Update on Privacy and GDPR Compliance
Respecting users’ privacy and ensuring a safe experience on Disqus
Now, with the General Data Protection Regulation (GDPR) set to take effect on May 25th, we want to share an update on our work to comply with the new regulation and to ensure that the users and publishers who use Disqus can continue to do so with confidence. With these updates we intend to improve the experience for users on Disqus, rather than simply check off compliance boxes. Although GDPR applies only to data collected from persons located in the European Union, our plans focus on network-wide improvements and new functionality for all Disqus users. Currently, users with Disqus accounts can update their settings to.
When a user is in Privacy Mode, Disqus will not collect or process any personal data, as defined by GDPR. Where we do not have a lawful basis for processing personal data, we will apply Privacy Mode to requests from IP addresses associated with an EU country. Today, users can delete their Disqus account by following the instructions at this link: Delete My Disqus Account. As part of our updates, we will implement new procedures to obtain consent, where needed, from Disqus users located in the EU for the collection of personal data, both for processing by Disqus and, where applicable, by third parties.
What publishers should know and how these updates will impact them
In almost all cases, unless a publisher integrates Disqus with their own user management system through Single Sign-On (SSO), users sign up and log in to comment through Disqus.
We require publishers who use SSO to obtain consent from users for the collection and processing of their data, including processing by Disqus for posting comments. Disqus itself only obtains consent from users for the collection and processing of the data necessary to use Disqus. As part of our compliance updates, we will no longer use unique identifiers for analytics or any other purpose for users in Privacy Mode.
Why the GDPR email deluge, and can I ignore it?
GDPR, the General Data Protection Regulation, has been described as the biggest overhaul of online privacy since the birth of the internet. It is designed to give all EU citizens the right to know what data is stored about them and to have it deleted, and to protect them from privacy and data breaches. The new rules bolster the requirement for explicit and informed consent before data is processed; typically, individuals are being asked to give explicit permission for a company to continue emailing them and holding their data. The European Union’s new, stronger, unified data protection law comes into force on 25 May 2018, after more than six years in the making.
The new laws govern the processing and storage of EU citizens’ data, both data given to companies and data observed by companies about people, whether or not the company has operations in the EU. They state that data protection should be by design and by default in any operation. To ensure companies comply, GDPR also gives data regulators the power to fine up to €20m or 4% of annual global turnover, which is several orders of magnitude larger than previous possible fines. Data breaches must be reported to a data regulator within 72 hours, and affected individuals must be notified unless the stolen data is unreadable, i.e. strongly encrypted. The regulation restricts the way businesses collect, store and move people’s personal data.
It applies to all companies that process the personal data of people located within the EU. Personal data includes your name, photo, email address, IP address, bank details, posts on a social networking site, medical information, biometric data and sexual orientation. Under GDPR, people get expanded rights to obtain the data a company has collected about them. If a company suffers a data breach, it must report it to the relevant authority within 72 hours.
Workplace and GDPR – Workplace Stories
Many of the principles build upon the data protection rules currently in place within the EU, but GDPR also expands current data protection law and places some new requirements on companies. Workplace Premium customers act as data controllers and appoint Facebook as a data processor under the Workplace agreement. In Workplace Standard, Facebook is the data controller and is responsible for the processing of Workplace Standard users’ data.
We understand that GDPR requires Workplace Premium customers to engage data processors that provide appropriate safeguards and an appropriate level of security, so as to ensure the level of protection for personal data required by the new regulation. GDPR applies to all EU data subjects, so it will apply to all companies and organizations that have EU citizens as part of their business or organization, and to all companies processing the personal data of subjects residing in the European Union, regardless of the company’s location. The data processing addendum will ensure that you can continue to use Workplace in compliance with GDPR by providing the undertakings which we, as the data processor, must provide you under Article 28(3).
In relation to user rights specifically, you as the data controller are responsible for compliance with your GDPR obligations. Access: admins can use the Workplace APIs to provide access to the personal data held about any user, should you receive a subject access request, and to port this data if required. We have certified Workplace Premium under Privacy Shield for the required data transfers outside of the EU. Security and data privacy are principal concerns of Workplace, as noted and explained in our information on Security on Workplace and in the Trust Center.