Matt


How Invision Community's tools can help with GDPR compliance

The General Data Protection Regulation (GDPR) is a regulation (EU 2016/679) that is intended to strengthen and unify data protection for EU residents from 25th May 2018.

How can Invision Community help?
While Invision Community enables you to collect and store information, it's important to note that you as the site owner are the data controller. If your site can collect data from EU citizens, then we recommend that you research your responsibilities.

We have introduced several new tools in Invision Community 4.2.7 to help you with compliance, and we'll run through them and the relevant sections of the regulation in this blog.

Individual Rights (More information)

Right to be informed

Quote
  • The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice.
  • It emphasises the need for transparency over how you use personal data.

Invision Community has an area for you to edit your own privacy policy. This is found in the Admin CP > Settings > Terms & Privacy Policy.

Guidance on what the policy should contain can be found here.

Right to erasure (More information)

Quote

The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

Invision Community allows you to delete a member from the Admin CP. If the member has left posts or comments on your community, you can elect to delete the content, or keep it but remove the author's details thereby making the content anonymous.

Lawful bases for processing (More information)

Consent (More information)

Invision Community now features a setting that stops new members from being automatically opted in to administrator emails, such as those sent by the bulk email system often used for newsletters, when they register a new account on your community.

This feature is found in the ACP > Members > Registration Settings.

Part of the consent regulation is to record when consent was given. A member's consent to opt in to administrator emails, such as bulk emails sent via the Admin CP, is recorded at registration and each time the member changes the setting. This record can be found in the member history log when viewing a member in the Admin CP.

If you change the Terms & Conditions or the Privacy Policy, you can request that members accept these changes when they next log in, thus giving their consent for those changes.

Cookies (More information)
Invision Community stores a small amount of data in cookies. These are used to authorize you when you re-visit a community. Other cookies are used to provide a service at the user's request, such as changing a theme or using Commerce's cart.

We have added features in Invision Community 4.2.7 to permit acknowledgement that cookies will be set, along with a brief page outlining the types of cookies that are set.

Invision Community has a feature that shows a small message to new visitors to the community. This is found in the Admin CP > Terms & Privacy Policy page.

We have pre-configured a cookie acknowledgement message using the short-tags {cookies}.

This will display as follows:

[Screenshot: the cookie acknowledgement message]

This links to a new page showing brief information about the types of cookies that Invision Community stores.

At the time of writing this blog entry, the regulation states that there is no exact information that you need to show on the cookie page, but you can edit the page to add more detail if you wish.

Summary
We hope these new tools available with Invision Community 4.2.7 make it easier for you to seek compliance with GDPR if you choose to do so.

It's worth pointing out that we are awesome at making community software and know a huge amount about making communities successful, but we are not experts in EU regulation. We offer this blog entry as a way to assist you in seeking compliance but you must do your own research and are responsible for your own community.

Invision Community 4.2.7 is currently in beta testing. We're aiming to release it early next week.

We hope this is a good starting point for you!

Edited by Matt


Comments


There's also a big point which would be really important.
In the EU, people have the right to say "forget my data".

So we need to make sure that, for Commerce, we can remove or replace the real name and address of a person who wants us to delete his data.

But we also need to save all transactions encrypted somewhere where employees do not have access to the data.

It's a complex part which we also need to integrate. I have not read a lot about this, but it will be tricky for the future I think.
So for Commerce we need to remove all personal information, but on the accounting side, which selected people have access to, we also need to store the history.

Link to comment

Hello, I saw in an Italian article that the GDPR forces administrators to:

1. opt-in cookies before and during (any time it would) the navigator could opt-out after visit, (list: necessary checked and disabled, preference, statistics, marketing, unclassified).

We must track the date the user's consent was registered.

More at https://www.cookiebot.com/en/cookie-consent/

For example, if I use a third-party app / plugin from the Marketplace, how can I find all the cookies it uses? Must I ask the developers?

2. request deletion of personal data (that identify the person)

3. data portability, request personal data to export into a file or email...

Any response about this? @Matt

Thanks for your article.

Edited by BomAle
Link to comment

On 3/26/2018 at 5:07 PM, opentype said:

This should be all answered by the article, the general suite features (e.g. account deletion) or by trying the 4.3 beta yourself. 

Could you be more specific about the points 1 and 3?  That is:

  • Where did IPS "answer" about the opt-in/opt-out of cookies?
    For the record, showing a message stating that cookies were set is not a valid opt-in.  I'm also not sure where we can opt-out after accepting the cookies.
    (I don't think GDPR forces us to rely on consent to store cookies, but it would be nice if IPS allowed us to do so.)
  • Where did IPS "answer" about allowing to export users' personal data?
    I'm not sure which data users may require to be exported for portability, but even if we assume it is just the profile info (which may be easy to collect), note that the users may also request to know all personal data stored about them.  I'm pretty sure this includes IP addresses stored in IPS logs.  In any case, I did not find any feature to export users' data in IPS 4.3 (but I may be missing it).
Link to comment

5 hours ago, asigno said:

Is there any update on self serve functionality e.g. for users to delete their own accounts?

It will not come, as the CEO has said multiple times. You will have to delete accounts manually (which shouldn’t be a GDPR problem) or use the plugin from the Marketplace.

Link to comment

On 12/24/2017 at 9:54 PM, kar3n2 said:

Oh gawd, it's all so so confusing, isn't it?

Confusing and crazy. It's being talked about on WoltLab and XenForo. On WoltLab they are saying you have to add your Name and Address on the privacy policy page as well.

On 4/10/2018 at 10:31 AM, sulervo said:

This one? Pretty expensive :)

EDIT:

Here is another:

 

Lol, guess you could do that really. Make them pay to remove their account. Ha! Good one, call it admin fees.

Link to comment

6 hours ago, GTB said:

Confusing and crazy. It's being talked about on WoltLab and XenForo. On WoltLab they are saying you have to add your Name and Address on the privacy policy page as well.

That’s nothing new by the way. If you want to run legal websites that do any kind of business, you need to show yourself. If you want people to follow your terms or purchase something, that’s a contract with responsibilities and both parties need to know who they are even dealing with. 

Link to comment

Interesting though lengthy read on GDPR at Elegant Themes (WordPress related site but still relevant)...

https://www.elegantthemes.com/blog/tips-tricks/how-to-make-your-websites-gdpr-compliant

Love this partial comment re Google Fonts breaking GDPR compliance: "If these comments are accurate, Germany has banned the internet."!

GDPR = Turning out to be next PPI era for ambulance chasers. It seemed like a good idea at the time... 

 

Edited by The Old Man
Link to comment

I am missing an option to export all user data in a standardized format as required by EU law...

There are a bunch of websites I run for cities that are powered by invisionpower. Will there be a fully GDPR compliant version by May 25th or does invisionpower choose to abandon all EU customers?

Edited by DReffects2
Link to comment

It would be great to know in advance what IPB are working on in regards to GDPR compliance, I keep reading that something will be posted soon but we're only three weeks out now.

WordPress are great in showing what they are currently working on;

https://core.trac.wordpress.org/query?status=accepted&status=assigned&status=closed&status=new&status=reopened&status=reviewing&keywords=~gdpr&order=priority

  • Functionality for users to either request or delete their information
  • Allow users to be able to download all their data entered, i.e. registration info, comments and/or posts
  • Functionality to confirm a user's request for deletion has been actioned

 

Link to comment

On 12/14/2017 at 9:32 PM, Matt said:

A great resource is the ICO website. It has some great tips about what to put in a privacy policy - check it out here.

I can't give out "legal" advice here because I am not an expert, but I do want to help where I can.

Invision Community © 2018 IPS, Inc. must have a lot of European customers, isn't it? So you must be preoccupied with GDPR for your terms & policy too, as we here all or not?

I apologize in advance, but I still do not understand what to do and how to prepare for the 25th of May.

To copy someone else's (IPS for example) GDPR policy to my site would be great and easy for me, and all I can as noob admin.

Edited by O9C4
Link to comment