How to cater for GDPR?

General discussion of Mantis.

ajtruckle
Posts: 69
Joined: Oct 16, 2011 2:21 am

How to cater for GDPR?

Post by ajtruckle » Apr 23, 2018 9:34 am

GDPR is coming into force on May 25th 2018.

What steps are being taken for us to take note of this?

ajtruckle
Posts: 69
Joined: Oct 16, 2011 2:21 am

Re: How to cater for GDPR?

Post by ajtruckle » Apr 24, 2018 1:41 pm

No comments on this serious matter?

Thanks.

Starbuck
Posts: 180
Joined: Feb 13, 2006 9:53 pm
Location: USA

Re: How to cater for GDPR?

Post by Starbuck » Apr 25, 2018 1:56 pm

The GDPR allows for server logs to be kept for security and administration purposes. Our responsibility to end users is to advise them of exactly what data is being saved and why. It's the user's responsibility to decide if they want to continue using our services with the information we have provided.

The MantisBT profile includes a field for Real Name and email address but this data isn't used anywhere and can be easily changed by users. So this software doesn't have any feature that is subject to the GDPR.

Now, if your installation requests, gathers, and uses personal information for any purpose, you do need users to consent to data usage for that purpose. Outside of that, if you're not using data for any purpose then there's nothing to worry about.

What about when a user leaves your services and asks for their data to be deleted? You are allowed to maintain a record of transaction history, but not to use that as a source for user profiling outside of that historical context.

What else are you concerned about with this software?

ajtruckle
Posts: 69
Joined: Oct 16, 2011 2:21 am

Re: How to cater for GDPR?

Post by ajtruckle » Apr 25, 2018 2:02 pm

Sounds good to me. 😀

samtuke
Posts: 5
Joined: Jul 28, 2010 4:48 am

Re: How to cater for GDPR?

Post by samtuke » May 24, 2018 6:00 am

I think you're overlooking some other obligations / user rights.

The right to access allows users to get a portable (machine readable) copy of all data stored on them. Mantis has no facility built for this, e.g. in the user pages so they can export it themselves. Adding a button to export 100% of data stored on the user, so that they can manage this themselves, seems to be the best solution.

A temporary workaround would be the writing of an SQL query which could be manually executed with a given user's ID, to export the data to a file. That file could then be sent to the user. I don't suppose anyone already has such a query on file?

mushu
Posts: 145
Joined: Jan 04, 2017 12:41 pm

Re: How to cater for GDPR?

Post by mushu » May 30, 2018 11:28 am

The GDPR is terrible. Here is a response from one small business that cannot comply, and is telling all EU people not to use his services any more because of these things he cannot do which the GDPR requires. The best he can do is post a message on his website that asks EU people to not use his services, since it is in violation to look at their IP Address to see if they are in the EU or not:

* "Appoint a representative within the EU - "If you have a business outside of the EU and you collect data on EU citizens, you should assign a representative in one of the member states for your business. This person should handle all issues related to processing. In particular, a local authority should be able to contact this person." - This is the first year I could financially justify hiring an accountant - I can't financially justify hiring another professional just to handle GDPR stuff.

* "Accept a $20M euro penalty if I can't prove that my users didn't consent to my GDPR compliant privacy policy.

* "Be able to prove who has ever seen any of the data I collect.

* "Not transfer data outside of the EU to countries that offer "an appropriate level of protection" - man, what does that even mean. I'm positive the EU doesn't consider the US to have "appropriate protection" for user data, and that's exactly where all of my data is stored.

* "Ask for consent every time I start processing a person's information. This makes it illegal for me to do something like send an email to users who have never received a file offering some help to get their account setup without: a.) asking for their permission to send them that email, and b.) being able to prove that they consented to their data being used for decisions like that.

All of this is to show how poorly-written the GDPR is, and to submit that perhaps the best thing to do is allow for a message on the homepage of every MantisBT installation of the administrator's choice, and hope for the best.

ajtruckle
Posts: 69
Joined: Oct 16, 2011 2:21 am

Re: How to cater for GDPR?

Post by ajtruckle » May 30, 2018 12:41 pm

Well ...

1. We only store what we need to in the database.
2. There should be a setting to anonymise the IP address (for existing and future content).
3. There could be an enhanced cookie feature (I have noticed this on some sites). Basically they show the things collected by the website and you can tick what bits you want to permit.
4. Put the reminder notices at the bottom of the report issue and add note comments.
5. Provide a way to extract all personal data for a user (as they can ask me for that on request).
6. Provide a way to delete all personal data for a user (they have the right).
7. Beyond the above the rest is in the hands of us. That is, keeping our database secure, and any backups of the database.

Those are my thoughts.
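Two of the suggestions in this thread are concrete enough to sketch: samtuke's per-user export query (the right of access) and ajtruckle's points 2, 5 and 6 (anonymise IP addresses, extract all of a user's data, delete it on request). The following is an added example written for this page; it is not MantisBT code and not something any poster supplied. It assumes MantisBT's default table prefix and a constructed subset of its schema (`mantis_user_table`, `mantis_bug_table`, `mantis_bugnote_table` with only a few columns each) held in an in-memory SQLite database with constructed sample rows, so it runs offline. The table-to-column map `USER_REFERENCES` is an assumption a real deployment would have to complete for every column that references a user id.

```python
import ipaddress
import json
import sqlite3

# Tables that carry a user reference and the columns that point at the user.
# Constructed subset of MantisBT's default schema (assumed prefix "mantis_");
# a real export must enumerate every column that references mantis_user_table.id.
USER_REFERENCES = {
    "mantis_user_table": ("id",),
    "mantis_bug_table": ("reporter_id", "handler_id"),
    "mantis_bugnote_table": ("reporter_id",),
}


def build_sample_db():
    """Create an in-memory database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE mantis_user_table (
            id INTEGER PRIMARY KEY, username TEXT, realname TEXT, email TEXT);
        CREATE TABLE mantis_bug_table (
            id INTEGER PRIMARY KEY, reporter_id INTEGER, handler_id INTEGER, summary TEXT);
        CREATE TABLE mantis_bugnote_table (
            id INTEGER PRIMARY KEY, bug_id INTEGER, reporter_id INTEGER, note TEXT);
        INSERT INTO mantis_user_table VALUES (1, 'alice', 'Alice Example', 'alice@example.test');
        INSERT INTO mantis_user_table VALUES (2, 'bob', 'Bob Example', 'bob@example.test');
        INSERT INTO mantis_bug_table VALUES (10, 1, 2, 'Login page shows stack trace');
        INSERT INTO mantis_bug_table VALUES (11, 2, 1, 'Export button missing');
        INSERT INTO mantis_bugnote_table VALUES (100, 10, 1, 'Reproduced on 2.x');
        INSERT INTO mantis_bugnote_table VALUES (101, 11, 2, 'Assigned to alice');
    """)
    return conn


def export_user_data(conn, user_id):
    """Right of access: every row in which the user appears, keyed by table.

    Table and column names come only from the fixed map above; the user id is
    bound as a parameter, so nothing from the request is spliced into SQL text.
    """
    export = {}
    for table, columns in USER_REFERENCES.items():
        rows = {}
        for column in columns:
            for row in conn.execute(
                f"SELECT * FROM {table} WHERE {column} = ?", (user_id,)
            ):
                rows[row["id"]] = dict(row)  # a row matched via two columns is kept once
        export[table] = [rows[key] for key in sorted(rows)]
    return export


def export_user_json(conn, user_id):
    """Machine-readable (portable) form of the export."""
    return json.dumps(export_user_data(conn, user_id), indent=2, sort_keys=True)


def anonymise_ip(ip_text):
    """Truncate an address so it no longer identifies a single host.

    IPv4 keeps the first 24 bits (192.0.2.55 -> 192.0.2.0); IPv6 keeps the
    first 48 bits. Malformed input raises ValueError rather than being stored.
    """
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def pseudonymise_user(conn, user_id):
    """Erasure request: clear the identifying profile fields but keep the account
    row, so issues and notes stay attributed to a placeholder instead of a person
    (the transaction history the thread says may be retained)."""
    placeholder = f"deleted-user-{user_id}"
    conn.execute(
        "UPDATE mantis_user_table SET username = ?, realname = '', email = '' WHERE id = ?",
        (placeholder, user_id),
    )
    conn.commit()
    return conn.execute(
        "SELECT username, realname, email FROM mantis_user_table WHERE id = ?",
        (user_id,),
    ).fetchone()


if __name__ == "__main__":
    db = build_sample_db()
    print(export_user_json(db, 1))
    print(anonymise_ip("192.0.2.55"), anonymise_ip("2001:db8:abcd:1234::1"))
    print(tuple(pseudonymise_user(db, 1)))
```

The export walks a fixed map rather than taking table names from the request, and de-duplicates rows that match through more than one column (a bug the user both reported and handles). Pseudonymisation rather than a hard `DELETE` keeps referential integrity for existing issues and notes; whether that satisfies a given erasure request is a decision for the installation's operator, not something the code can settle.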

samtuke
Posts: 5
Joined: Jul 28, 2010 4:48 am

Re: How to cater for GDPR?

Post by samtuke » May 30, 2018 1:41 pm

@ajtruckle Great summary. +1
