I thought I would create this little post to explain what data we hold for all our visitors and what we actually do with it:
Firstly, what data does Volcanocafe hold for each user?
We hold virtually no data for each of our users, save the email address used for registering and the IP address that was used when the account was last accessed. Should anyone decide to visit their profiles and fill in the blanks (Name and such) then obviously, that data is stored in our database.
Who has access to this data?
We have a limited admin team with the necessary permissions to be able to see any personally identifiable information. As part of the WordPress environment, user’s email address and IP address are logged whenever a comment is made, this allows us to take care of troublemakers by banning IP addresses and email addresses.
There is also a security log that keeps our back end secure and to trace any problems encountered. This logs any activity on the site, so when you log in an entry is made in the log with your ip and email address are logged along with the time and date you accessed it, for accounts with higher privileges (Carl, Albert, Geolurking, et al), this data includes any activity done behind the scenes.
Our database is stored outwith our WordPress installation, in a password protected MySQL database held by our webhost. User’s passwords are held encrypted in this same database.
Access to this database is extremely limited, even most of the admins are unable to access it.
What do we use the data for?
Volcanocafe does not serve advertisements to our audience nor is the user database sold or used in any other way. The only reason we insist on users being registered at all, is to help combat the unnecessary chatter by spam bots and to distinguish between users.
I found a helpful website that takes us through the 10 Key GDPR requirements, so let me go through these 10 points and address them one by one.
1) Lawful, fair and transparent processing
- Lawful means all processing should be based on a legitimate purpose.
- Fair means companies take responsibility and do not process data for any purpose other than the legitimate purposes.
- Transparent means that companies must inform data subjects about the processing activities on their personal data.
As I have stated above, we don’t use or process our user data in anyway other than the logging of email addresses through registration and commenting on the site.
2) Limitation of purpose, data and storage
- forbid processing of personal data outside the legitimate purpose for which the personal data was collected
- mandate that no personal data, other than what is necessary, be requested
- ask that personal data should be deleted once the legitimate purpose for which it was collected is fulfilled
None of our team will use this data to contact anyone. If a user has a requirement for contacting an admin directly for any reason, then initial contact is made through our official email address firstname.lastname@example.org and we will forward the email onto the admin required. This gives traceability that there is a genuine reason for the admin to be given your contact information.
3) Data subject rights
- The data subjects have been assigned the right to ask the company what information it has about them, and what the company does with this information. In addition, a data subject has the right to ask for correction, object to processing, lodge a complaint, or even ask for the deletion or transfer of his or her personal data.
Our security system automatically deletes users that have created an account, and never commented (after 30 days), this ensures we don’t keep records of all our visitors and anyone who HAS commented and has an account with us, can request that we delete all the data we have.
NOTE: anyone who requests this, please be aware this will remove ALL data from our site, including posts and comments.
- As and when the company has the intent to process personal data beyond the legitimate purpose for which that data was collected, a clear and explicit consent must be asked from the data subject. Once collected, this consent must be documented, and the data subject is allowed to withdraw his consent at any moment.
- Also, for the processing of children’s data, GDPR requires explicit consent of the parents (or guardian) if the child’s age is under 16.
As previously mentioned, we don’t process any data in anyway except the logging of IP addresses and Email addresses. We don’t serve advertisements on the site, should this ever change (it won’t) then permission for use of this data will be sought.
5) Personal data breaches
The organisations must maintain a Personal Data Breach Register and, based on severity, the regulator and data subject should be informed within 72 hours of identifying the breach.
We maintain a security log on site, which allows us to monitor the database and any accessing of it. Should we ever discover a breach in the site, then this will be logged, and users notified.
6) Privacy by Design
- Companies should incorporate organisational and technical mechanisms to protect personal data in the design of new systems and processes; that is, privacy and protection aspects should be ensured by default.
Only admin and moderators can access our database or comment logs, this ensures that user details are kept from the general public, we also maintain a firewall and security suite to protect the site.
If anyone suspects that their data has been accessed without their permission, then you must contact us at email@example.com ASAP, so we can investigate.
7) Data Protection Impact Assessment
- To estimate the impact of changes or new actions, a Data Protection Impact Assessment should be conducted when initiating a new project, change, or product. The Data Protection Impact Assessment is a procedure that needs to be carried out when a significant change is introduced in the processing of personal data. This change could be a new process, or a change to an existing process that alters the way personal data is being processed.
As it stands, no major reworking of the way our site is run is planned and should this occur, we will undertake this assessment and notify users in advance.
8) Data transfers
- The controller of personal data has the accountability to ensure that personal data is protected and GDPR requirements respected, even if processing is being done by a third party. This means controllers have the obligation to ensure the protection and privacy of personal data when that data is being transferred outside the company, to a third party and / or other entity within the same company.
No user data is used in anyway outside of the Volcanocafe environment.
9) Data Protection Officer
- When there is significant processing of personal data in an organisation, the organisation should assign a Data Protection Officer. When assigned, the Data Protection Officer would have the responsibility of advising the company about compliance with EU GDPR requirements.
We do not do significant processing of personal data, so it seems a bit overkill for us to appoint someone specifically in this task.
10) Awareness and training
- Organisations must create awareness among employees about key GDPR requirements, and conduct regular trainings to ensure that employees remain aware of their responsibilities with regard to the protection of personal data and identification of personal data breaches as soon as possible.
I suppose this will also constitute awareness and training for the admin team also.
I hope this was not too dry for everyone. I realise everyone will be getting sick to death of hearing about the GDPR, but we felt it was necessary for us to try and explain how this legislation applies to us and how we run the blog. If you have any questions or concerns regarding your data, then please don’t hesitate to contact us via our email address and we’ll get back to you.
Now some non GDPR related news regarding Volcanocafe and the Volcanocafe Facebook group:
During the recent Hawaiian activity and as happens with any large volcanic activity, we have seen a large jump in users visiting.
Our Facebook group recent hit 2500 members and as I write this we stand at 2600 members. We could have had many more, but each member is vetted prior to being allowed access and if the profile doesn’t fit our normal sort of visitor, then they are politely declined.
Staying with Facebook, we have a new member of our moderation team with Jonet Greene helping us keep the place clear of unwanted comments and making sure the members adhere to Rule #1 (be nice).
Moving to our Twitter account, we continue to slowly grow our audience with an unsettling 666 followers, whilst this might not seem a large amount, our last 28 days activities has seen our posts appear in the newsfeed of 12k users, through retweets and people liking our posts.
The main site has also seen a jump in visitors, jumping from around 3.5k weekly unique visitors to around 5k and a peak of over 13k on the 14th of May. This increase in traffic also seen us reach a large milestone on the blog, with over 2 million views of the blog and over 300k unique visitors to the site.
You may have noticed we have had a couple of outages on the website, this was caused by a security hole that allowed someone to upload a piece of malicious software to the site, which took pleasure in taking us offline. I feel this was not a targeted attack, but one that scanned for security holes and unfortunately found one. This hole has now been plugged and our back end security beefed up somewhat.
During this process, we have also moved to an entirely HTTPS (secure browser protocol), which provides another layer of protection to the site with traffic now encrypted. Prior to this, the landing page was the old HTTP (unsecure) format, but secured for any links clicked after the initial landing page (log in has always been secured).