GDPR compliance notice

GDPR compliance notice by Charlie Stross (antipope.org)

Once I receive a GDPR request I will comply with it promptly, but bear in mind I'm a human being with a day job, and this blog is a peripheral pursuit. If your requests become an irritant (e.g. if you request multiple fiddly comment deletions or edits across multiple threads) I may just erase all your content and ban you from the blog in future. (GDPR gives you a right to be forgotten; it does not impose an obligation to be remembered.)

I hope to get Charlie Stross's permission to use his text as a starting point for my own GDPR compliance notice.

My ban on EU website traffic has been lifted.

Due to concerns about my legal responsibilities around compliance with the European Union General Data Protection Regulation (GDPR), I configured my Wordfence web application firewall (WAF) to block all traffic originating in EU member countries. While some people think this was an extreme move, the lack of clarity around what is expected of small website operators, together with the fact that I operate an information technology consultancy, left me feeling vulnerable. Until I could understand whether, and how, I needed to comply with GDPR's "right to be forgotten", I simply did not want the risk.

Today, I have removed the WAF rules that restrict traffic originating in the EU. Automattic, the company behind WordPress.com and the supporters of WordPress.org, have updated/are updating JetPack and other properties to comply with the GDPR. Currently, my self-hosted WordPress uses the Jetpack plug-in to handle things like comments and website traffic analysis. This moves some of the risks off to Automattic. They will be the data controller for information collected via comments and website analytics.

Automattic has provided information on what information JetPack collects for comments and how that data is used. They have done the same for website analytics. Click on those links to find out more.

I have added "Do Not Track" code to my WordPress config via JetPack. According to Automattic:

Any piece of data explicitly identifying a specific user (IP address, WordPress.com ID, WordPress.com username, etc.) is not visible to the site owner when using this feature. For example, a site owner can see that a specific post has 285 views, but he/she cannot see which specific users/accounts viewed that post.

Stats logs — containing visitor IP addresses and WordPress.com usernames (if available) — are retained by Automattic for 28 days and are used only for the purpose of powering this feature.
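The "Do Not Track" setting mentioned above is enabled in Jetpack through a WordPress filter rather than a dashboard toggle. The following must-use plugin is an added example and is not code from this blog or from Automattic; it assumes the `jetpack_honor_dnt` filter that Jetpack documents for its Stats module, so check the filter name against the Jetpack documentation for the version you run before relying on it.

```php
<?php
/**
 * Plugin Name: Honor Do Not Track for Jetpack Stats (example)
 * Description: Added example, not part of the original post. Tells the
 *              Jetpack Stats script to skip visitors whose browser sends
 *              the DNT: 1 header.
 *
 * Drop this file into wp-content/mu-plugins/ so it loads on every request
 * without needing to be activated. Assumption: Jetpack exposes the
 * 'jetpack_honor_dnt' filter (documented for the Stats module); if it
 * does not, this file is a harmless no-op.
 */

// Returning true from the filter makes the Stats tracking script respect
// navigator.doNotTrack on the client side, so a DNT visitor's page view is
// never reported to WordPress.com at all.
add_filter( 'jetpack_honor_dnt', '__return_true' );
```

Because the check happens in the visitor's browser, nothing is sent for a DNT user, which is stronger than collecting the hit and discarding it later; it does not, however, affect comments, which are a separate Jetpack module.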

Comments on my blog will be restricted to what JetPack and Webmentions provide. I expect that JetPack comments will soon have the ability for commenters to delete comments, allowing compliance with GDPR requirements. I expect that people using Webmentions understand how they work and understand that they can delete a comment by sending another Webmention to do so.

I do not intend to collect any information on visitors or commenters to this website other than what JetPack collects.

I am basing my decision to remove the WAF rules on the changes that Automattic is making and on the guidance in this codeinwp.blog post. Also, Wordfence has applied "for the Privacy Shield certification program for both EU-US and Swiss-US and will soon have available a Data Processing Agreement" for EU customers who need one.

I guess what's really pissing me off is that although I live in the United States of America, some fucking European law can reach across the ocean and potentially affect me. That, that pisses me off!!

Geography of the visitors to Island in the Net.

PCI DSS & GDPR Compliance Event with (ISC)2 New Jersey Chapter

Attending Regulatory Compliance - PCI & GDPR - Are You Ready?

Agenda

5:30-6:00 Networking / sandwiches

6:00-6:10 Chapter Update

6:15-7:15 GDPR - Will We Make the Finish Line? Mike Money, Protiviti - Global Data Privacy Regulations become fully enforceable on May 25, 2018. Have you implemented the right to be forgotten? Should you?

7:15-8:15 PCI's New Guidance on Cloud Security, Protiviti - Details to follow

I would love to catch up with the folks in the New Jersey Chapter of the ISC2 and I have a special interest in the GDPR. I'm not sure if I'll be working in Manhattan or New Jersey that week. My attendance at the event is dependent on that.