New General Data Protection Regulation 2018-05-25

[30knees]

@lesley said in New General Data Protection Regulation 2018-05-25:

Its not that I am skeptical, there is a stark difference in my mind in data protection and data deletion. We are very security minded here and try to make it impossible to leak data, so I feel like the protection part is handled.

Not for lawyers. "Data protection" is a poor term that has come to represent how data is is handled. One part of it is data security. The principles of data protection are found in Article 5 GDPR and include "data minimisation" (collect only the data you need) and "storage limitation" (keep it only as long as necessary). The security bit is called "integrity and confidentiality".

See we are back to it being a German issue again.

No, no, and no. :-) It's a European law. ALL EU/EEA authorities audit data retention/storage limitation. Swedes, Finns, Norwegians, Dutch, Austrians. This is the comparison of the OJ Simpson case to the shop lifting one. Germans are the most vocal merchants. It doesn't mean this is not an issue elsewhere.

Again, I am happy to reach out to non-German authorities for you.

I would like to get some other input on this, because the requirements you stated, I said how we could meet them.

Do you mean from me or from a third party? If from me, I am happy to have a call and go through in detail and evaluate different options. We talked about this by email already. Ping me whenever. If from a third party, gladly.

[Traumflug]

I had similar discussions with Lesley earlier and my impression is that he's mostly concerned about usability of the shop software. And I can understand this well, setting up a shop is pretty complicated already, even in the United States. Just look at the hundreds of settings a merchant has to take care of (or cross fingers for luck) in Backoffice.

With this in mind it might be helpful to direct the discussion a bit more towards how these regulations can be met without adding burdens to merchants and customers. Keeping usability high isn't simple, but it's crucial for success. That's the distinction between a powerful software and a successful software. I think we all agree to want a successful software.

One detail as an example: thirty bees allows to set up shops without secure transfer, without HTTPS. There's a whole lot of code dealing with both, the HTTP and the HTTPS case and for switching between them. This slows the software down to some extent. There are Backoffice options which have to be set and which have to be taken care of. Which is a burden for merchants. And all this in 2017, where running a public shop without a secure protocol is no longer an realistic option. Which means, this distinction can be removed from what's visible to merchants. Keeping the power, making the software faster, liberating merchants. By wise design decisions.

While this detail example isn't part of the law discussed here I hope it sheds some light on ways to comply with this law: find ways to get it into "just works" and everybody will be happy. My dream is a choice "Law to comply with:" and a menu just listing all the countries. One choice to be done for being reasonably safe on the regulations side everywhere.

[30knees]

Yes - I am a strong believer in adapting data protection law so that usability does not suffer. It's definitely possible. Great post, @Traumflug.

[MockoB]

@lesley said in New General Data Protection Regulation 2018-05-25:

One thing I have noticed, you can even notice it with this thread, is the regulations are only problems for the Germans. These are German changes, not EU changes. 70% of thirty bees shops are EU companies, the Germans are the only people that seem to be having these issues.

@Lesly you are not right, those are not just German or EU changes. Those changes are concerning every merchant who is aiming the EU market. It is explained in the regulation. Other thing you are wrong is that Germany hates e-commerce, it's not Germany the greedy lawyers in Germany hate it, and the greedy competition as well! And Germany is the biggest ecommerce market in Europe you should not underestimate that, in fact I believe the online market in Germany is bigger than the rest of the EU together (excluding the island which soon will be out of EU). The ability to remove old carts from a certain date back that do not have an order affiliated with them. This can be made into a module rather easily, it is a text field, a button, and two queries.

That is easy I believe, I followed @nemos' or vekias' blog for my current 1.5 shop and it was easy implementation.

From that I read so far about GDPR, it is mostly concerning big companies like facebook, google etc. In Bulgaria there is government institution which is dealing with the data protection, to process user data (to have an e-store) I must register as data processing operator and comply with all the government regulations which are almost same as the new regulation. When the GDPR regulation is out I don't even have to register as operator, I just have to fill some documents and keep them with me. Of course there are few more obligations I have to deal with in the documents than before.

Two things to think of about the regulations for me are: 1. I have to provide the customers all the data I got about them when they need it. It is possible every registered customer to view it in his user panel, but what about guest orders? Should I give access to the back office to every customer who needs that information, or should I copy/paste it in other document to provide the information .... 2. Second and the most complicated issue which is mostly concerning online merchants is "the right to be forgotten". Sure you will make module for deleting orders (and everything connected with the orders including user data, carts, invoices, etc.) which I find great feature! There is ability already to delete customers, but that is against other law. The law says that you don't have to delete any financial data and it is crime at least in Bulgaria to hide taxes and deceive the government by deleting orders and in the whole world as well ... Which law you think we have to comply with, keeping financial history or delete user data? I believe the greedy lawyers in Germany are eager to launch lawsuits against merchants because they perfectly know we don't have the answer to that question.

All other things concerning the new regulation is enough to be mentioned in the privacy policy.

[30knees]

@mockob "Which law you think we have to comply with, keeping financial history or delete user data? I believe the greedy lawyers in Germany are eager to launch lawsuits against merchants because they perfectly know we don’t have the answer to that question."

It is crystal clear for anyone who has a basic understanding of data protection law and law in general that there is absolutely no conflict here that needs to be resolved. It’s about deleting data that is a) no longer subject to a legal obligation to be kept or b) no longer required for the purposes for which it was originally collected. Any data required for tax purposes falls outside the scope of the right to be forgotten ... until the legal retention period has expired.

[DRMasterChief]

thank you 30knees ! you got the point

[MockoB]

@30knees those are good news for me! It means that thirty bees already complies with GDPR! You are already able to remove mentioned by you data, aren't you?

[30knees]

@mockob There are some things that need to be addressed by the software, but nothing major. Of more hassle are the organisational measures needed, such as Data Processing Agreements with all parties who can touch your customer data, etc.

[MockoB]

In my case those are just shipping companies, and I did it before the regulation as well. It will be more strict for companies who work with "sensitive" data, which is not the case with the data collected by thirty bees platform.

[toplakd]

And extending Customer Privacy Data module to contact form is also very easy. Hook needed in contact-form tpl and additional override file ContactController.php in folder /override/controllers/front/

I'm not yet using the TB on live shop, but might use it very soon. Have just upgraded to clean 1.6.1.18 and have applied the Contact-form Customer Privacy data, so it should also work on Thirtybees install.

Regarding the cookies. If the only cookie your shop is using is the prestashop session cookie, than you can set it's expiration time to 0 and than it meets the GDRP requirements as it becomes true session cookie which expires when browser closes. In this case Cookie popup is not needed. Sure visitors will loose their cart everytime they close the browser, but make sure you enable "Re-display cart on login" for registered customers.

[alishahenderson]

Hello buddy,

The General Data Protection Regulation (GDPR) requires all organizations adhere to strict methods and process while collecting and storing personal information of European Union (EU) citizens.

It proposes to increase data protection efforts for all citizens of the EU, and also ease the regulatory environment for international trade by giving a uniform regulation throughout the EU.

The first important distinction is one of scope. GDPR goes beyond safeguarding against the perversion of personal information such as name, address, email addresses and telephone numbers.

The Regulation applies to any form of personal information that can recognize an EU citizen, including usernames and IP addresses.

Moreover, there is no distinction between data held on an individual in a business or personal capacity - it's all classified as personal information identifying an individual and is hence covered by the new Regulation.

Regards Alisha

[Beeta]

I'm reading very interesting comments on Disqus in the GDPR article: https://thirtybees.com/blog/thirty-bees-and-gdpr/

are those users registered in the forum?

[lesley]

I don't think so.

[toplakd]

Just want to tell that Official PS GDPR module for 1.6 versions is out.

[lesley]

Link?

[lesley]

Ahh I found it. $100, not cheap.

[toplakd]

But based on pictures I stil think they are missing something for contact form, as one who contact us does have to know what happens with his data entered on contact request (his email) :)

[lesley]

I don't know, pushing the button is explicit consent to me.

[toplakd]

Have you ever thought about same crowdfounding for GDPR in TB? I think money should get in fast.

Yeah, for all normal minded (lawyers and other law enforcment excluded) pushing the button means they consent.

User must know what will happen with his personal data before he pushes the button and agree to it as email is personal data. Basicaly data privacy block extended into contact form (easily done).

[lesley]

We are releasing our beta module next week for GDPR and will have a final release the next week.

[toplakd]

That is very nice to hear. As i started playing with manual migration of my store to TB yesterday (on backup)

[lesley]

Nice. Hopefully you like what we have done with the software.

[toplakd]

Would have already donated, but my CC month limit already 99% full do to internet buys, and it resets on 18th. So if I migrate, the money which would be spent on GDPR module will for sure be donated.

[lesley]

Awesome, thank you.

[toplakd]

They cant get me onto 1.7 with some free GDPR module, or even by paying me to use it. So just make sure you add consent/info box also on contact us form. Better 1 checkbox to many as 1 to less.