Thread tagged as: Question, Discussion

GDPR compliance

I have been reading about this confusing GDPR thing coming in May. Will Perch be changing the way form data is stored? The article at this link summarises the changes affecting websites quite well.

https://www.fellowshipproductions.co.uk/make-your-website-gdpr-compliant/

It would be good to hear what other web folk have implemented ahead of the GDPR start date, 25th May 2018.

James Tedder 0 points

  • 3 years ago
Simon Clay 127 points

Yes, I'm interested to hear opinions too.

One of my clients, a recruitment agency, is going to a workshop about it on Monday. I'll report back about any info they feed back to me.

In their case they receive and store job applications and CVs submitted through Perch Forms. So, at the moment, we think that we'll need to add a check box on the form to say that the applicant gives consent for us to store their details.

I'll post back if I find out more.

ADDITION: After reading the helpful article mentioned and linked above: getting consent is one (important) thing, but storing the data in a truly encrypted way on the database is another essential factor, referred to as 'pseudonymisation'. All CMSs will need solutions to this.

With "The maximum sanction for non-compliance with the GDPR is 20,000,000 Euros or up to 4% of your annual worldwide turnover (based on figures from the preceding financial year), whichever is the greater. Yup, you read that right.", hopefully Perch, along with all the other CMS players, will begin to address the issues that are raised by the new legislation.

Rachel Andrew 394 points
Perch Support

Like everyone, we are still assessing the impact. However, it is unlikely that anyone in our situation can offer a "compliant solution", as the questions you need to ask vary from business to business and depend on more than our software: for example, the security of the web server (we know how poor security is on much shared hosting), and what happens to the data once downloaded.

By default, all that Perch stores is a name and email address so that you can log into your account; anything else is at the discretion of the person building the website.

Simon Clay 127 points

I completely agree, Rachel. The legislation reaches so far and wide that there is a lot to take in, even what emails you keep.

As time ticks towards the deadline in one year, I reckon our clients will be beginning to ask "will the data from our website forms be saved in a 'pseudonymisation-al' way on the database?" (well, they probably won't use that wording :))

As a website developer I imagine I'll be needing to use CMSs that have solutions to the issue.

I am sure more will become apparent as it unravels, just as in the 'Cookie consent' fiasco.

Rachel Andrew 394 points
Perch Support

As I say, all Perch stores by default is login information.

There is nothing to stop anyone using the API to create a solution that complies with their client's needs. That would be my approach if I were using a third-party system: find out what my client needed and develop a solution for them. Any other self-hosted CMS will be in the same position as us with regard to compliance. It's the same as PCI-DSS or EU VAT: we can give you some tools, but we can't tell you whether they comply, as a great part of this is out of our hands.

Duncan Revell 78 points
Registered Developer

Disclaimer: I'm not an expert on GDPR. I half-know someone who has been on a Data Protection Officer course/seminar with the ICO. Personally, I would only "trust" ICO documentation on this (quite a good overview here: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf) - there will start to be lots of articles from people that want organisations to buy their "thing" or "service" that will "fix" GDPR. And they will all quote the potential fine as a way to encourage that sale...

The ICO said in their seminar (don't forget I wasn't there - this is second-hand) that they exist to help organisations, not fine them, and that to start with, they encourage every organisation to look at process - how has personal data been collected, why has it been collected, who has access to that data (and why). That's the biggest part of GDPR - gaining control of the data and being able to demonstrate that processes have been introduced and documented.

There isn't (yet) a requirement for pseudonymisation - GDPR promotes it as a way to protect personal data - in fact, going as far as to say that some parts of GDPR legislation are relaxed for data that has been pseudonymised. Again though, it's not a requirement.

Also, pseudonymisation does not equal encryption - they are separate things, often used together. Also, saying "my CMS uses pseudonymisation" does not mean the CMS is GDPR compliant.

The other point from that seminar was to not get caught up in the small things - the ICO want organisations to demonstrate an understanding of the bigger picture when it comes to personal data.

This is just my understanding - I'm not saying it's right!!
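To make Duncan's distinction concrete, here is an added example (not code from the forum, from Perch, or from any poster) that pseudonymises a constructed form submission: direct identifiers are replaced by keyed tokens, and the token-to-identity mapping is held separately from the record. The key, the field names and the sample record are assumptions for illustration; note that nothing here is encryption, and the record stays personal data as long as the lookup table exists.

```python
import hashlib
import hmac

# Constructed sample of a job-application submission as a CMS form might store it.
SUBMISSION = {
    "name": "Jane Example",
    "email": "jane@example.invalid",
    "role": "Junior Developer",
}
# Fields that directly identify the applicant (assumption for this example).
DIRECT_IDENTIFIERS = ("name", "email")
# Secret pseudonymisation key; in practice this lives outside the CMS database.
KEY = b"constructed-demo-key-do-not-reuse"


def token_for(value: str, key: bytes = KEY) -> str:
    """Deterministic keyed token: same input + same key -> same token."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(record: dict, lookup: dict, key: bytes = KEY) -> dict:
    """Return a copy with identifiers replaced by tokens; mapping goes into `lookup`."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        tok = token_for(record[field], key)
        lookup[tok] = record[field]  # the only route back to the real identity
        out[field] = tok
    return out


def reidentify(record: dict, lookup: dict) -> dict:
    """Reverse pseudonymisation; only works while the separate lookup table exists."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        out[field] = lookup[record[field]]
    return out


def is_still_linkable(a: dict, b: dict) -> bool:
    """Two pseudonymised records for the same person share tokens, so they remain linkable."""
    return all(a[f] == b[f] for f in DIRECT_IDENTIFIERS)
```

Because the tokens are deterministic, repeat submissions from the same applicant remain linkable, which is exactly why the GDPR still treats pseudonymised data as personal data.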

Rachel Andrew 394 points
Perch Support

Thanks Duncan - that roughly aligns with my basic understanding as well.

With my other hat on I've commissioned a couple of articles for Smashing Magazine that hopefully will shed some light on what developers need to know.