We have an internal wiki, for our employees' use only. Even we have to comply. There are EU
citizens that access the wiki, so the data must be protected. Our installation is in
Azure, and the disks we use are encrypted by Azure, so I don’t have to worry about that.
For removal of personal data on request, we plan to remove the username, full name, and
email address from the user table, replacing the username with a GUID which we will not
track. Of course, the user will no longer be able to access the wiki.
It’s important to remember, GDPR protects all EU citizens, regardless of where they live.
They can be living in the USA and they are still protected by GDPR. It also protects
citizens of other nations if they are currently residing in the EU zone. Very broad scope
indeed.
--Mark
On Feb 21, 2018, at 8:46 PM, Tom Hutchison
<tom(a)hutch4.us> wrote:
So it goes even a bit further.
@mat54: so even if you are an invite only, even if only one of your users resides in a
country in the EU (including the UK until they break) you must be in compliance with GDPR.
@Derk-Jan: Not only why you need the data and what the data is, the data has to be
encrypted in "flight and at REST" at all times. In flight is easy, SSL. At REST
would mean encrypting all the personal data in the database.
Trying to define personal data is a moving target. It really depends. There is the
standard MediaWiki install which would include at best, a username, optional real name,
email address and standard log entries attached to activity. Add extensions such as
CheckUser or SocialProfile and the complexity of the personal data starts to grow. Install a
new extension, then you have to ask does it increase personal data.
Sadly, some of the forum posts, comments and discussions I have seen for other software
and website owners talk of GEO blocking EU countries.
Tom
-----Original Message-----
From: MediaWiki-l [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Derk-Jan
Hartman
Sent: Wednesday, February 21, 2018 12:18 PM
To: MediaWiki announcements and site admin list <mediawiki-l(a)lists.wikimedia.org>
Subject: Re: [MediaWiki-l] EU’s GDPR and MediaWiki on only invited users
@mat54
The definition of personal information in this law is most likely wider than you assume.
It also includes IP addresses, nicknames, login ids, real names, fingerprints of your
browser, etc. Basically anything that can potentially lead back to the user.
The collection of the data in itself is not the problem though. The purpose with which
you do so, having permission (by law, process or user consent), and what you do with the
data when you no longer need it are the key technical aspects. Added to this, your
ability to tell the user what information you have collected about him, and to potentially
remove or anonymise that data when requested, is what determines your liability here. And
like so often with law aspects, the answer then quickly becomes 'it depends'.
For instance, if you can easily remove stuff from the database yourself, because you have
the skill and your user base is small enough that this procedure is manageable, then you
don't need the software to be able to do that for you. You are still compliant.
If you leak all the email addresses and real names of all your users (former and current)
of a forum for coaching people with mental illness, then you have a problem (you leaked
identifiable (medical) information of users who are no longer part of the coaching
program), especially if those people had actively requested you to delete the information
you have on them.
DJ
On Wed, Feb 21, 2018 at 5:23 PM,
<mat54(a)ziggo.nl> wrote:
LS,
First of all I have no legal background so the solution must be simple
and clear (KIS)
On my wiki there are only invited users, and from them I do not have, for example, a birthday,
address or other personal information.
So in my simple mind I don’t have privacy content.
But the question remains: must I still comply with the new ruling?
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.wiki…
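The erasure plan from the message at the top of this thread (blank the full name and email address, replace the username with a GUID that is not tracked, and stop the account from logging in), as an added example that is not code from the thread or from MediaWiki. The reduced `user` table, its constructed sample rows, and emptying the stored password hash as the way to block login are assumptions made for this illustration.

```python
import sqlite3
import uuid

# Assumption: reduced stand-in for a wiki user table, identifying columns only.
SCHEMA = """
CREATE TABLE user (
    user_id        INTEGER PRIMARY KEY,
    user_name      TEXT NOT NULL UNIQUE,
    user_real_name TEXT NOT NULL DEFAULT '',
    user_email     TEXT NOT NULL DEFAULT '',
    user_password  TEXT NOT NULL DEFAULT ''
);
"""

def make_demo_db():
    """Build an in-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?, ?, ?)",
        [(1, "Alice", "Alice Example", "alice@example.org", ":hash:aaa"),
         (2, "Bob", "Bob Example", "bob@example.org", ":hash:bbb")],
    )
    conn.commit()
    return conn

def erase_user(conn, user_id):
    """Overwrite the identifying fields of one account; True if a row changed.

    The random GUID is neither returned nor logged, so no mapping from the
    old username to the placeholder survives the call.
    """
    placeholder = str(uuid.uuid4())
    with conn:  # single transaction: every field changes or none does
        cur = conn.execute(
            "UPDATE user SET user_name = ?, user_real_name = '', "
            "user_email = '', user_password = '' WHERE user_id = ?",
            (placeholder, user_id),
        )
    return cur.rowcount == 1

def residual_matches(conn, values):
    """Post-check: count rows that still hold any of the erased values."""
    q = ("SELECT COUNT(*) FROM user WHERE user_name = ? "
         "OR user_real_name = ? OR user_email = ?")
    return sum(conn.execute(q, (v, v, v)).fetchone()[0] for v in values)
```

The post-check only covers this one table; any extension table or log that stores the same values needs the same query run against it.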