General Data Protection Regulation : action plan proposition

Following the discussion from Legal conformity: what we need to do here is a proposal only on the data regulation topic.

I am in touch with a company in France (managed by Michael) working to support GDPR conformity processes. They really support what we do, they already knew us, and they are ready to adapt their offer to support us even if we don’t have huge resources.

Our posture regarding GDPR is one of a “sub-contractor” / “supplier” for the person responsible for data processing.
The person in charge of data processing is the hub manager who decides about the treatments of his customers’ data (he can export them into mailchimp if he wants to do marketing, etc.), he is the one who collects the data, and decides to use OFN as a tool to operate his activity, so for that some of his data will be stored on OFN (especially customers’ data and records regarding transactions).

Our responsibility as sub-contractor is to give the full capacity to the person in charge of data processing (the hub manager) to be legally compliant.
For instance, we need to enable him to know which users have been inactive for more than three years and enable him to delete them. We need to give him the possibility to keep, archive or delete the information relative to his sales, his customers, etc.

From May 2018, any hub who serves one EU citizen is supposed to respect the RGPD obligations…
And as a supplier we are also supposed to show that we put all in place to ensure data protection and enable our clients to respect their obligations in terms of data conservation, etc.
If a hub is sued because he didn’t respect the RGPD, he can sue back Open Food France (or other relevant instance) and we need to be able to prove that we did what was required on our side.

The support Michael proposes to us is to:

  • Identify the existing activities managed through OFN (in terms of data processing)
  • Audit those activities
  • Produce the official register that we will have to submit yearly to the EU authority
  • Give recommendations for every activity which is not compliant on how we can better align step by step with the legislation.
    All companies are in the same situation as us; what we need to prove is not that we are perfect, but to be transparent about what’s good and what’s not and set up a plan to become compliant where we are not.

We propose to do this work first for Open Food France, and translate the results in English, so if the processes are the same in other instances (which I suppose more or less), you won’t have to redo the whole thing, but you will need to publish your own register as we are separate entities.

Before entering that conformity project, I propose to pay for some “per hour consultancy” to help us take the good decisions on the deletion projects we are implementing ([FEAT] Deletions on OFN).
I proposed to list some concrete questions by mail and then plan a 1h call for instance with me, @enricostn and/or @lin_d_hop and Michael (or the best placed person to answer from their side), so that they help us take the good decision in implementing the deletion processes (so that we don’t have to redo all when we start working on conformity).

Budget:

  • Per hour consultancy: 300€ before tax (cost for OFFrance 360€/h as we are not in VAT scheme)
  • Existing activity list and description: pack of 2700€ before tax. We can reduce the cost if we do some homework and just spend 2-4 hours with the experts (could be more around 1200€ before tax)
  • First level audit: usually it’s 350€ by activity, estimate 5 to 10 activities for OFN. Again they can provide us with their analysis frames and we can try to do it ourselves and just pay for their support / validation of our work. And we can do that step by step.
    So the idea is that they could guide us in establishing our official data processing register, but we would do it ourselves to reduce the cost.

So the action plan I propose is:

  • On demand consultancy on the topic of data deletions (financed by OFFrance) > we need to establish a list of questions (see here: What to implement in terms of users/enterprises removal)
  • First step conformity: identification of the existing data processing activities in OFN: budget around 1200€ (financed by OFFrance) + we will need some time from at least Enrico or Pau or Lynne or Matt
  • Then self audit and redaction of our register, with the support of Michael based on a per hour consultancy fee

Thanks @MyriamBoure, this looks great and will save a lot of time for @Oliver with the Stroudco plan.


@NickWeir @enricostn @Oliver @maxco @sigmundpetersen here is the support proposition I received from my contact in France who works specifically on GDPR transition. He knows and supports the OFN, and they want to try to help us as much as they can in a way that they kind of guide us but we do the main job, so it will result in a cheap cost for us (hopefully).

1- A phase of RGPD framing for the evolutionary maintenance of your platform (1000€)

Objectives:
Integrate the constraints of the RGPD into the specifications of future developments

Deliverables
An action plan for your platform, step by step, for the implementation of the RGPD,
Recommendations regarding the priority points of your organization

2- On-demand support for a start of compliance, with an initial credit of 3 hours (900 €)

Objectives:
Clarify the points of expertise
Answer your questions about the operational implementation of your RGPD compliance

Deliverables:
Provision of methodological guide
Telephone advice and e-mails

Happy to discuss that in Aus, but if you are happy with the plan we can start that from end of January in France. If you want to carry that from another EU entity, happy to let you take the lead on that of course, just raise your voice!

In the UK, the Information Commissioner’s Office has published guidelines which I will use to make Stroudco compliant. For us I think it will mainly consist of a privacy policy and internal procedures. A tick-box exercise because no-one will ever read it or ask for it.

I see OFN’s actions as

  • ensuring data is secure and only accessible to those who have need for it
  • ensuring data can be deleted, which isn’t the case right now
  • allowing enterprises to publish a privacy policy

@MyriamBoure I wonder if the money would better be spent on developers time rather than a consultancy which will produce guidance?

  • Produce the official register that we will have to submit yearly to the EU authority

I’m not aware there is such a requirement.


@Oliver I actually think what Stroudco needs to do is different from what OFN UK (and France) need to do. We are service providers, you are in charge of data processing… @NickWeir @lin_d_hop this is something we need to understand better (that’s why I think we need some support… sincerely I don’t feel competent on that) but both the hubs and the OFN have requirements in terms of data regulations as far as I understand… like if a hub manager exports the OFN data and puts them on a spreadsheet on his desktop, this is not compliant. And if OFN does not allow data deletion, this is not compliant. But our requirements are different.

Thanks @myriam, yes I am happy with the plan. I agree with @oliver that it is frustrating to be spending money on this when it could go towards dev work, but I also agree with Myriam that we need to be on top of this.

Thanks @Oliver - are these the guidelines you have? It would be great if you could put up here the Stroudco plan based on this so that we can offer it to other hubs. Let us know if you need help with this. Thanks very much.

Hi @NickWeir, there is other guidance specifically pointing to the new requirements from the European regulation rather than our Data Protection Act, though there is quite some overlap.

@MyriamBoure I agree. OFN is a processor and I’m a controller. OFN will mainly have to implement the technology and security. I mainly have to implement policy.
But I am curious where you get your advice from. For example here in the UK, the regulator hasn’t written anything about a European body to whom you need to send something every year. And why would it be non-compliant if I download a spreadsheet? As long as I have a procedure that makes sure the data is secure, is kept up-to-date and only for as long as is necessary etc, why would that in itself be a problem?

I think it’s important to keep things in proportion. For example Stroudco doesn’t have to appoint a Data Protection Officer or carry out a Data Protection Impact Assessment according to the UK guidelines and the same must be true for most enterprises. And I think anything that the regulation refers to as large-scale processing, profiling etc can safely be assumed to not be us, either OFN or its enterprise users.

A good starting point is the following list of rights of individuals concerning their data:
1. The right to be informed [what information is collected, how is it processed etc]
2. The right of access [we need to be able to show them what data is held]
3. The right to rectification [we need to correct any incorrect information]
4. The right to erase [we need to be able to delete information! but not necessarily provide a front-end user interface]
5. The right to restrict processing [I think this will in practice be that the hub manager tells them what processes are necessary and if the individual doesn’t like it, then they get deleted and can’t order in the future]
6. The right to data portability [not relevant to us]
7. The right to object [similar to 5]
8. Rights in relation to automated decision making and profiling. [relates to where decisions are made without human intervention]

Hi @Oliver and thank you for your investigation on that.
In fact I think we could do without consultancy on this if we take the time to read carefully all the documents. I would be happy to work with you on that if you want to team up :wink: I think I wanted to be reassured that what I understood was correct and our plan makes sense, and I didn’t want to work alone on that, but if we can pair that would be great. The person I know is a contact from OuiShare who is very involved in Open Source advocacy and also data protection and is starting an activity to support data management compliance processes for companies. But of course, if we can avoid spending money on this it’s better.
Would be great to list both the duties of the processor and the controller and compare to what OFN and hubs actually do and what needs to be changed. Like build a plan :slight_smile: This can be useful then for OFN to publish some guidance on that for other food hubs on what is their responsibility regarding their customer data, and what is the OFN responsibility and what we have set up or are setting up to be compliant.
And maybe in that process if there are really crucial points we can always ask some advice on our way.

I had started in C in this discussion to list some things but I can go again through all that and we can open a common spreadsheet on the drive for instance.
I just found this link which seems pretty useful: https://gdpr-info.eu/art-24-gdpr/

About the register, actually when re-reading the article 30 I think you are right, we don’t seem to be in the scope. If we are in the scope in France we are supposed to make the register available for the CNIL, but anyway you are right we don’t need to send it. You’re right that there is no issue in itself with uploading data in a spreadsheet, and that things need to be kept proportional. But for instance if you upload that file on drive and don’t control carefully access to the drive, I guess this is not so much of a good practice regarding the “data security”. So that can be interesting I guess for both processors and controllers to think about what they do with the data, where they are stored, is it secured, who has access, etc. And keep that in a kind of “register” I guess anyway makes sense and just prove that we have reflected on that.

Article 37, on data protection officer : “In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.” So it seems to depend on every country. On the French CNIL website they say it is “encouraged” for all.

I’m leaving on Sunday for Australia, not sure I’ll have time to work on that before but if you open a document I’m happy to work with you on that if you want.
Cheers!

I’m travelling now @MyriamBoure but will make a start while you are in Australia. Makes sense to team up. Safe travels!

Hi @MyriamBoure
This link https://gdpr-info.eu/art-24-gdpr/ was useful, thank you. It seems to confirm that what OFN needs is mainly a) to be able to technically implement the requirements of the Controller and b) some documentation such as policies and contract terms.

What seems to be lacking in OFN and which you have pointed out here already, is that we cannot properly delete data and nor can we determine (as far as I know) if any customer has been inactive for a certain number of years. The latter isn’t urgent as OFN is too young for this to be too much of a problem right now but it will become more relevant in the future. We do need to be able to delete personal data however, or, if we want to keep sales statistics, then something more complex will be needed to remove the personal element.

Thanks @Oliver and Myriam for your work on this. Please can you let me know;

  1. if you think we need to develop some policies and contract terms and if you think that we need some help with this? James Millar has a UK contact who is willing to help (for a fee) and we also have Myriam’s offer above. James and I are concerned that we need to be compliant by May 2018

  2. has anyone set up a github issue on the need to be able to delete personal data

“has anyone set up a github issue on the need to be able to delete personal data”

No, @NickWeir, but it’s not exactly a bug so github now tells me to use a “feature template”, a link that brings up an empty editor screen under the “wiki” tab. No idea what I’m meant to do with it.

I wonder if this covers it Users and admins can delete accounts / entreprises / customers / order cycles / groups

What say you @MyriamBoure? :slight_smile:

Ah yes, and thereunder is also a link to a (closed) github issue: https://github.com/openfoodfoundation/openfoodnetwork/issues/1880

Hi there, sorry for my late reply, getting my head around it here again.
You know with our new process we are deciding together as a global team about the focus we choose to prioritize.
And while we go we will be able to prioritize new things.

I know we need to move forward on that ideally before May 2016, we had not initially put it as a priority in the 2018 roadmap (so many important things we need to do!) but probably we need to see how to fit it in.

So I have listed in this first trial for a roadmap management tool two focuses to cover that need:

  • Users can delete their account themselves from the OFN
  • Enterprise users can delete information (test info or info they are not entitled to keep) and archive info they need to keep but don’t want to see.
    Both focuses need a first common step which is to enable soft delete in OFN.

I propose to discuss with the product curation team on the 21st (2018 roadmap kickoff) how to prioritize that somehow in the 2018 roadmap, and when prioritized and we are ready to start work on it we can open a more precise specification discussion (I already had done a lot so that can be a base to start with).

Does it sound good to you @Oliver?

Hi @MyriamBoure
I’m finally getting a minute to respond. My only addition to what you said would (at this stage) be that ideally the deletion of personal data should only anonymise any data held, so that the total sales data for an enterprise isn’t affected. So personal data disappears, the user account disappears, but if I run a report for how much I sold in the past, the sales to that person are still there, with the name replaced.

Also, admittedly off-topic to this thread but:
"You know with our new process we are deciding together as a global team about the focus we choose to prioritize."
It may be an idea to poll enterprises on what they think is most needed.
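The two mechanics this thread keeps returning to are the “inactive for more than three years” check (Myriam’s first post and Oliver’s note that OFN cannot determine it yet) and the idea just above that deleting a user should only anonymise personal data so that an enterprise’s sales totals survive. The following is an added illustration, not code from the OFN codebase: plain Ruby structs stand in for customer and order records, the sample data is constructed, and the placeholder formats and the soft-delete column name `deleted_at` are assumptions for the example.

```ruby
require "date"

# Constructed stand-ins for customer and order records. These are plain
# Ruby structs written for this example, not OFN's own models.
Customer = Struct.new(:id, :name, :email, :deleted_at, keyword_init: true)
Order = Struct.new(:id, :customer_id, :enterprise_id, :total, :completed_at,
                   keyword_init: true)

# Constructed sample data: three customers, two enterprises (hubs 10 and 11).
CUSTOMERS = [
  Customer.new(id: 1, name: "Alice Example", email: "alice@example.org"),
  Customer.new(id: 2, name: "Bob Example",   email: "bob@example.org"),
  Customer.new(id: 3, name: "Carol Example", email: "carol@example.org")
].freeze
ORDERS = [
  Order.new(id: 101, customer_id: 1, enterprise_id: 10, total: 25.50, completed_at: Date.new(2014, 3, 1)),
  Order.new(id: 102, customer_id: 2, enterprise_id: 10, total: 40.00, completed_at: Date.new(2017, 11, 20)),
  Order.new(id: 103, customer_id: 1, enterprise_id: 11, total: 12.00, completed_at: Date.new(2014, 6, 15)),
  Order.new(id: 104, customer_id: 3, enterprise_id: 10, total: 18.25, completed_at: Date.new(2017, 12, 2))
].freeze

# Customers (not already erased) whose most recent completed order is older
# than `years`, or who never ordered at all: the "inactive for more than
# N years" list a hub manager needs in order to decide about deletion.
def inactive_customers(customers, orders, years:, today: Date.today)
  cutoff = today << (12 * years)            # Date#<< steps back n months
  customers.reject(&:deleted_at).select do |c|
    last_order = orders.select { |o| o.customer_id == c.id }
                       .map(&:completed_at).max
    last_order.nil? || last_order < cutoff
  end
end

# Per-enterprise sales total. Orders are never removed, only the personal
# data attached to them, so this figure must not change after erasure.
def sales_total(orders, enterprise_id:)
  orders.select { |o| o.enterprise_id == enterprise_id }.sum(&:total)
end

# Erase one customer's personal data in place: name and e-mail are replaced
# by placeholders derived from the internal id (nothing about the person
# survives), and the record is soft-deleted by stamping deleted_at instead
# of dropping the row, so existing orders keep a valid customer_id.
def anonymize_customer!(customer, today: Date.today)
  customer.name  = "Deleted customer ##{customer.id}"
  customer.email = "deleted-#{customer.id}@example.invalid"  # reserved TLD, never deliverable
  customer.deleted_at = today
  customer
end

# Erase everyone inactive for more than `years`; returns the erased records.
def erase_inactive!(customers, orders, years:, today: Date.today)
  inactive_customers(customers, orders, years: years, today: today)
    .each { |c| anonymize_customer!(c, today: today) }
end

if __FILE__ == $PROGRAM_NAME
  # Demo on copies so the sample constants above stay untouched.
  customers = CUSTOMERS.map { |c| Customer.new(**c.to_h) }
  before = sales_total(ORDERS, enterprise_id: 10)
  erased = erase_inactive!(customers, ORDERS, years: 3, today: Date.new(2018, 1, 15))
  puts "erased: #{erased.map(&:name).join(', ')}"
  puts "hub 10 sales before / after: #{before} / #{sales_total(ORDERS, enterprise_id: 10)}"
end
```

Two design points are worth noting. The placeholder is built from the internal id rather than from a hash of the original name or e-mail, because a hash of a short, low-entropy value like an e-mail address can be reversed by guessing and would defeat the anonymisation. And the inactivity check is computed from order dates rather than from a last-login field, since a customer who orders through a hub manager may never log in at all.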

The GDPR becomes enforceable in May 2018, right? I think we should prioritise the work that needs to be done to comply with it.

Yes I do believe so, we do have another product curation meeting 20th March so I believe before that we will ask for feedback from the community about what they believe are the priorities (@danielle we need to plan that somehow before the 20th March, we said in the process that we would have some “dot voting process” before the curation meeting :-))
There are so many urgent/important things… we will have to decide where we accept to be a bit behind.