General Data Protection Regulation : action plan proposition

Following a debate at the OFN UK board meeting last week, three of us (including an OFN UK director) did the online self-assessment test here and all of us got the result that OFN UK does not need to register for GDPR.

However we do want to develop a privacy policy. Has anyone developed an OFN privacy policy already? @MyriamBoure @CynthiaReynolds @enricostn If not then we will draft one and you are all welcome to translate it.

Please let me know by Monday 7th May otherwise we will get started on the draft.
Thanks
Nick

@NickWeir yes we do not need to register and as we don’t manage any sensitive data we don’t need to have a data officer, etc. BUT we still need to comply with the law, which as a data processor is:

  • to enable the data controller to do what he is required to do (= delete user data if the user asks for it, delete data older than X years, delete data for users that have been inactive for a long period of time (3 years if I remember well)…)
  • to require user agreement for trackers (cookies)
    Cookies work has been prioritized for Q2 and we have started to work on a first UX / legal inception with @Rachel and a French lawyer (https://github.com/openfoodfoundation/openfoodnetwork/issues/2242), we will submit it to the community in the coming days and then run a proper inception with devs to plan implementation.
    For the other point we will probably prioritize later, but it’s not as urgent as we can always delete in database if required and we have not yet reached the legal conservation periods (6 or 7 years usually for trade related documents).

Actually @NickWeir we have an example of a “privacy policy” in France, our plan is to write a similar page in the “about” section about what we do with users data, and this will also be linked in the cookie agreement banner. https://docs.google.com/document/d/1ghR8k07xSKgYs8f_gnSfwdu4ZvSLsyupwnnv0PnCosw/edit?usp=sharing (this one has been written by the French lawyer who supports us, but it’s in French obviously)

Thanks @MyriamBoure

Yes I agree that we need to sort out deletions and cookies. Thank you very much for starting the balls rolling for this.

I have google translated your privacy statement and will have a go next week at producing an English version.

Just to be clear @NickWeir this document is not the privacy policy of Open Food France but the one of another French entity whose lawyer is supporting us. So we can get inspired but we need to adapt as well. We are also going to work on that in France in the coming weeks so maybe we can share the results of our respective works!

Thanks @MyriamBoure here is our first draft which I started today. It would be great to have comments/suggestions/edits from anyone interested. Ping @Oliver @CynthiaReynolds . Please ping on :slight_smile:

@NickWeir I reckon it’s the shop that needs a privacy policy, not OFN.

OFN needs contracts with the enterprises: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/contracts/

Thanks everyone for your help. OFN UK now has a privacy policy which links to our updated terms of service. The change to the terms of service is this addition as the last main bullet under 'responsibilities of contributors' - section 2:

"You will conform to the regulations of the General Data Protection Regulation including (but not restricted to) the following:

  • Inform your customers what information you collect about them and how it is processed.
  • Give your customers the right to restrict that processing.
  • Give your customers access to their data and agree to correct any incorrect information.
  • Erase customer data if they request deletion."

Both of these docs are still draft at the moment but we will link them from the about page.