Hi,  
  
Thanks to Stephan's pointer to the eugdpr.org website.  I've spent some time with this and have some comments below.  
  
First, the GDPR will apply if we let EU residents go to the Squeak websites.  Given the popularity of Squeak in the EU that means GDPR regardless of where we physically host it.  
  
Second I think we're going to run into a computer geek view of the world not agreeing with the EU view of the world.  Ie, you sent an email to a public mailing list with your full contact info that is archived forever.  What words in that last sentence did you not understand?   
  
The things I think we have to comply with are:  
  
1.  Consent.  The users have to know what they are giving us.  Cookie notifications on the main webpage and some sort of page that describes what we log for access like IP addresses, etc.  We also have to make clear how long info is stored.  So if the webserver keeps that last 30 days of IP address logs than that has to be clear.  We also have an age problem.  We will need parental consent if there are users under 16.  For the wiki, mailing lists etc we need to be clear what additional info is gathered.  This is probably the easy one.  
  
2.  Breach notification, Right to Access, and Right to be forgotten are going to be harder.  
  
The places where we collect more personal info than just IP address are for the Wiki, the Mailing lists, and the bug tracker.  In all three cases we would need to have enough info that:  
  
1.  For breach notification we can actually notify folks.  We would need to collect email addresses in all cases for that to work.  
2.  For right to access we would have to be able to show ALL the info we've kept on a particular user.  All posts to the email lists, all swiki entries, etc.  
3.  And for right to be forgotten we would have to allow users to delete ALL the data we've captured.  All swiki entries, all archived email, etc.  This is probably the hardest.  
  
For number 2, the right to access, would all be easiest if the wiki, email and bug trackers had a unified account, but, it probably would be ok if one had three accounts.  None the less you have to be able to see all your entries in all three.  
  
Number 3 is the trickiest especially with the mailing list archive.  People's postings and signatures get copied into other threads and other's emails.   It might be hard to keep the archives in that case.  Getting this one right starts sounding like an AI research problem.  
  
Someone asked about the DPO (Data Protection Officer).  The way I read [http://www.eugdpr.org/gdpr-faqs.html](http://www.eugdpr.org/gdpr-faqs.html) is no, we do not need this.There are other issues but I think these are the most important.  
  
NB:  I am not an expert, though I do spend some time professionally on this, and, will be spending more time in the future.  This advice is worth every centime you've paid for it as well.  
  
cheers  
  
bruce  
  
  
  


  

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squeakfoundation.org/pipermail/squeak-dev/attachments/20171015/1803cafc/attachment.html>