37 coaches online • Server time: 18:48
* * * Did you know? Up until now, 1479782 players have died on the pitch.
Recent Forum Topics  Conceding v Goblins/... | Advice tabletop tour... | War Drums? |
2018-04-23 12:33:02
24 votes, rating 5.8
24 votes, rating 5.8
FUMBBL and GDPR
On May 25:th, roughly a month from the time of me writing this, the General Data Protection Regulation (GDPR) will take effect. The GDPR is an European Union (EU) regulation on data protection and privacy for individuals within the EU.
This regulation affects all services that collect what is called "Personal Data". In this context, Personal Data means not only the obvious things (your name, email address, and various things advertisers like to track about you), but also some non-obvious things like your IP number, cookies used to maintain your login or things like device identifiers for your mobile devices (phones, tablets, etc), and things you do such as forum posts and posts to social media.
The official regulation document is 216 pages long. Take some time to let that sink in.
So.. Without expecting you all to read those 216 pages, what does that mean for FUMBBL?
Well, a couple of things:
1. FUMBBL will need explicit "Consent" from every member to "Process" their "Personal Data". This only really applies to people within the EU, but I (like more or less everyone else) have no reliable way to identify EU coaches so it will apply to everyone. Given that FUMBBL doesn't function without cookies, this will be a new completely blocking page that will appear before anything on the site shows up.
2. The "Consent" given must be specific and can't be enabled by default. E.g. you've undoubtedly seen the "This site uses cookies" type overlays that show up everywhere on the web today? Well, those aren't good enough with the GDPR so get used to more intrusive things appearing everywhere.
3. FUMBBL currently uses Google Analytics to keep tabs on how users access the site, and various things like which operating system and browser versions you use. In order to not have to look into how Google maintains IP numbers and how that relates to GDPR, I will very likely get rid of that connection. It's simply not important enough for me to spend the time and effort figuring it out. No real change for you all, but a loss of functionality on my end.
4. "Right of access". This is an article of the GDPR that gives citizens the "right to access their personal data and information about how this personal data is being processed". What this means is that FUMBBL has to be very clear about what is tracked about its users, and have a way for users to view this data. In practise, most of what is tracked is directly visible (your teams, your bios, your forum posts, blogs, etc), but I will need to add views of certain other information (session cookies and corresponding IP numbers).
5. "Right to erasure". This article states that FUMBBL has to provision for a way for members to have their personal information removed from the site. Drawn to the full extreme, this would be the equivalent of removing everything relating to the coach (cookies, IP numbers, email addresses, forum posts, blog entries, teams and bios, the user account itself and all matches having been played). Luckily, it's not quite that extreme in reality. the GDPR allows for data to be retained "for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes", assuming measures are taken to "respect for the principle of data minimisation", using something that's referred to as "pseudonymisation" for example. This follows more or less what the site allows for now where people can contact me personally to request to have their private information be removed from the site, but I need to be more clear about this process and what it involves in a more precise way.
There are of course mote to the 216 pages than I can reasonably fit in a blog entry, but the above are the (in my opinion) most important parts.
Oh the joys of regulations... :)
This regulation affects all services that collect what is called "Personal Data". In this context, Personal Data means not only the obvious things (your name, email address, and various things advertisers like to track about you), but also some non-obvious things like your IP number, cookies used to maintain your login or things like device identifiers for your mobile devices (phones, tablets, etc), and things you do such as forum posts and posts to social media.
The official regulation document is 216 pages long. Take some time to let that sink in.
So.. Without expecting you all to read those 216 pages, what does that mean for FUMBBL?
Well, a couple of things:
1. FUMBBL will need explicit "Consent" from every member to "Process" their "Personal Data". This only really applies to people within the EU, but I (like more or less everyone else) have no reliable way to identify EU coaches so it will apply to everyone. Given that FUMBBL doesn't function without cookies, this will be a new completely blocking page that will appear before anything on the site shows up.
2. The "Consent" given must be specific and can't be enabled by default. E.g. you've undoubtedly seen the "This site uses cookies" type overlays that show up everywhere on the web today? Well, those aren't good enough with the GDPR so get used to more intrusive things appearing everywhere.
3. FUMBBL currently uses Google Analytics to keep tabs on how users access the site, and various things like which operating system and browser versions you use. In order to not have to look into how Google maintains IP numbers and how that relates to GDPR, I will very likely get rid of that connection. It's simply not important enough for me to spend the time and effort figuring it out. No real change for you all, but a loss of functionality on my end.
4. "Right of access". This is an article of the GDPR that gives citizens the "right to access their personal data and information about how this personal data is being processed". What this means is that FUMBBL has to be very clear about what is tracked about its users, and have a way for users to view this data. In practise, most of what is tracked is directly visible (your teams, your bios, your forum posts, blogs, etc), but I will need to add views of certain other information (session cookies and corresponding IP numbers).
5. "Right to erasure". This article states that FUMBBL has to provision for a way for members to have their personal information removed from the site. Drawn to the full extreme, this would be the equivalent of removing everything relating to the coach (cookies, IP numbers, email addresses, forum posts, blog entries, teams and bios, the user account itself and all matches having been played). Luckily, it's not quite that extreme in reality. the GDPR allows for data to be retained "for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes", assuming measures are taken to "respect for the principle of data minimisation", using something that's referred to as "pseudonymisation" for example. This follows more or less what the site allows for now where people can contact me personally to request to have their private information be removed from the site, but I need to be more clear about this process and what it involves in a more precise way.
There are of course mote to the 216 pages than I can reasonably fit in a blog entry, but the above are the (in my opinion) most important parts.
Oh the joys of regulations... :)
Comments
Posted by Throweck on 2018-04-23 12:38:08
I'm going through this at the moment. It's a ball ache. I empathise!
Posted by Cloggy on 2018-04-23 12:39:34
Now try being a professional recruiter and trying to work out how the hell to do your job while not breaking these rules every 3.7 seconds :P
Posted by Zed on 2018-04-23 14:00:45
/me ask someone to shake him from his slumber state, "what happened ?"
Posted by Guardikai on 2018-04-23 15:24:41
I have to help get a university ready for this. Yeah. A headache for sure.
Some thoughts:
It only relates to individuals (not corporations or groups - so, leagues are safe at least I suspect) and only where they can be identified.
As the site uses coach names instead of real life names there may be some scope of arguing these are pseudonyms since they don't identify a real life individual (without IP address or other details, which you can keep separately, securely and without public access).
For the google aspect - as long as Google is compliant then they should be responsible, as a third party data processor, for Google Analytics stuff potentially. You may not need to remove this functionality...? Would be easy to give consent to it too.
Maybe helpful:
https://www.fellowshipproductions.co.uk/make-your-website-gdpr-compliant/
Good luck Christer!
Some thoughts:
It only relates to individuals (not corporations or groups - so, leagues are safe at least I suspect) and only where they can be identified.
As the site uses coach names instead of real life names there may be some scope of arguing these are pseudonyms since they don't identify a real life individual (without IP address or other details, which you can keep separately, securely and without public access).
For the google aspect - as long as Google is compliant then they should be responsible, as a third party data processor, for Google Analytics stuff potentially. You may not need to remove this functionality...? Would be easy to give consent to it too.
Maybe helpful:
https://www.fellowshipproductions.co.uk/make-your-website-gdpr-compliant/
Good luck Christer!
Posted by Rags on 2018-04-23 16:05:17
Thanks Christer, on the ball as always. I work in so-called 'big data' for Ireland's Central Statistics Office (CSO), and have already written two Data Protection Impact Assessments (DPIAs) (aka Privacy Impact Assessment (PIA)), one for the CSO, and one for a previous employer the Royal College of Surgeons in Ireland.
DPIAs are kind of an audit of data processing involved in a given project or system, and are required by the GDPR when personal data processing involves 'high risk' to persons rights. EU law enshrines privacy as a 'fundamental human right', and therefore the GDPR requires a DPIA when there are high risks to privacy.
I think that while IP addresses do constitute personal data, and as such do require consent to process, a strong argument can be made that records of teams and matches do not constitute personal data. This information probably cannot be used to identify coaches real life alter egos either directly or indirectly.
Besides IP addresses, fumbbl related material which definitely is personal data under definition includes at least:
[ul]
[li]Profile pics displaying photos of coach and/or family members etc[/li]
[li]Coach handles based directly on real world name[/li]
[li]Credit/debit card or other payment information for fumbbl supporters[/li]
[li]Credit/debit card or other payment information for fumbbl supporters through Patreon[/li]
[/ul]
Indirect identification in the GDPR context is understood using principles of Statistical Disclosure Control (SDC), which basically means a risk of an individual being 'singled out' through a low incidence combination of variables. Just for fun, here's an example - the beloved fumbbl Legend, MattDakka. Could he be identified?
Let's see:
[ul]
[li]Handle gives away first name and indication of surname, probably beginning with D or Da - so Matt D to start[/li]
[li]teams have Italian flag, so he's probably Italian[/li]
[li]profile pic obscures face but shows identifying features - black hair, plays guitar [/li]
[li]tough talk on site indicates egomania [/li]
[/ul]
So Matt D, the black haired guitar picking, Italian Blood Bowl wizard - could he be singled out? Yes probably quite easily by someone who knows him personally, and in the age of google images and what not, probably anyone determined.
On the other hand, a mediocre coach with a generic handle, no profile pic or nationality or other group identity declaration, (me for example) would be more difficult to identify from publicly displayed info. But while some coaches could be easily identified and other couldn't, overall it would have to be considered personal data.
Sorry for the rambling. Bottom line is data on coaches is personal, but data on teams, including matches, probably not. If fumbbl needs a DPIA, I'm happy to do it or to contribute to a team effort.
DPIAs are kind of an audit of data processing involved in a given project or system, and are required by the GDPR when personal data processing involves 'high risk' to persons rights. EU law enshrines privacy as a 'fundamental human right', and therefore the GDPR requires a DPIA when there are high risks to privacy.
I think that while IP addresses do constitute personal data, and as such do require consent to process, a strong argument can be made that records of teams and matches do not constitute personal data. This information probably cannot be used to identify coaches real life alter egos either directly or indirectly.
Besides IP addresses, fumbbl related material which definitely is personal data under definition includes at least:
[ul]
[li]Profile pics displaying photos of coach and/or family members etc[/li]
[li]Coach handles based directly on real world name[/li]
[li]Credit/debit card or other payment information for fumbbl supporters[/li]
[li]Credit/debit card or other payment information for fumbbl supporters through Patreon[/li]
[/ul]
Indirect identification in the GDPR context is understood using principles of Statistical Disclosure Control (SDC), which basically means a risk of an individual being 'singled out' through a low incidence combination of variables. Just for fun, here's an example - the beloved fumbbl Legend, MattDakka. Could he be identified?
Let's see:
[ul]
[li]Handle gives away first name and indication of surname, probably beginning with D or Da - so Matt D to start[/li]
[li]teams have Italian flag, so he's probably Italian[/li]
[li]profile pic obscures face but shows identifying features - black hair, plays guitar [/li]
[li]tough talk on site indicates egomania [/li]
[/ul]
So Matt D, the black haired guitar picking, Italian Blood Bowl wizard - could he be singled out? Yes probably quite easily by someone who knows him personally, and in the age of google images and what not, probably anyone determined.
On the other hand, a mediocre coach with a generic handle, no profile pic or nationality or other group identity declaration, (me for example) would be more difficult to identify from publicly displayed info. But while some coaches could be easily identified and other couldn't, overall it would have to be considered personal data.
Sorry for the rambling. Bottom line is data on coaches is personal, but data on teams, including matches, probably not. If fumbbl needs a DPIA, I'm happy to do it or to contribute to a team effort.
Posted by spelledaren on 2018-04-23 16:17:07
Good luck and carry on. I have been on the sidelines listening to this being processed in school and for our union work. Not an easy task this.
Posted by Arktoris on 2018-04-23 17:08:21
Facebook is dealing with it by moving everything to America. Reading these comments, I don't blame them.
Posted by Christer on 2018-04-23 17:30:39
@Rags, thanks for that post. As for match records being personal information, there's an argument that can be made that because some people participate in things like NAF tournaments, their ID here could be connected to their NAF id. This could lead to their real name and identity. Therefore, explicit consent for FUMBBL storing match data is required.
However, the "right to erasure" does not necessarily require me to delete the matches, but I do need to remove that naf coach name connection (the naf name is stored as an attribute on the coach on here) to create a pseudonymous state. Could someone with enough time on their hands actually connect the two? Probably. But honestly, there's simply no way for me to protect people who post things on public platforms and also expects to be able to maintain complete privacy.
And I honestly don't think the GDPR is out to get public forums in that way. It's there to protect people's private information to be lost, sold or squandered. People who willingly publish their information in public places can't possibly expect it to be private. And I don't mean places like Facebook where you could argue that you're posting only for your friends and not the whole world.
FUMBBL is pretty obviously set up in a way where blogs, forums, teams/players/bios and matches are 100% public access. People's email addresses are obviously not something we publish. I highly doubt we'll get into trouble with GDPR.
However, the "right to erasure" does not necessarily require me to delete the matches, but I do need to remove that naf coach name connection (the naf name is stored as an attribute on the coach on here) to create a pseudonymous state. Could someone with enough time on their hands actually connect the two? Probably. But honestly, there's simply no way for me to protect people who post things on public platforms and also expects to be able to maintain complete privacy.
And I honestly don't think the GDPR is out to get public forums in that way. It's there to protect people's private information to be lost, sold or squandered. People who willingly publish their information in public places can't possibly expect it to be private. And I don't mean places like Facebook where you could argue that you're posting only for your friends and not the whole world.
FUMBBL is pretty obviously set up in a way where blogs, forums, teams/players/bios and matches are 100% public access. People's email addresses are obviously not something we publish. I highly doubt we'll get into trouble with GDPR.
Posted by bghandras on 2018-04-23 17:58:41
I do blame Facebook. For example this may not have happened (so soon) without them. Also expect further legislative actions specifically targeting Facebook (but splash damaging others, like fumbbl), if their response involves only to move to USA (or a banana state) with low level of legislation.
Posted by Rags on 2018-04-23 21:24:26
Agreed. Fumbbl shouldn't have GDPR problems. While the GDPR is strict, it's not about forbidding collection of personal data. A major impetus is cracking down on [i]unconsented[/i] uses of personal data, which is exactly what Facebook and the shady outfits they deal with are in trouble for right now.
Fumbbl is different. Users/people/coaches share their data, which is used by fumbbl exclusively for fumbbl purposes - playing Blood Bowl. Fumbbl doesn't sell this data to Games Workshops, Clearasil, Kerrang, or anyone else. Nor does it engage in other sorts of chicanery without coaches knowledge or consent. Near uniquely in sites I frequent, it doesn't even have ads!
The only data sharing is with the payment facilitators mentioned earlier, Patreon, PayPal, etc. Coaches are fully aware and consent to this, so there's no problem. Basically if fumbbl sticks to the statement of values and intent posted here, everything should be fine: https://www.patreon.com/fumbbl/overview
Alos, while GDPR is strict and is imposing, there's only so much resource available for monitoring and enforcement. Fumbbl is big for a Blood Bowl site, but in the wider world is a small and innocuous hobby outfit. We're unlikely to be a priority for Big Bro.
Fumbbl is different. Users/people/coaches share their data, which is used by fumbbl exclusively for fumbbl purposes - playing Blood Bowl. Fumbbl doesn't sell this data to Games Workshops, Clearasil, Kerrang, or anyone else. Nor does it engage in other sorts of chicanery without coaches knowledge or consent. Near uniquely in sites I frequent, it doesn't even have ads!
The only data sharing is with the payment facilitators mentioned earlier, Patreon, PayPal, etc. Coaches are fully aware and consent to this, so there's no problem. Basically if fumbbl sticks to the statement of values and intent posted here, everything should be fine: https://www.patreon.com/fumbbl/overview
Alos, while GDPR is strict and is imposing, there's only so much resource available for monitoring and enforcement. Fumbbl is big for a Blood Bowl site, but in the wider world is a small and innocuous hobby outfit. We're unlikely to be a priority for Big Bro.
Posted by Lill-Leif on 2018-04-23 21:41:43
6. "Right to revival". This article clearly state that all individuals have the right to revive their retired teams, especially from the lrb4 era.
Posted by Kondor on 2018-04-24 05:21:27
Once again I am amazed that Christer has not decided Fumbbl is more trouble than it is worth and turned off the server permanently.
Thank you sir.
Thank you sir.
Posted by garyt1 on 2018-04-30 19:01:43
sounds like a massive hassle. Well done for taking the task on Christer.
Posted by petalwarfare on 2018-05-10 15:10:14
GDPR is a massive hassle. My work has been dealing with it for over a year so I get the pain. Thanks for doing the work.