GDPR Compliance

[asaph26]

Is there any plan on the roadmap for GDPR compliance?

[axtho]

No, not yet. But we must. Did you do something on your side yet? Care to share? :)

[asaph26]

Not yet. Will update the issue with the roadmap that we come up with

[axtho]

starting points:

• https://www.smashingmagazine.com/2017/07/privacy-by-design-framework/
• https://jaxenter.com/gdpr%E2%80%8A-%E2%80%8Adesigning-privacy-data-protection-138481.html

[axtho]

ToDo list for compliance (WIP):

• HTTPS only
• encrypt the jwt with a public/private key (RS256 encryption)
• encrypt interactions using the same RSA token (http://www.yiiframework.com/doc-2.0/guide-security-cryptography.html)
• offline storage encryption?
• Profile page: add "forget me" button to let the user set a delete me flag. Admins need to delete such a user completely, not relations or logs may remain
• Process for "forget me" request (via email)
• Process for "gathered info" request (via email)
• Privacy policy section in footer

more to come.

[axtho]

@asaph26 have you looked into offline storage? Reading the GDPR material one gets the feeling that saving person related data offline (localStorage, etc) would be disallowed. I have also chatted to another project lead that said the same thing. Have you heard anything of this?