names, addresses and the like. How that would apply to an anonymous board that has no such data is over my head.

How does the UK enforce it's laws worldwide?

Are they going to censor what you can access also?

a reply to: studio500

Isn't the biggest problem sovereignty? For EU to fine non EU companies it would have to have jurisdiction? It does not.

Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.

So personally identifiable information. That's exactly what I thought.

a reply to: studio500

It applies to any company that sells or markets goods or services in the EU... what is ATS selling or marketing? What money is changing hands between you and this site? None.

If the EU does their usual schtick of randomly interpreting and applying laws in manners which have neither sense nor logic, and they try to pull online forums into their madness, it will likely result in many non-EU centric web forums simply region blocking people from the EU from accessing their forums.

originally posted by: Blaine91555
a reply to: studio500

Isn't the biggest problem sovereignty? For EU to fine non EU companies it would have to have jurisdiction? It does not.

They have zero teeth to use against any entity which isn't registered and licensed to conduct business within the EU. In that case, the EU's only path forward would be blocking those sites from access within EU countries (AKA "censorship") If a company isn't licensed or conducting business for direct profit in the EU, the EU courts really have no ability to force any form of compliance or monetary penalty. This is a non issue, aside from an opportunity to chant USA while running around the room in patriotic smugness.

a reply to: Blaine91555

Blaine, I think many companies are in the same boat here asking exactly the same questions as you are now.

I know Wordpress core developers are having emergency meetings about this issue and part of the problem is clarity.

Much of it can be covered by a few tick boxes where the user is asked to give consent but others are far more difficult to sort.

I run my own large forum with thousands of users, yet if one sends me a right to be forgotten request, that means I must delete all data that I hold on my servers relating to him. But then I ask myself, does that mean all information, including every comment the user has made in every thread he has posted in over 9 years??????

I do not yet know the true answer but I'm hoping it will just mean identifiable information. But even that would mean that I must trawl through every post the user has ever made to ensure no personal information has been shared, including his/her user name!

Plus if I ever have any kind of data breach I MUST inform all my affected users within 24hrs. If I do not, I could get fined.

I'm in the UK, yes but from what I am reading, if a US entity serves EU citizens who use the the website, they must comply too.

What a massive headache this could turn out to be.

Essentially it was designed to give all users total control over what a website does with his/her personal data.
If it is sold or shared for example, you MUST have permission from your user first.

a reply to: burdman30ott6

You know, I really do hope that's the case.

On the face of it, it appears as though the EU is taking a huge liberty here trying to impose its laws on the rest of the world.

Primarily, I think it was created to control the Giants like Google and facebook, but in order to do so, they have made it a blanket law.

I would imagine that if those giants no longer had access to the entire EU, they wouldn't be best pleased.

Worst part is, the UK is leaving the EU but have agreed to adopt this law!

originally posted by: burdman30ott6
a reply to: studio500

It applies to any company that sells or markets goods or services in the EU... what is ATS selling or marketing? What money is changing hands between you and this site? None.

If the EU does their usual schtick of randomly interpreting and applying laws in manners which have neither sense nor logic, and they try to pull online forums into their madness, it will likely result in many non-EU centric web forums simply region blocking people from the EU from accessing their forums.

Or offers a service, i.e a forum that stores data belonging to EU residents.

That's my understanding at present, I may be and really do hope I'm wrong.

The GDPR not only applies to organisations within the EU, but also to those located outside of the EU if they process and hold the personal data of residents within the EU, regardless of the company’s location.

“If you think GDPR doesn’t apply to your organisation, think again,” said Eric Chiu, founder and president of HyTrust. “The survey results were surprising, revealing that many organisations are unprepared or have not perhaps taken the time to assess the impact GDPR requirements may place on their cloud infrastructure.

That's taken from the earlier posted CW link.

The EU can make all the laws they want but that doesn't mean any non-EU site has to comply. If you're from the EU and choose to come to ATS, you're SOL. It's like when you choose to travel to another country outside the EU, your EU laws no longer apply.

a reply to: studio500

I think you are misunderstanding what data they are talking about. No such data is asked for, stored or available here.

originally posted by: Blaine91555
a reply to: studio500

Isn't the biggest problem sovereignty? For EU to fine non EU companies it would have to have jurisdiction? It does not.

To be honest, I can't see how the EU could impose a fine on a non-EU country but I could see them restricting web access as Burdman suggested. I haven't heard anything about cross border agreements etc and don't forget that this technically applies to every country in the world, if they serve EU members.

I don't think for one minute that the EU would be able to enforce a fine upon any non-eu country, good luck to them, trying to get anything out of Russia or China.

But again, this draws us back to large companies who draw a lot of traffic from the EU and who potentially use or sell that data, be it for demographic analysis or sales purposes or marketing. If the EU internet plug is pulled on them, they will be forced to either pay up or lose that geographical base.

Anyhooo, as a webmaster myself, I don't like or agree with this one bit. However I , as an EU citizen must comply or close my site. I will make a choice once I know exactly what it entails 100%.

I just thought I should mention it to my favourite forum, just in case they weren't aware as obviously I have no idea what ATS do with their user data etc.

a reply to: studio500

I'm glad you posted your question. I was not aware of this and I find it interesting.