Providing data for GDPR

I don’t mean to offend, but this topic and its companion are a little misleading.

If you’re looking for reliable information on this subject you should restrict yourself to:

  1. Official sources, e.g. the European Commission’s Article 29 Working Party.

  2. Formal legal advice.

Don’t rely on 3rd party summaries (or even what folks are saying here, including me).

Regarding the substantive points, I would point out a few things:

  1. Concerning the Article 29 Working Party’s Guidelines on the Right to Data Portability I note:

    • Availability of data via a JSON API is explicitly mentioned (multiple times) as a suitable data format. In fact one might even say it is encouraged vis-a-vis other methods.

    • There is no requirement to provide everything in a single package, or instantly. The data needs to be provided “within a reasonable time not exceeding one month”.

    • The thrust of the regulation is to avoid data “lock-in” and to promote interoperability.

    As far as I can tell, there is nothing that Discourse needs to add to its existing functionality to allow forums to which this directive applies to comply with it.

  2. Concerning the Right to Erasure (aka “Right to be forgotten”), I would reiterate that the applicable timeline (like with the Right to Data Portability) is one month. There is no need to provide a one-click “Forget me” button for users. It is quite possible to comply with requests to be forgotten within the existing functionality of Discourse.

    Moreover, it is not clear to me that it would be a good idea to allow a user to completely erase all data concerning them by themselves, as the Right to Erasure explicitly requires the data controller to consider exceptions and countervailing rights when complying with a request.

The bottom line here is that, as far as I can tell, Discourse does not contain any structural impediments to your compliance with the GDPR. Compliance with the GDPR is up to you, as it arises in specific cases and is largely a matter of organisational management, not one of technical functionality.

If you think the GDPR may apply to you, you should at a minimum review the help documents provided by the relevant Data Protection Authority in your jurisdiction (as they will be the ones actually enforcing the GDPR), and seek legal advice if you have specific concerns. If you’re not sure which DPA applies to you, you can review the European Commission’s own documents I linked above, or just pick a DPA that uses a language you can understand.

None of the above constitutes legal advice, and I am not your lawyer.