[Chapter-delegates] Update on GDPR Opt-in

Todd M. Tolbert tolbert at isoc.org
Wed May 9 05:46:37 PDT 2018


Good Day Peter, thank you for your note.

I appreciate your comments and thoughts on what you have seen in our Privacy Statement and the opt-in process altogether. As you state, this is not an easy task for any organization and especially one that is as diverse as ISOC is. You've hit the nail on the head with listing that we have members, website visitors, those who apply for fellowships, grants, etc. and one you didn't list: Org Member representatives. We have spent quite a lot of time trying to put together a privacy policy that speaks to all of these types of users / people while still providing the pieces we need to protect the organization and meet the requirements of GDPR. Again, not an easy task. But it is quite in line with what we advocate for in data handling around the world.

But our commitment is the same across all. We only ask for data that we need to process the request or meet our side of the "bargain". The listing of the purposes of data is meant to give a broad feeling of why we ask for the data in the first place. We believe that for the types of interaction we have with everyone listed above, sans the website visitors, that maintaining some information helps us better interact with and provide services to those segments of our community. And in many cases, we only ask for the data we absolutely need to be able to contact, process or interact with that person.

We fully respect anyone's decision to not grant the Internet Society the permission to store any Personal Data and will continue to advocate for and support that decision. To that end, we have no way to count someone as a member, provide them access to any of our programs, grants, online tools, etc., if they don't opt-in to storing personal data. I'm not sure about the "enforced consent" statement, as we believe we have done a lot of work to walk the walk that we have advocated for in this whole process.

I hope this helps, and I'm happy to follow up if needed.

Thank you,
Todd



On 5/8/18, 12:51 PM, "Peter Koch" <peter at denic.de on behalf of pk at ISOC.DE> wrote:

    Todd,
    
    thank you for this update.
    
    On Tue, May 08, 2018 at 02:02:33PM +0000, Todd M. Tolbert wrote:
     
    > With just two weeks left until May 25th, as of Monday morning we are up to 36,300 Members who have opted-in. We will continue the emails reminding folks through May 25 and then stop and do a deeper dive into the data of those who have not opted-in and look to see how we can do another notification / plea for action.  Your help in communicating to your chapters, as always, is helpful in this endeavor.
    
    First, I had not noticed the updated version (20 APR 2018), yet.  It'd be great if
    the changes could be highlighted separately.
    
    I have not "opted in", yet, and also do have reservations, as a member of the
    chapter leadership, to encourage others to do so, because I am rather confused
    by ISOC's approach of "enforced consent", especially as the GDPR is mentioned
    several times in the "privacy statement".  As a membership organization, it is
    clear ISOC collects my name and email address - but that is, as you explain,
    necessary for the "execution of the contract", i.e., to administer and maintain
    the membership (and therefore would suggest another justification as per Article 6(1)).
    
    The privacy statement then continues and is rather vague about all other kinds of data
    that might be collected for various purposes.  It is unclear to me, how much of this relates
    to the vanilla membership, to visits to ISOC's website or to specific actions
    like asking for grants or project funding. It is also unclear why I'd want to
    "consent" to all of this upfront, rather than when the need arises.
    
    Among the "uses of data" (which is different from "purposes") are
    
    o Improve your engagement and interaction with other Members of our community.
    o Improve our engagement and interaction with you.
    
    which appear rather vague to me.  Finally, the privacy statement says
    
      We or our authorized vendors may collect Technical Information that we do not associate with any individual Site user. This information includes -
     [...]
    	the Internet Protocol (IP) address through which you access the Internet;
    
    and also refers to the "certain anonymous information".  Now, we'll not solve the
    question of IP addresses as personal data here, but in total I have my doubts
    what I am "asked" to subscribe to.
    
    I appreciate it is hard to achieve GDPR compliance while still being comprehensible
    and also I'm nowhere near jealous of your task while I'd also generally trust ISOC's
    responsible handling of data.  That said, an "opt in" really does not feel right.
    
    Yours confused,
        Peter (ISOC.DE)
    