Message Boards

The EU General Data Protection Regulation (GDPR) compliance

Updated 6 years ago by Jan Tošovský.

The EU General Data Protection Regulation (GDPR) compliance

Liferay Master, Posts: 566, Join Date: 10/07/22
I would be grateful for any dedicated page covering the compliance of the Liferay portal with GDPR, see http://www.eugdpr.org/
I am especially curious how LR deals with:
  • Right to be forgotten
  • Right for a data subject to receive the personal data concerning them

When a user is selected in User Admin, it would be nice to offer new actions in the context menu (e.g. Forget this user or Export personal data).

Jan

Updated 6 years ago by David H Nebinger.

RE: The EU General Data Protection Regulation (GDPR) compliance

Liferay Legend, Posts: 14916, Join Date: 06/09/02
I've always wondered just how clear those regulations were myself.

I mean, if I just do a forum post that says "Hi Jan Tošovský" but you file a request to be forgotten, what has to happen? I mean, sure maybe your account gets dropped, but how far does it go?

You have 438 forum posts so far, are they to be deleted? Or just your name scrubbed from them? What happens to all of the valuable contributions you might have made in those?

And my forum post with your name. Does the right to be forgotten mean that every forum post, wiki page, etc has to be scanned looking for your name? Does my forum post get deleted or your name blanked out or ...?

And what if I do "Hi Jan Tosovsky" or "Jan Tosovski" where I've substituted ascii chars or just spelled your name wrong? How does that work?

I mean, I've never looked at the actual regulation itself, but I have wondered just how far it could be taken...

Come meet me at Devcon 2017 or 2017 LSNA!

Updated 6 years ago by Christoph Rabel.

RE: The EU General Data Protection Regulation (GDPR) compliance

Liferay Legend, Posts: 1554, Join Date: 09/09/24
Well, I'm not a lawyer, but to me it seems we need to delete (or at least hide from the public, if deletion is "impossible", e.g. because it is required by law to keep those records for some reason):

Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.


So, yes, "Hi Jan Tošovský" should be removed. Forum posts are a murky subject, since they will often not contain any personal information (except for the author field of course), but considering the hefty fines that can easily go into the millions, I'd rather delete them completely than miss something like "My email is ..." in one of the posts.

And I would probably delete the whole thread just to make sure that misspellings like "Jan Tosovsky" are deleted as well. Not because I think it is required by the law, just to make sure.

I already had this discussion with our chief of security. We have a small online shop selling mostly Microsoft products and we discussed how to comply with the law. Luckily, it's rather easy in our case. But this law will cause a lot of headaches for a lot of people.

Updated 6 years ago by David H Nebinger.

RE: The EU General Data Protection Regulation (GDPR) compliance

Liferay Legend, Posts: 14916, Join Date: 06/09/02
Christoph Rabel:
So, yes, "Hi Jan Tošovský" should be removed.


Really? I mean, I could accomplish the same desire by systematically changing it to "Hi J.T." to leave the post and content in place.

Forum posts are a murky subject, since they will often not contain any personal information (except for the author field of course), but considering the hefty fines that can easily go into the millions, I'd rather delete them completely than miss something like "My email is ..." in one of the posts.


Can't you see how messy that can be? I mean, even this post will have your name stamped on the part that I quoted. You're talking practically a full text scan of every piece of content, document, etc. And how about if I upload a video of a sock puppet saying "Hi Chris Rabel"? A scan of that won't work, there's no transcript to identify the video from, so how could any organization be expected to get 100% compliance?

And really since this is mostly data related, it's possible that each instance of Liferay may be more or less work to clean up depending upon usage, data, etc.

And I would probably delete the whole thread just to make sure that misspellings like "Jan Tosovsky" are deleted as well. Not because I think it is required by the law, just to make sure.

I already had this discussion with our chief of security. We have a small online shop selling mostly Microsoft products and we discussed how to comply with the law. Luckily, it's rather easy in our case. But this law will cause a lot of headaches for a lot of people.


I don't doubt that at all. I'm just filled with questions such as could you serve Liferay w/ a request to be forgotten from liferay.com? Liferay is not based out of the EU although they have offices there. If the data is not in the EU, hosted in data centers purposefully kept out of the EU, how would that work?

I get the core expectation that someone convicted of a crime may not be able to get past that, regardless of rehabilitation, because the internet never forgets and this kind of thing would haunt someone far beyond the end of the penalty phase.

I'm not a lawyer, but I see all kinds of murky situations where by law it is right to be erased, but in practicality and scope it would be a heck of a lot of work and expense to get it right.

Updated 6 years ago by Christoph Rabel.

RE: The EU General Data Protection Regulation (GDPR) compliance

Liferay Legend, Posts: 1554, Join Date: 09/09/24
David H Nebinger:
Christoph Rabel:
So, yes, "Hi Jan Tošovský" should be removed.

Really? I mean, I could accomplish the same desire by systematically changing it to "Hi J.T." to leave the post and content in place.


Sure, but then I have to read the posts and do it manually. If there are just a couple of posts/hits, fine.

David H Nebinger:

Can't you see how messy that can be? I mean, even this post will have your name stamped on the part that I quoted.

Absolutely. And that's why I would just axe all relevant threads.

David H Nebinger:

You're talking practically a full text scan of every piece of content, document, etc. And how about if I upload a video of a sock puppet saying "Hi Chris Rabel"? Scan of that won't work, there's no transcript to identify the video from, so how could any organization be expected to get 100% compliance?


There are some limiting clauses in the regulation about things that constitute "unreasonable effort", but they don't really make it better. Since there is no clear line, where am I safe? Since the fines are really hefty, I'd rather err on the far too cautious side.


I don't doubt that at all. I'm just filled with questions such as could you serve Liferay w/ a request to be forgotten from liferay.com? Liferay is not based out of the EU although they have offices there. If the data is not in the EU, hosted in data centers purposefully kept out of the EU, how would that work?


Yes. AFAIK, a citizen of the EU could request that from Liferay. Generally speaking: When you offer services in the EU and collect personal data of citizens, the regulation applies to you.

Updated 6 years ago by David H Nebinger.

RE: The EU General Data Protection Regulation (GDPR) compliance

Liferay Legend, Posts: 14916, Join Date: 06/09/02
Christoph Rabel:
David H Nebinger:
Can't you see how messy that can be? I mean, even this post will have your name stamped on the part that I quoted.

Absolutely. And that's why I would just axe all relevant threads.


Wow. Can you imagine the loss of information for that kind of thing?

Me, for example, I don't think you can surf but a handful of posts here on liferay.com w/o running into my name, but if I could request to be forgotten, your solution is just deleting every thread I've participated in?

That's kind of significant, scary and depressing.

Updated 6 years ago by Christoph Rabel.

RE: The EU General Data Protection Regulation (GDPR) compliance

Liferay Legend, Posts: 1554, Join Date: 09/09/24
Yes. It's horrible.
In your case (if I were Liferay) I would a) consult a lawyer and b) try to settle it somehow with you.

But, provided that doesn't work out, what would you do? Scan all your 13,000 posts and all corresponding threads and ack/remove them manually?

Updated 6 years ago by Jan Tošovský.

RE: The EU General Data Protection Regulation (GDPR) compliance

Liferay Master, Posts: 566, Join Date: 10/07/22
Good points. By forgetting I mean anonymizing, not deleting, e.g. Jan Tosovsky -> 124515 (user ID).
I can't imagine replacing the name in the content. How about users with the same name? How about name variants (Tosovsky, Tošovský)?
The same applies to exporting user content. I mean only the content created by that user should be taken into account, not the content mentioning that user (citations).

But I am afraid this could bring a new way to compromise competitors: create an account in their system and then require complete removal. If their system is unable to do it properly, then initiate a lawsuit with the goal of forcing the other party to pay high fines. A frightening idea.

Updated 6 years ago by Milen Dyankov.

RE: The EU General Data Protection Regulation (GDPR) compliance

Expert, Posts: 310, Join Date: 12/10/30
I'm not a lawyer and I'm far from being an expert in legal matters.

That said, I think we need to make few things clear.

It's not the tool that must comply with GDPR

It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.


Therefore I don't think there is (or will be) any page or resource containing information regarding "compliance of Liferay portal to GDPR".

It is not limited to the data in given system

While I agree with you that having "Forget this user" and "Export personal data" buttons would be nice, those cover very simple scenarios where all the data is kept in Liferay's database. In reality, the data can be (and often is) stored in multiple systems (LDAP, external databases, 3rd party systems, ...) or even in the platform but in customized ways (custom attributes, plugins, files, ...).

Perhaps the Liferay platform could provide some functionality that helps with this (especially considering that liferay.com contains "data of data subjects residing in the European Union" who may want to exercise their rights), but I find it hard to imagine a generic, built-in functionality that would provide the end user with the desired outcome OOTB. That said, it should be relatively easy for Liferay customers to build this feature in their own Liferay based solutions using Liferay's APIs and taking into account external data storages and product customizations.

Data controlled and processed vs. personal activities

This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

The way I understand this in the context of David's forum post example is that the user data should be removed / anonymized in the box showing the author of a given post (this is what the service owner controls and processes), but it is not required to search and replace through all posts (this IMHO falls under "personal activities").
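The approach Jan sketches (forget = pseudonymize the profile by user ID rather than delete; export only content the subject authored, not content that merely cites them) and Milen's point that the author field is what the operator controls can be shown in a few lines. The example below is added here and is not Liferay code, nor anything the thread's participants wrote; the user and post records are constructed in-memory dictionaries, not Liferay's data model or API, and the "user-<id>" placeholder, the `_fold` normalization and the review-list return value are assumptions of this example. It keys on user ID so a namesake with the same display name is never touched, and it reports (rather than edits) post bodies that still mention the subject's name or email, which is the part Christoph and David disagree about and which a human has to decide.

```python
"""Pseudonymize one data subject by user ID and export what they authored.

Added example, not Liferay's code. Records are constructed in-memory dicts;
the field names, the "user-<id>" placeholder and the diacritic folding are
assumptions of this example, not anything the original thread prescribes.
"""
import json
import re
import unicodedata

# Constructed sample data (no real users or posts). Two subjects share a
# display name on purpose: erasure must be keyed on the ID, not the name.
USERS = {
    124515: {"name": "Jan Tosovsky", "email": "jan@example.com"},
    124516: {"name": "Jan Tosovsky", "email": "other-jan@example.com"},
    20001: {"name": "David", "email": "david@example.com"},
}

POSTS = [
    {"id": 1, "author_id": 124515, "body": "How does LR handle erasure?"},
    {"id": 2, "author_id": 20001, "body": "Hi Jan Tošovský, good question."},
    {"id": 3, "author_id": 124516, "body": "Unrelated post by a namesake."},
    {"id": 4, "author_id": 124515, "body": "My email is jan@example.com"},
]


def _fold(text):
    """Strip diacritics and case so 'Tošovský' and 'tosovsky' compare equal
    (one of the name-variant cases raised in the thread)."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()


def export_subject_data(users, posts, user_id):
    """Right of access: the subject's profile plus the posts they authored.
    Selected by author ID, so posts that only mention the subject, and posts by
    a namesake, are not part of the export."""
    authored = [p for p in posts if p["author_id"] == user_id]
    return {"user_id": user_id, "profile": dict(users[user_id]), "posts": authored}


def forget_subject(users, posts, user_id):
    """Right to erasure implemented as pseudonymization: the profile fields are
    replaced by an opaque placeholder derived from the user ID, while posts keep
    their author_id reference so threads stay intact.

    Returns (pseudonymized_users, review_post_ids). The review list holds IDs of
    posts (by anyone) whose body still contains the subject's name or email;
    nothing is rewritten automatically, a human decides per post. Misspellings
    such as 'Tosovski' are not matched: exact-token matching only."""
    subject = users[user_id]
    pattern = re.compile(
        r"\b" + re.escape(_fold(subject["name"])) + r"\b"
        + "|" + re.escape(_fold(subject["email"]))
    )
    pseudonymized = dict(users)
    pseudonymized[user_id] = {
        "name": f"user-{user_id}",
        "email": f"user-{user_id}@invalid",  # RFC 2606 reserved TLD, never deliverable
    }
    review = [p["id"] for p in posts if pattern.search(_fold(p["body"]))]
    return pseudonymized, review


if __name__ == "__main__":
    print(json.dumps(export_subject_data(USERS, POSTS, 124515), ensure_ascii=False, indent=2))
    new_users, needs_review = forget_subject(USERS, POSTS, 124515)
    print("profile after forget:", new_users[124515])
    print("namesake untouched:", new_users[124516])
    print("posts needing manual review:", needs_review)
```

In a real deployment the same two operations would have to be repeated against every store Milen lists (LDAP, external databases, custom attributes, uploaded files), and the review list is the honest answer to David's full-text-scan question: the operator can find exact mentions cheaply, but deciding what to do with them is not something the tool can settle.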

Updated 6 years ago by Robin Wolstenholme.

RE: The EU General Data Protection Regulation (GDPR) compliance

New Member, Posts: 1, Join Date: 17/06/05
Hi Milen, David and others following this thread.

You may be interested to know that Liferay is hosting a panel session "Public vs Private sector : GDPR's implications for personal data" at the annual UK event, LDSF UK, on November 8th. This will explore many of the implications for people managing customer (albeit citizen) data at an organisational level. It is not the forum for technical questions, but it is an opportunity to pose questions to a panel of experts and peers.

This is an important topic for many people, and an appropriate forum to share thoughts and experiences given the event spans both business and Liferay technical topics and is the largest gathering in the year.
Updated 5 years ago by Jan Tošovský.

RE: The EU General Data Protection Regulation (GDPR) compliance

Liferay Master, Posts: 566, Join Date: 10/07/22
I very much appreciate that Liferay's engineering team is working on it:
https://web.liferay.com/web/dennis.ju/blog/-/blogs/upcoming-gdpr-focused-features-for-liferay-d-1