GDPR - what does it mean for us?
Lydia Pintscher
lydia at kde.org
Sun Apr 1 15:07:38 UTC 2018

Hey folks,

As you might have heard new EU privacy regulations are going to come
into effect on May 25th. I wanted to start this thread to see if there
is anything we still need to do and to make sure we're all aware of it
for future activities.

I found https://blog.varonis.com/gdpr-requirements-list-in-plain-english/
helpful in understanding what it all means.

What I am taking away from it for us so far:
* Don't track without consent unless required by law. Consent needs to
be asked for in plain understandable language. Collecting data without
being able to track the person seems ok (and relevant for our
telemetry efforts).
* When we're asking for data we need to have a reason for it and we
need to make it explicit what we're using the data for.
* People can ask for all the data we have about them and can ask for
it to be deleted. This means we need to make it less of a pita to do
this for sysadmin. And we need a list of all the places where we hold
data. Sysadmin: do you have that already?
* Penalties for non-compliance are potentially _severe_.

What's still fuzzy to me:
* What is considered data in this context? A user profile that the
user himself created? A machine-generated user profile based on
actions the user took for advertising etc? A post on a forum? Probably
all of the above.

Are you aware of any place where we're not in compliance atm? Anything
we need to do still?

Cheers
Lydia
--
Lydia Pintscher - http://about.me/lydia.pintscher
KDE e.V. Board of Directors
http://kde.org - http://open-advice.org