Webhooks and GDPR

gdpr

(Andrew P) #1

I’ve been lurking here for a bit as I’ve been setting up a Discourse forum, but I’m not completely certain of the forum structure to be sure that this is the right place for this post. Please move if needed.

GDPR is a hot topic lately and I came across something today which may unknowingly expose some admins to liability.

I was experimenting with the webhook functionality to use Zapier to notify me when a new user has signed up. It would appear that the user’s email address is included in the JSON package that is sent via the webhook POST.

Unless the site admin discloses the third parties that webhooks are sent to, the personally identifiable data contained in the message, and the purpose for sending it, they may be opening themselves up for some unintended liability. I’m not sure what the best course of action is here, but at a minimum it would be nice if there were an option to eliminate certain fields (or at the very least the email address) from the webhook message.

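Until fields can be chosen in the UI, a relay sitting between Discourse and the third party can drop personal data before forwarding. The following is an added example, not Discourse code or anything from this thread; the key list and the sample payload shape are assumptions, with only `email` taken from the post above.

```ruby
require 'json'

# Keys treated as personal data that must not leave the site via a webhook
# unless the recipient and purpose have been disclosed. This list is an
# assumption; extend it to match the payloads your own hooks emit.
PII_KEYS = %w[email secondary_emails unconfirmed_emails ip_address].freeze

# Recursively remove PII keys from a payload (Hash, Array or scalar).
# Returns a new object; the input is left untouched.
def strip_pii(value, pii_keys = PII_KEYS)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), out|
      next if pii_keys.include?(k.to_s)
      out[k] = strip_pii(v, pii_keys)
    end
  when Array
    value.map { |v| strip_pii(v, pii_keys) }
  else
    value
  end
end

# List PII keys still present anywhere in a payload as dotted paths, so a
# relay can refuse to forward a body the filter missed.
def pii_paths(value, pii_keys = PII_KEYS, prefix = '')
  case value
  when Hash
    value.flat_map do |k, v|
      path = prefix.empty? ? k.to_s : "#{prefix}.#{k}"
      pii_keys.include?(k.to_s) ? [path] : pii_paths(v, pii_keys, path)
    end
  when Array
    value.each_with_index.flat_map { |v, i| pii_paths(v, pii_keys, "#{prefix}[#{i}]") }
  else
    []
  end
end

# Constructed sample resembling a new-user webhook body (not a real capture).
SAMPLE = <<~JSON
  {"user": {"id": 42, "username": "newbie", "name": "New User",
            "email": "newbie@example.com", "trust_level": 0}}
JSON

def sanitized_sample
  strip_pii(JSON.parse(SAMPLE))
end

puts JSON.generate(sanitized_sample)
puts pii_paths(JSON.parse(SAMPLE)).inspect # => ["user.email"]
```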

(Sam Saffron) #2

I can see us allowing you better control via the UI of what fields to include and what not to include. Nothing is slotted yet but it could be achieved in a plugin of sorts.


(Andrew P) #3

Thanks @sam! That functionality would be very much appreciated. Mostly wanted to log it here so people were aware of it.