datakick Posted May 10, 2018
I know next to nothing about the upcoming GDPR sh*t, so I wanted to ask more knowledgeable people on this forum if there's anything I need to change in my modules to make them GDPR compliant. I have two modules that I believe could be affected - the revws module that collects product reviews, and price alert, which notifies your customer when the price drops below some threshold. Both these modules collect personal information, specifically email addresses. So, do I need to add some sort of consent on the form, or will this be covered by some generic site-wide consent? Also, do I need to implement some hook to delete a user's data, say hookEuropeanBureaucracy? Is there anything else I need to worry about? I would really like to have some sort of GDPR compliant badge on my modules :)
lesley Posted May 10, 2018
IMO those should be covered by a site-wide consent as long as it is mentioned in the GDPR notice of the site. BUT, what is the pain is they do need to be able to export data with a main site data export. Like, say I am using a site with the module installed and I want to export or delete my data, it does need to trigger an export or delete from your modules.
datakick (Author) Posted May 10, 2018
@lesley thanks. I hoped that the consent won't be necessary. So I guess there will have to be two new hooks that core (or the GDPR module) will trigger. One hook for data deletion, and one for export. These hooks should probably receive customer id and customer email as input parameters, so modules could find the data accordingly. The deletion functionality is quite straightforward, export is more tricky. Will it be sufficient if the module returned associated data as one big string blob?
lesley Posted May 10, 2018
You are correct. This might be something for @SnowyCat to talk about, he is working on the GDPR module. For export, the best I can tell is it needs to export. I have yet to see anything that suggests it needs to be in any format or anything like that. We were just going to go with a loosely formatted CSV because really what can you do with all that data? You can never import it back into anything.
datakick (Author) Posted May 10, 2018
All right. I'll implement CSV data export and data deletion in my modules. Once you guys have the GDPR module ready, I'll integrate these features with your hook(s).
datakick (Author) Posted May 10, 2018
Here are official guidelines from ps on how to make community modules GDPR compliant.
@SnowyCat / @lesley - will the thirtybees GDPR module be compatible with these hooks? It would be very unfortunate if it wasn't, as all ps16 modules that implement these guidelines couldn't be used on thirtybees.
lesley Posted May 10, 2018
I think it would be best if we were. But I will defer to @SnowyCat again.
30knees Posted May 10, 2018
@datakick said in Question: GDPR for module developers:
> I have two modules that I believe could be affected - the revws module that collects product reviews, and price alert, which notifies your customer when the price drops below some threshold. Both these modules collect personal information, specifically email addresses.

But you don't get any personal data, only the shop owner does, right? This should be covered in the privacy notice towards the customer. What you want to make sure is covered is:
- Export of the data supplied, e.g. in a CSV
- Data deletion
- Data correction

The PS guidelines say you need a consent tick box. That is incorrect. Consent need not be indicated by a tick box. If the customer submits a review it's clear that they consent to that processing.
lesley Posted May 10, 2018
Right, what he is talking about is hooking into a central system to download data. I think it will be confusing for a user and likely not compliant if there are 10 different systems on one shop to download data. So our module is going to have a central system that module makers hook into that the data can be downloaded from.
toplakd Posted May 12, 2018
Then the same thing would most likely be possible with the "consent checkbox", just placing the hook in the desired module? I think that's how the PS module works.