What personal data does FAQ store?
In GraphCool
Here is the data the app stores that can identify a person directly:
- User.email
- User.familyName
- User.givenName
- User.name
- User.picture
Here is the data the app stores that can identify a person indirectly:
- User.id, as long as it's associated with one of the direct identifiers
- Answer.user, Question.user and Flag.user, through User.id
- User.auth0UserId, through Auth0's data
That makes every single piece of data in the app personal data that falls under the GDPR. 😝
Fortunately, removing the direct identifiers would make that data pseudonymized. Further removing User.auth0UserId would make it fully anonymized.
In Algolia
It looks like no personal identifiers are sent to Algolia.
Making FAQ compliant
Reducing the number of identifiers
If you can do without givenName and familyName, then remove them and use name only.
Consent
FAQ must ask for consent before storing the direct identifiers. It must display one checkbox (unchecked by default) for each direct identifier and explain how the app will use that identifier. It must not store anything the user has not consented to, and the app must still work without that data. The app must record what a user has consented to, along with when and how. It must ask for consent even from users whose data it already holds, and it must erase that data if the user does not give consent.
Transparency
Add a profile page where the user can:
- view and revoke any consent they've given at an earlier time;
- view and change any of the 5 direct identifiers;
- view all questions, answers, and flags that they are linked to;
- download all of their personal data (direct identifiers, questions, answers, flags);
- unlink themselves from questions, answers and flags that they are linked to;
- make the app "forget" everything about them.
About forgetting a user
Forgetting a user does not have to mean removing the questions they have asked. It means the questions/answers/flags can no longer be traced back to that user. So it would be enough to keep the row in the User table but remove all fields except the id. However, it would still be possible to collect the questions, answers and flags linked to the same id, and together they might give some indication of who that person is, so it would be best to actually remove the row in the User table and clear the value of the user column on the questions/answers/flags.
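As an added example (not the FAQ project's own code), here is a JavaScript sketch of the three levels of erasure discussed above (pseudonymization, full anonymization, and "forgetting") over an in-memory stand-in for the GraphCool types User, Question, Answer and Flag; the `db` shape and the sample rows are constructed assumptions.

```javascript
// Direct identifiers named in the issue; everything else on User is indirect.
const DIRECT_IDENTIFIERS = ['email', 'familyName', 'givenName', 'name', 'picture'];

// Constructed sample data standing in for GraphCool rows (assumed shape).
function sampleDb() {
  return {
    users: [{ id: 'u1', auth0UserId: 'auth0|abc', email: 'ann@example.org',
              familyName: 'Doe', givenName: 'Ann', name: 'Ann Doe',
              picture: 'https://example.org/ann.png' }],
    questions: [{ id: 'q1', user: 'u1', title: 'How do I reset my password?' }],
    answers: [{ id: 'a1', user: 'u1', text: 'Use the link in the footer.' }],
    flags: [{ id: 'f1', user: 'u1', reason: 'duplicate' }],
  };
}

// Pseudonymization: drop the direct identifiers but keep id and auth0UserId.
// The row can still be re-identified through Auth0, so it is still personal data.
function pseudonymizeUser(user) {
  const copy = { ...user };
  for (const field of DIRECT_IDENTIFIERS) delete copy[field];
  return copy;
}

// Anonymization: additionally drop the Auth0 link, leaving only the opaque id.
function anonymizeUser(user) {
  const copy = pseudonymizeUser(user);
  delete copy.auth0UserId;
  return copy;
}

// "Forgetting": remove the User row and clear the user column on every
// linked row, so the content survives but can no longer be grouped by author.
// Returns a new db object; the input is left untouched.
function forgetUser(db, userId) {
  const next = { ...db, users: db.users.filter((u) => u.id !== userId) };
  for (const table of ['questions', 'answers', 'flags']) {
    next[table] = db[table].map((row) =>
      row.user === userId ? { ...row, user: null } : row);
  }
  return next;
}

// Verification step for the "forget me" flow: count every remaining reference
// to the user, both the User row itself and the user column on linked rows.
function referencesTo(db, userId) {
  const userRow = db.users.some((u) => u.id === userId) ? 1 : 0;
  return ['questions', 'answers', 'flags'].reduce(
    (n, t) => n + db[t].filter((r) => r.user === userId).length, userRow);
}
```

Running `referencesTo` after `forgetUser` is the check that nothing still points at the user; a non-zero result means a table was missed.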
Iterative implementation
This is only meant to be a tentative guideline.
- make a read-only profile page: Read-only profile page #53
- eliminate the need to store given name and family name
- make the profile page downloadable
- make the identity block of the profile page editable
- allow the user to unlink themselves from an action in their profile log
- allow the user to remove all their data
- consent-related work will come later
That's all for now. It might not be 100% accurate or complete. I'll keep this top post updated.
cc @elenoir