Forum updates (GDPR)

A forum for English speaking supporters of Italian football.
Duncan!!
First Team
Posts: 2467

Chook is chicken?

verno
Moderator
Posts: 1113

Yes. It's Australian for chicken.

Duncan!!
First Team
Posts: 2467

You know what's American for chicken? ..... Chicken

verno
Moderator
Posts: 1113

AMERICA FUCK YEAH !

:D

Duncan!!
First Team
Posts: 2467

F@ckin A!!!!

Myles
Admin
Posts: 2412

General Data Protection Regulation (GDPR) - Part 1 Personal Data

A simple interpretation of this legislation is that it makes companies treat your personally identifiable data like it is your credit card data.

Personally identifiable data is any data that can identify you.

The legislation states your personally identifiable data on this website is your email address, your IP Address and anything that you put in your profile or post publicly on the forum that can personally identify you.

Private messages are stored in the database in BLOB form, which is a large collection of binary data stored as a single entity; this saves space when backing up datasets and keeps the forum functioning faster. This form is not readable to me but it can be transformed to readable plain text so it would come under the legislation. PMs can't be encrypted because then the recipient wouldn't be able to read the sender's message without knowing the key to decrypt the message.

Your password can't identify you because it's hashed, which is a form of cryptography designed to be a one-way function (infeasible to invert).

Your username is a pseudonym; pseudonymised data is personal data under the legislation.

Irreversibly and effectively anonymised data is not personal data under the legislation. This means your username can be anonymised to keep your posts, but still any posts that contain personal data will be deleted.

As of now, posting personally identifiable data is not allowed on the public forum. You can still post personal data in your profile or private message because if you withdraw consent for your data at a later date those datasets will be deleted anyway, leaving only anonymised posts in the public forum.

Part 2 Consent, will be posted tomorrow.
Signature test

Myles
Admin
Posts: 2412

Reading that back I know it's a bit of a headwreck.
I was trying to explain the legislation specifically in the context of the forum.
Signature test

Lupo Pazzesco
First Team
Posts: 3467

Thanks Myles. Anyway it makes more sense than most of the emails I've received regarding this issue.... :dunno:
No Al Calcio Moderno.

Liam
Game Admin
Posts: 3490

I hadn't even thought that GDPR would affect things such as this forum.

Dels
Game Admin
Posts: 3657

It's easier to get your head around this data malarkey than why Napoli have two managers.
:juvebanner:

Bukayo Saka = future GOAT.

Myles
Admin
Posts: 2412

General Data Protection Regulation (GDPR) - Part 2 Consent

The GDPR focuses on protecting the individual, giving you direct control over the usage, retention and movement of your personal data. This includes the right to erasure, also known as the right to be forgotten, and also the right to portability (move the data to another forum).

Under GDPR, you must give the forum consent by a statement or by a clear affirmative action, which must be an unambiguous opt-in style; additionally, opting out and removing consent should be made very simple. I have to show proof of how and when consent was given so a forced action will be live soon which will require you all to accept in order to keep using the forum; it will also happen at registration for new members before they submit their email (so before activation).

Some consent that was valid pre-GDPR will not be valid anymore, so pre-ticked boxes and Legitimate Interest are no longer valid forms of consent. Legitimate Interest is a term in the legislation that basically meant: you signing up to an Italian football forum, to talk about Italian football. Previously Legitimate Interest gave me consent to hold your personal data, i.e. email address, IP address and other personal data. Now someone signing up doesn't give me a right to hold their personal data, unless I get consent by a clear affirmative unambiguous opt-in style action.

You have the right to have your personal data removed, without undue delay, if:
  • the website doesn't need the data anymore
  • you withdraw consent
If the forum makes your personal data public with your consent, then another website uses it, then you withdraw consent, I must request the other website to erase their copy in order for me to comply. If the other website doesn't erase it they are not complying with the law.

GDPR allows for countries to decide on the digital age of consent, being between the ages of 13 and 16, with the default being 16. Previously Ireland, and now the UK have chosen this to be 13. When a child turns 18 they can have all their previous data deleted on the forum and start again.

WTF are all these emails I'm getting?!
Most of the GDPR related emails you have been receiving lately are called re-permissioning emails.
If a company previously got your consent with a pre-ticked box, and which clearly defined the tick meant holding your personal data, it was valid pre-GDPR but not valid post-GDPR, however they are allowed to send you an email asking for a post-GDPR valid form of consent (clear affirmative unambiguous opt-in style action), like a button to click. These re-permissioning emails are not allowed from Friday 25th May onwards, so they should stop on Friday.
I won't be sending a re-permissioning email because I didn't have a pre-ticked box form of consent to begin with as it was not a legal requirement, but I'm not allowed to send a re-permissioning email without the pre-ticked box.

So in short, for your consent to be valid in the GDPR for the forum, you have to actively DO something to indicate your consent. Silence or inactivity can’t be counted as consent.
A request for your action will be rolled out soon and it will force you to give consent in order to continue using the forum. In the meantime the forum can continue 'as is'; this is non-compliant but I'll have the rollout done to resolve this asap.

The old forum consent and the mailing list soft opt-in (used for the annual August 'newsletter') do not comply with GDPR so will have their data deleted. The mailing list will be deleted today(tomorrow) Thursday 24th May and the old forum will have all data (posts and accounts) deleted on Sunday.
If you wanted to get something from the old forum it is here > https://www.tapatalk.com/groups/footbal ... -forum-f1/

Part 3, Exporting, data breaches, data on backups, will be posted tomorrow.
Signature test

Myles
Admin
Posts: 2412

Lupo Pazzesco wrote:
23-05-18 09:15
Thanks Myles. Anyway it makes more sense than most of the emails I've received regarding this issue.... :dunno:
Some emails I've received are purposely not trying to simplify the understanding, either to hide something or just being smartasses.

Some shouldn't be sending the emails at all as they didn't have a pre-ticked box consent. Actually Honda were done for this or something similar apparently and I've read Wetherspoons thought about it but then binned their mailing list of 650k emails rather than make the same mistake as Honda.
Signature test

Myles
Admin
Posts: 2412

Liam wrote:
23-05-18 17:57
I hadn't even thought that GDPR would affect things such as this forum.
Yeah any company or website that holds personal data.
IP addresses sometimes are and sometimes aren't personal, depending on what machine you are using and/or the Internet Service Provider.

I think the principles are good, and soon enough it might become the norm to expect GDPR compliance. Some companies outside the EU who think they can get away with doing nothing might start losing B2B clients from companies who are GDPR compliant and expect their suppliers/vendors/partners to be compliant as well. For instance, if company A has personal data consent and uses another company B's datacenter then they both get in trouble if company B doesn't have consent.
Signature test

Myles
Admin
Posts: 2412

Myles wrote:
24-05-18 01:16
The mailing list will be deleted today(tomorrow) Thursday 24th May
This has been done now.
The mailing lists and all the data collected from the newsletters have been deleted.
I've also deleted my account on Mailchimp.

If mailing lists are created for marketing in the future you will have to opt in; newsletters or anything that advertises the service is marketing.
Signature test

Myles
Admin
Posts: 2412

General Data Protection Regulation (GDPR) - Part 3, Exporting your data, data breaches and data on backups

Exporting your data
A function will be available soon that will make it so you can download your personal data from the website or else that I will be able to email it to you. This will mean you can move your data to another forum if you want to move to a competitor. This export will be in CSV format as per the GDPR that it has to be machine readable.

Data breaches
If your private personal data is lost, stolen or exposed in any way, I have 72 hours (from the point of detection) in which to notify the "supervising authority", for this website that is the Office of the Data Protection Commissioner (ODPC), in Ireland. The hosting company is Blacknight who are also based in Ireland so have the same "supervising authority". Private personal data is your email address and IP address. Personal data in your profile or posted on the forum is not private, so if you do post something personal in public it is not a breach, but it will be deleted by me so I don't have to delete all posts from a user if consent of personal data is withdrawn in future.
If your data is breached I have to tell you as well.

Data on backups
Some personal data sets are impossible (or infeasible) to edit to remove individual records, e.g. a server backup. These are out-of-scope for erasure editing procedures.
So in a scenario where consent is withdrawn and the forum is restored to a backup date prior to the withdrawn consent, the data is still on the restore. Then the restore is done on an offline platform, data belonging to the withdrawn consent is deleted and only then do I transfer the edited backup to the live platform. This isn't as difficult as it might sound; I already have an offline environment which I use to edit the site and test before I replicate it on the live site.
A log is kept of what data is deleted, such that if a backup is restored I can quickly make the deletions on the restored system before it goes live.
In any case this scenario would be rare as a full restore would normally only be done in a Disaster Recovery (DR) situation AND a consent withdrawn occurs after the DR, AND the forum hadn't been restored before the consent withdraw. Rare but possible.

Part 4 General info and anything else I forgot will be posted before or on Sunday
Signature test
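
The "Data on backups" procedure in the post above (keep a log of erasures, replay it on the offline restore, only then go live), as an added example that is not the forum's own code. The SQLite schema, the function names and the `deleted-user-<id>` placeholder are assumptions for illustration, and the sample rows are constructed.

```python
import sqlite3

# Hypothetical minimal schema (assumption; not the forum's real tables).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, ip TEXT);
CREATE TABLE posts (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT);
CREATE TABLE pms   (id INTEGER PRIMARY KEY, sender_id INTEGER, body BLOB);
"""

def make_restored_backup():
    """Constructed sample rows standing in for a backup restored offline."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?,?,?,?)", [
        (1, "alice", "alice@example.org", "192.0.2.10"),
        (2, "bob", "bob@example.org", "192.0.2.20")])
    db.executemany("INSERT INTO posts VALUES (?,?,?)",
                   [(1, 1, "Great match"), (2, 2, "Agreed")])
    db.execute("INSERT INTO pms VALUES (1, 1, ?)", (b"private text",))
    db.commit()
    return db

def replay_erasures(db, erased_user_ids):
    """Re-apply logged erasures; idempotent, so the whole log can be replayed."""
    changed = []
    with db:  # one transaction: either every erasure lands or none does
        for uid in erased_user_ids:
            anon = f"deleted-user-{uid}"
            cur = db.execute(
                "UPDATE users SET username = ?, email = NULL, ip = NULL "
                "WHERE id = ? AND username <> ?", (anon, uid, anon))
            if cur.rowcount:
                changed.append(uid)  # this user was still identifiable
            db.execute("DELETE FROM pms WHERE sender_id = ?", (uid,))
    return changed

def safe_to_go_live(db, erased_user_ids):
    """Gate to run before copying the restore to the live platform."""
    for uid in erased_user_ids:
        leftover = db.execute(
            "SELECT (SELECT COUNT(*) FROM users WHERE id = ? "
            "        AND (email IS NOT NULL OR ip IS NOT NULL)) "
            "     + (SELECT COUNT(*) FROM pms WHERE sender_id = ?)",
            (uid, uid)).fetchone()[0]
        if leftover:
            return False
    return True
```

Posts are kept under the anonymised username here; posts that themselves contain personal data would need a separate entry in the log.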

Myles
Admin
Posts: 2412

Actually I'll post now because I can't think of anything else that is left anyway.

Part 4 General info and anything else I forgot

General info
The term “Regulation” means that once the GDPR was published in May 2016, it instantly became law in all 28 EU member states, with a lead-in period of two years. This differs from an EU “Directive” which each country interprets into its own law.
This law is about doing the best to give back the ownership of the data to the individual and not the company holding the data.
The Principles of GDPR should keep the holder of the data focused on best serving the rights of the individual as much as possible.

The UK will be exiting the EU in 2019 but nothing will change for UK companies as the UK are just replacing the words EU with UK in the GDPR, so on Brexit day the regulation will remain the same in the UK, at least initially anyway.

It's expected that the EU will come down hard initially on a few big companies to set a precedent.
The fines are up to 4% of revenue or €20m, this is a much bigger deterrent than previous fines, for instance previously in the UK it was £500k.

Government authorities are exempt from fines, as the fines go to the country's government where the non-compliance occurred, so doesn't make sense that they'd be paying their fines to themselves. There's been calls for other penalties to replace fines for government bodies, such as sackings, or criminal charges, so government bodies are accountable in some form.

Anything else I forgot
When obtaining consent I will need third party consent for storing the data on Blacknight's servers and backup media; the consent will be specific for Blacknight, not generally for any third parties. 'Media' is a term in IT that means 'tapes', like actual black ribbon tapes, like in the 80s except usually bigger than your average music tape. Offline backups are still stored this way.

Office of the Data Protection Commissioner (ODPC) contact details are on their website > https://www.dataprotection.ie
The hosting company is Blacknight Internet Solutions Limited > https://www.blacknight.com

That's it, I'm done explaining it, must implement it now.
Signature test

Liam
Game Admin
Posts: 3490

Thanks Myles, I think I kind of understand it.

Dels
Game Admin
Posts: 3657

Does anyone who has a Yahoo email account have difficulty logging in now?
:juvebanner:

Bukayo Saka = future GOAT.

Myles
Admin
Posts: 2412

I had to click a few buttons on the Yahoo account in order to keep using it. First though they gave the options to disable sharing with their partners.
If ever having issues on a widely used service just google the issue, chances are someone has made a tutorial with screenshots.
Signature test

Dels
Game Admin
Posts: 3657

It won't let me log in. Keeps saying that there is a network connection timeout. There's nothing wrong with my internet connection. I'll maybe wait awhile. If it's still the same, I'll google it.
:juvebanner:

Bukayo Saka = future GOAT.
