Invision Community Blog


Managing successful online communities

Matt

How Invision Community's tools can help with GDPR compliance

The General Data Protection Regulation (GDPR) is a regulation (EU 2016/679) that is intended to strengthen and unify data protection for EU residents from 25th May 2018.

How can Invision Community help?
While Invision Community enables you to collect and store information, it's important to note that you as the site owner are the data controller. If your site can collect data from EU citizens, then we recommend that you research your responsibilities.

We have introduced several new tools in Invision Community 4.2.7 to help you with compliance, and we'll run through them and the relevant sections of the regulation in this blog.

Individual Rights (More information)

Right to be informed

Quote
  • The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice.
  • It emphasises the need for transparency over how you use personal data.

Invision Community has an area for you to edit your own privacy policy. This is found in the Admin CP > Settings > Terms & Privacy Policy.


Guidance on what the policy should contain can be found here.

Right to erasure (More information)

Quote

The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

Invision Community allows you to delete a member from the Admin CP. If the member has left posts or comments on your community, you can elect to delete that content, or keep it but remove the author's details, thereby making the content anonymous.

Lawful bases for processing (More information)

Consent (More information)

Invision Community now has a setting that stops new accounts from being automatically opted in to administrator emails, such as those sent by the bulk email system that is often used for newsletters.

This feature is found in the ACP > Members > Registration Settings.


Part of the consent regulation is to record when consent was given. The consent to opt in to administrator emails, such as bulk emails sent via the Admin CP, is recorded at registration and again each time the member changes the setting. This record can be found in the member history log when viewing a member in the Admin CP.


If you change the Terms & Conditions or the Privacy Policy, you can require members to accept the changes when they next log in, thus recording their consent to those changes.

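As an added illustration (not Invision Community's own code, which this post does not show), here is a minimal Python model of the two behaviours described above: a consent log written at registration and on every later change, and the delete-or-anonymise choice for an erased member's content. The Member and Post classes, the "Guest" placeholder name and the history entry format are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Assumed placeholder shown in place of an erased author's name.
ANONYMOUS_AUTHOR = "Guest"

@dataclass
class Post:
    post_id: int
    author_id: Optional[int]
    author_name: str
    body: str

@dataclass
class Member:
    member_id: int
    name: str
    email: str
    admin_mail_opt_in: bool = False  # default is NOT opted in: consent must be given
    history: List[dict] = field(default_factory=list)  # consent audit trail

def record_consent(member, opted_in, source, when=None):
    """Apply a consent decision and log it with a timestamp and its source.

    Called at registration and on every later change, so the history answers
    when a member consented to admin emails and when they withdrew consent."""
    when = when or datetime.now(timezone.utc)
    member.admin_mail_opt_in = opted_in
    entry = {"when": when.isoformat(), "admin_mail_opt_in": opted_in, "source": source}
    member.history.append(entry)
    return entry

def register(member_id, name, email, opt_in=False):
    """Create an account; the initial consent state is recorded, never assumed."""
    member = Member(member_id, name, email)
    record_consent(member, opt_in, "registration")
    return member

def erase_member(member, posts, keep_content):
    """Right to erasure: drop the member's posts, or keep them with the author stripped.

    Returns the surviving posts. The caller then deletes the Member record itself,
    whose consent history is also personal data and must go with it."""
    survivors = []
    for post in posts:
        if post.author_id != member.member_id:
            survivors.append(post)
        elif keep_content:
            survivors.append(Post(post.post_id, None, ANONYMOUS_AUTHOR, post.body))
    return survivors
```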

Cookies (More information)
Invision Community stores a small amount of data in cookies. One cookie is used to authenticate you when you revisit a community; other cookies provide a service at the user's request, such as changing a theme or using the Commerce cart.

We have added features in Invision Community 4.2.7 to request acknowledgement that cookies will be set, along with a brief page outlining the types of cookies that are set.

Invision Community has a feature that shows a small message to new visitors to the community. This is found in the Admin CP > Terms & Privacy Policy page.


We have pre-configured a cookie acknowledgement message using the short-tag {cookies}.

This will display as follows:


This links to a new page showing brief information about the types of cookies that Invision Community stores.


Although, at the time of writing, the regulation does not specify exactly what information a cookie page must show, you can edit this page to add more detail if you wish.

Summary
We hope these new tools available with Invision Community 4.2.7 make it easier for you to seek compliance with GDPR if you choose to do so.

It's worth pointing out that we are awesome at making community software and know a huge amount about making communities successful, but we are not experts in EU regulation. We offer this blog entry as a way to assist you in seeking compliance but you must do your own research and are responsible for your own community.

Invision Community 4.2.7 is currently in beta testing. We're aiming to release it early next week.

We hope this is a good starting point for you!

Comments




14 minutes ago, O9C4 said:

Thank you @Matt

  1. For the InCloud communities no GDPR restrictions, or misunderstanding from me?
  2. Will we have any troubles with registration of new members from EU zone since 2018 May?

Hi, thanks for the reply.

I've modified the article to be a little clearer.

If you use our cloud hosting, then you are using a US service. However, if you collect data from EU citizens (as in allow them to register and use the site) then you may want to research what your responsibilities are there. You might choose to follow compliance just to be on the safe side. It's really not that hard and there's a good bit of data out there already.

Take a look at this article, for instance.


My biggest fear regarding the GDPR and the privacy policies of the global internet is losing access to members from any country. I use my community for the world and cherish members from any country. Can I copy the IPS terms and privacy policy to my site with a few edits, and will it be enough to protect against a government ban?

17 minutes ago, O9C4 said:

My biggest fear regarding the GDPR and the privacy policies of the global internet is losing access to members from any country. I use my community for the world and cherish members from any country. Can I copy the IPS terms and privacy policy to my site with a few edits, and will it be enough to protect against a government ban?

We cannot really give legal advice and such. You would need to do your own research. We provide the best tools we can based on the knowledge we have.

15 minutes ago, O9C4 said:

My biggest fear regarding the GDPR and the privacy policies of the global internet is losing access to members from any country. I use my community for the world and cherish members from any country. Can I copy the IPS terms and privacy policy to my site with a few edits, and will it be enough to protect against a government ban?

I think it's important to understand that really GDPR is about protecting and using data responsibly. My impression is that there isn't a draconian organisation ready to swoop and punish people who are acting responsibly.

I certainly wouldn't fear it. Just review the information out there. Make some notes. Use 4.2.7 to help with your compliance checks.

A great resource is the ICO website. It has some great tips about what to put in a privacy policy - check it out here.

I can't give out "legal" advice here because I am not an expert, but I do want to help where I can.

57 minutes ago, amator said:

I agree to the Terms of Use

No option to remove the required checkbox and add whatever text we want?

Sorry, I don't follow. Can you show me what you mean?

1 hour ago, amator said:

No option to remove the required checkbox and add whatever text we want?

The texts are language strings you can change in your language settings.
The button—well, it’s kind of the point of a cookie consent option to force an agreement from the user.

2 hours ago, Charles said:

These options will be available in version 4.2.7 when it is release. Look for it soon :)

Okay, it came with Beta 3. 

33 minutes ago, Matt said:

Sorry, I don't follow. Can you show me what you mean?

I think that Terms of Use required checkbox can be removed and we can change the text as we want.

Example

28 minutes ago, Matt said:

You can change the language for this, but if you wish to be GDPR compliant, you cannot pre-check that, It must be opt-in.

What if the opt-in is the 'Create my account' button? No checkbox needed.


Really appreciate this article and the efforts in general to provide us with the necessary tools to help us with compliance in 4.2.7, and of course the point about trying to be helpful and supportive whilst not suggesting that you are purporting to be lawyers or providing legal advice is well taken. As I've said before, it's a good potential selling point for software companies too.

I much prefer this more helpful customer service stance, which is much more supportive than back when the cookie consent thing became a thing.

Whilst hopefully most of us won't ever have to formally demonstrate compliance with GDPR as part of an official review, ICO complaint or audit, it's just having the reassurance that our members know we take our responsibilities seriously, and the reassurance that also comes with knowing we have the tools available when needed to show general compliance or if necessary, for administrators to easily run off a log report detailing, not war and peace, but the basics of when a member's consent was provided, acceptance of terms was agreed (when they registered, accepted an updated privacy policy etc, or in fact removed consent). The data is there in the database, it's just a matter of being able to run a 'member GDPR' report, perhaps one that can be exported as a convenient pdf, txt, csv or .docx file. Perhaps even having a list of these tools and relevant AdminCP pages in a small but handy 'GDPR' section of the AdminCP menu would be helpful?

Great to also see a basic cookie acceptance tool built-in tied into the system and the ability to edit accompanying text as needed without giving admins the potential to get it wrong by pre-checking opt-ins. Not only removes the need to use third party cookie compliance software but also makes the whole experience more natural, streamlined and seemingly less disjointed to the end user/potential new member.

The boundaries of the Internet have never been straightforward! I'm in the UK, but I have multiple IPS licences for both UK and US based websites. When I say US based site, it's more a case of having switched my original .UK monikered site to a more international themed .net site many years ago, and although the majority of its forum members are US based, we have a lesser proportion of international members (Finland, France, Germany, UK), and whilst I use a cloud-based VPS from a US based service provider for all of these sites, I know I still have to show regard to GDPR if we want to provide a service to people within European countries.

I bet hardly any UK based hobby admins are actually registered with the ICO if they don't own a full business or organisation already registered as a Data Controller, even though they are making the decision to store and process personal information. GDPR seems to remove that convenience loophole.

I recall someone saying that an IP address is not personal information back when the cookie debate was going on, but now GDPR clearly defines it as such.

Like you say, the UK's ICO website has some good info and guidance, although at times it can seem overwhelming.

If in doubt, get some legal advice is the key thing from a potential confused admin's perspective, look for online presentations or perhaps check out the business support section of your local council, business association, college, library to see if they are providing 1 or 2 hour free sessions in the area.


Thanks @The Old Man - that's a lovely and measured reply.

Absolutely we want to help, but we can't claim to be certificated experts in this field and we can't accept liability for non-compliance. We provide the tools; we can't control what you guys do with them.

But yes, please do ask questions and we'll do our best to help but we'll underline that by recommending you speak to experts for a complete answer. As you've pointed out, there are lots of free support groups about that offer this help.

I sense a lot of panic over this subject, but there doesn't need to be. I don't believe that the entire internet is going to be audited on May 26th. Just keep good records, be responsible with the data and you are most of the way there.

The best advice I can give is research the subject yourself and consult with those that know more if you are unclear.


I too really appreciate this blog post and the concerted efforts you have taken in introducing tools and links to relevant information to help us with GDPR compliance in 4.2.7. I chose the community software as it is top class and actively enhanced, has professional support and takes security seriously. Now it adds first-rate privacy and data protection tools to the list.

On 14/12/2017 at 2:32 PM, Matt said:

I think it's important to understand that really GDPR is about protecting and using data responsibly. My impression is that there isn't a draconian organisation ready to swoop and punish people who are acting responsibly.

I certainly wouldn't fear it. Just review the information out there. Make some notes. Use 4.2.7 to help with your compliance checks.

A great resource is the ICO website. It has some great tips about what to put in a privacy policy - check it out here.

I can't give out "legal" advice here because I am not an expert, but I do want to help where I can.

GDPR is I believe a much needed step forward for privacy and the assertion that individuals own the rights to their data is increasingly vital in this age of social media and big data analysis. I hope and believe GDPR may well become the de facto world privacy standard and should not be feared but embraced to provide true transparency and protection to our community members in the best way.

One area, as also highlighted by @The Old Man, that may still need to be addressed is the right to be informed and subject access requests. I am not concerned particularly about content such as posts, articles, blogs etc.; however, member data, store customer data and IP & device data are collected and are accessible, and there needs to be a mechanism to provide this data in response to subject access requests in an easily readable electronic form. This data is accessible via the ACP but it is not easily captured or exported, e.g. in CSV or PDF; the only real method currently is screen capture, which is laborious.

 

 


Thanks for the info and effort in making the tools needed to comply with GDPR.

However, I really wish for a better way of dealing with deletion or removal of personal data. I wish that there was a dedicated user page for this, where a user could perform the following actions:

  • deactivate profile - so that the user profile will not be accessible and everything appears as if the user is removed, except the data still exists and the user can reactivate their profile.
  • delete profile - and options to also delete blogs and/or forum threads etc.

Also, when a user chooses to delete, it would be great if we could set a period before the actual deletion is performed, during which the user can cancel the deletion.

Dealing with all this through the admin is becoming a pain, especially having to remember to delete content with the request of profile deletion.

On 18/12/2017 at 1:57 AM, alfanexus said:

Dealing with all this through the admin is becoming a pain, especially having to remember to delete content with the request of profile deletion.

I can't recall when this feature was introduced, but when you go to delete an account, you can also hide or delete content as well by clicking on the link at this screen.

 


These improvements are welcome, but there are a few issues that still need to be addressed.

One is regarding the ability to either disable the collection or anonymize personal data that is not critical to the software functionalities.  I'm thinking about IP address in logs, for example.  I don't know if there are other items.

Regarding cookies, I think GDPR requires affirmative user action for things like accepting cookies.  Thus, IPS should not set any cookie until it has user consent, and it should also provide an opt-out mechanism.  I believe this is not done in current version (I didn't test 4.2.7 yet).

Using embedded content also means the users may get cookies from external domains/services.  So, we need more control on the embeds that are enabled, to make sure we don't add unexpected cookies. It would also be nice to be able to rebuild posts and remove external embedded content.

