GDPR: Some questions answered

Doubtless you have been inundated by dozens of privacy related communications in the last few days, from a great many companies and organisations.

Since our launch in 2010, we’ve had a raft of policies in place, from our pernickety terms and conditions through to policies on spam, abuse and privacy, which have been amended from time to time. We have always taken these issues seriously as our aim has been to create a safe and secure family-friendly environment for all.

But things are changing in the regulatory environment, which means the Our Locality core policies are being reviewed, to strengthen and clarify them, and Sustaining Dunbar is publishing an organisational policy.

A key change, as we see it, is that our website members/owners, anyone who has an active account / website and who may have subscribers of their own, may well need to draft some privacy policies of their own. If you have a private account, which is not public facing, this doesn’t affect you (some users have set up a practice account, or kept an archive of an older website).

What are you doing to facilitate this?

From today you will be able to quickly draft your own privacy page for your website using a template (Settings > Privacy), if you want this enabled. You will also need to put a link to it somewhere in a menu, sidebar or footer. We will also be able to export any personal data of any user, and then erase it (in the Tools menu). An email address is required so that the data subject can be asked to consent. We’re interested to know if you want these features activated for you; if so, drop us a line.

For a couple of years, you have been able to activate a cookie policy. This is effectively covered in the new privacy policy, so if you have already activated Cookie Consent, you may need to revise the wording or, better, link straight to the new policy, suitably adapted to your circumstances.

Can you provide help drafting?

The template creator gives you the basics, but you’ll need to add some additional information, regarding any business or organisation specific practices regarding the handling of personal information, newsletter management, mailouts, data retention and more.

Unfortunately we can only vouch for what we do as a service provider. While we cannot provide legal advice, we are more than happy to have an unqualified conversation with anyone for whom this is their very first time. Indeed, if there are experts out there who want to help us provide support pro bono for first timers, we’d really appreciate it.

If the OurLocality platform is compliant, my website is too, no?

This is probably the wrong question to ask. Are you, as an organisation, compliant, regardless of whether you’re unincorporated, a non-profit or a business?

While OurLocality strives to be GDPR compliant, we cannot guarantee that your organisation complies, as your website may be just one component of your operation.

How we are aiming to comply:

A website hosted by us will be compliant in part because whenever we pass information from a visitor on your site, we do so securely, always over SSL, whether or not you have your own domain. But there is more.

Data may be stored on our server in any number of ways. Some of this you can control: feedback and contact forms, comments if they are enabled, whether you use an SMTP tool to send email rather than the server itself, some analytics data which may contain personally identifiable information such as an IP address, or a connection to a social media company through share buttons, and so on.

In order to run an efficient, effective and secure service, our server will store information in the core database, in the two tiers of backups, in email logs (for web forms that do not use an external gateway), in a variety of essential system logs, in website logs, and so on.

Most modern websites will also use cookies in some way. Ours do too, though mainly to support a login ‘session’, not to track unsuspecting visitors.

We use a wide range of software in the background to offer the widest range of functionality to our website users and their audiences. Most of this is open source, but we have a small number of licensed products. We always make sure software is up to date, because we’re very alert to the fact that such software can open a back door into our systems. Our monitoring regime is geared around understanding overall system performance and breaches, restricting or blocking suspicious logins, and throttling traffic from unusual sources.

Our host is trustworthy and doesn’t have access to our virtual machines unless we grant it. We don’t hang onto data for longer than we think necessary, and we constantly review the third-party tools we make available that could leak data in ways that might breach privacy, covertly or through bad design.

If you want a longer read about the implications and some of the myths, drafted by the UK’s Information Commissioner’s Office (ICO), you can read more here.

Where does OurLocality store data?

Hosting: Customer websites are all hosted in the UK, on virtual machines in Manchester and York. Backups are on separate physical archive-grade disks.

Email: We don’t provide email services directly. We have set up a small number of customers with GSuite, a Google product. With GSuite, you are governed by the agreement with Google, which is broadly speaking GDPR compliant – as far as we can evaluate. You will need to sign this.

Office 365: If you use Office 365, then data is stored by Microsoft. We don’t offer this. Please see this guide on the Microsoft website for more information.

Backups: See hosting above.

Business data: We run the whole show from a home office, which has a small network of computers.

We don’t let anyone on these machines without tight supervision.

No one can install new software.

We don’t use social login techniques for anything (such as login with Facebook).

We use two-factor authentication for email.

We do use WhatsApp. That means that if you use it too and we have exchanged calls, we are automatically connected – we’re not sure whether this is a good idea.

We have never knowingly connected our email contacts list to anyone, neither to LinkedIn nor to a social network, though we know a great many people who have.

What are the legal bases you use to store customer data?

We store the minimum of data needed to manage and run a customer account, because, effectively, when you register you are signing up to our terms and conditions.

If customers are using one of our free products, the information we hold would include an email address, a unique username, an IP address and a location.

If you paid us at some point, Sustaining Dunbar will keep records of that for billing and tax purposes.

If you contact support or billing by email, we’ll store that information too.

We log website usage in quite a lot of detail: for security, to help understand and improve performance, and to provide support and troubleshoot problems, should they arise.

We have established working practices that minimise the accidental loss, inadvertent sharing, quiet leakage or mass diffusion of customer data. We have trained ourselves to respect privacy, your rights, and information management issues generally.

Our full GDPR compliance information is a work in progress, but it updates a policy that has been publicly available since 2010.

Can I opt out of Our Locality marketing emails?

We don’t operate marketing emails as such; rather, we hold a Mailchimp list of website admins and users, to send occasional emails. We have done so twice in almost a decade, but we are reviewing whether more regular updates would help us revive our membership as we develop the service.

We are aware that some of you have newsletter sign-up forms on your own websites, and we may have helped you set these up. We advise everyone to update their sign-up procedures and forms as soon as practical, and not just to check that the legal bases for processing are GDPR compliant (prior and explicit consent).

Do I need to re-permission my newsletter customers?

It is hard to say. But at least one scenario is clear: if you didn’t obtain your list by explicit prior consent, technically you shouldn’t use that list at all, end of story. You have no right to contact people who did not consent, neither before GDPR nor after.

Read this: https://www.theguardian.com/technology/2018/may/21/gdpr-emails-mostly-unnecessary-and-in-some-cases-illegal-say-experts

If you want to contact people to say you updated or are in the process of updating your policies, that might be a good idea.

Will I need an SSL certificate after GDPR?

All our websites have SSL certificates, and have been secured this way for around 2 years.

We need to set up certificates the first time round, after which they should quietly auto-renew, but going forward there will be a small setup and renewal fee.

I need more help …

The ICO has a helpline, but we expect this might be busy this week and the next, indeed for the foreseeable future.

The ICO has also produced this guide to help small businesses with GDPR compliance.

You should consider contacting a data protection specialist if you handle a large amount of personal data on various computers around your home office and are terrified of technology, or have nightmares that you are a spammer …

Alternatively, contact me at philip@ourlocality.org for an informal chat.