[Chapter-delegates] Update on GDPR Opt-in
Brandt Dainow
brandt.dainow at gmail.com
Wed May 9 06:47:31 PDT 2018
I am advising several professional membership associations on this issue
and have conferred with Ireland's Data Commissioner on this. It is
generally accepted that any organisation must hold and process some
personal data on members in order to conduct normal business and that it is
acceptable to tell people that if they don't want their details recorded,
they cannot be a member. In fact, we shouldn't even have to think about
this - it's common sense.
Brandt Dainow
Ireland
On 9 May 2018 at 13:46, Todd M. Tolbert <tolbert at isoc.org> wrote:
> Good Day Peter, thank you for your note.
>
> I appreciate your comments and thoughts on what you have seen in our
> Privacy Statement and the opt-in process all together. As you state, this
> is not an easy task for any organization and especially one that is as
> diverse as ISOC is. You've hit the nail on the head with listing that we
> have members, website visitors, those who apply for fellowships, grants,
> etc and one you didn't list; Org Member representatives. We have spent
> quite a lot of time trying to put together a privacy policy that speaks to
> all of these types of users / people while still providing the pieces we
> need to protect the organization and meet the requirements of GDPR. Again,
> not an easy task. But it is quite in line with what we advocate for in data
> handling around the world.
>
> But our commitment is the same across all. We only ask for data that we
> need to process the request or meet our side of the "bargain". The listing
> of the purposes of data are meant to give a broad feeling of why we ask for
> the data in the first place. We believe that for the types of interaction
> we have with everyone listed above, sans the website visitors, that
> maintaining some information helps us better interact with and provide
> services to those segments of our community. And in many cases, we only ask
> for the data we absolutely need to be able to contact, process or interact
> with that person.
>
> We fully respect anyone's decision to not grant the Internet Society the
> permission to store any Personal Data and will continue to advocate for and
> support that decision. To that end, we have no way to count someone as a
> member, provide them access to any of our programs, grants, online tools,
> etc, if they don't opt-in to storing personal data. I'm not sure about the
> "enforced consent" statement, as we believe we have done a lot of work to
> walk the walk that we have advocated for in this whole process.
>
> I hope this helps, and I'm happy to follow up if needed.
>
> Thank you,
> Todd
>
>
>
> On 5/8/18, 12:51 PM, "Peter Koch" <peter at denic.de on behalf of pk at ISOC.DE>
> wrote:
>
> Todd,
>
> thank you for this update.
>
> On Tue, May 08, 2018 at 02:02:33PM +0000, Todd M. Tolbert wrote:
>
> > With just two weeks left until May 25th, as of Monday morning we are
> > up to 36,300 Members who have opted-in. We will continue the emails
> > reminding folks through May 25 and then stop and do a deeper dive into the
> > data of those who have not opted-in and look to see how we can do another
> > notification / plea for action. Your help in communicating to your
> > chapters, as always, is helpful in this endeavor.
>
> First, I had not noticed the updated version (20 APR 2018), yet. It'd be great if
> the changes could be highlighted separately.
>
> I have not "opted in", yet, and also do have reservations, as a member of the
> chapter leadership, to encourage others to do so, because I am rather confused
> by ISOC's approach of "enforced consent", especially as the GDPR is mentioned
> several times in the "privacy statement". As a membership organization, it is
> clear ISOC collects my name and email address - but that is, as you explain,
> necessary for the "execution of the contract", i.e., to administer and maintain
> the membership (and therefore would suggest another justification as
> per Article 6(1)).
>
> The privacy statement then continues and is rather vague about all other kinds of data
> that might be collected for various purposes. It is unclear to me, how much of this relates
> to the vanilla membership, to visits to ISOC's website or to specific actions
> like asking for grants or project funding. It is also unclear why I'd want to
> "consent" to all of this upfront, rather than when the need arises.
>
> Among the "uses of data" (which is different from "purposes") are
>
> o Improve your engagement and interaction with other Members of our
> community.
> o Improve our engagement and interaction with you.
>
> which appear rather vague to me. Finally, the privacy statement says
>
> We or our authorized vendors may collect Technical Information that
> we do not associate with any individual Site user. This information
> includes -
> [...]
> the Internet Protocol (IP) address through which you access the
> Internet;
>
> and also refers to the "certain anonymous information". Now, we'll not solve the
> question of IP addresses as personal data here, but in total I have my doubts
> what I am "asked" to subscribe to.
>
> I appreciate it is hard to achieve GDPR compliance while still being comprehensible
> and also I'm nowhere near jealous of your task while I'd also generally trust ISOC's
> responsible handling of data. That said, an "opt in" really does not feel right.
>
> Yours confused,
> Peter (ISOC.DE)
>
>
> _______________________________________________
> As an Internet Society Chapter Officer you are automatically subscribed
> to this list, which is regularly synchronized with the Internet Society
> Chapter Portal (AMS): https://portal.isoc.org
>
--
brandt.dainow at gmail.com