GDPR and open source: impact and consequences

GDPR in a nutshell

The goal of the GDPR is to protect the personal data (i.e. any information which relates to someone who can be identified) of individuals on the EU's territory in a world, where data is gaining an increasing role in every aspect of our lives. It applies to any corporate entity (including outside the EU) who stores and processes data from any citizen of the EU.

GDPR and open source

While most online articles covering the GDPR deal with companies selling goods or services, this territorial scope can also be viewed with open source projects in mind. There are a few variations, such as a software company (profit) running a community, and a non-profit organization, i.e. an open source software project and its community. Once these communities are run on a global scale, the chances are high that EU-based persons are taking part in this community.

When such a global community has an online presence, using platforms such as a website, forum, issue tracker etc., it is very likely that they are processing personal data of these EU persons, such as their names, e-mail addresses and possibly even more. These activities trigger a need to comply with the GDPR.

Consent

Let's assume that one such community uses a forum for its members, and also has forms on their website for registration purposes. Once the GDPR becomes effective, the forum owner will no longer be allowed to use one lengthy and illegible privacy policy and terms of conditions. For each of the specific purposes personal data is collected for, the forum owner or operator will need to obtain explicit consent from the users. This consent must be "freely given, specific, informed, and unambiguous." It should be noted that the regulation is concerned with individuals, not companies.

One option to make this form compliant with GDPR is to have a checkbox, which should not be pre-checked, with clear text indicating for which purposes the personal data is used, preferably linking to an "addendum" of the existing privacy policy and terms of use.

Breach notification

Under the GDPR, a data breach occurs whenever personal data is taken or stolen without the authorization of the data subject. Once discovered, the affected community members must be notified within 72 hours unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The only excuse to delay is if the notification would hamper a law-enforcement investigation.

Right to access

One of the rights the GDPR gives to EU citizens is ask an organization if, where and which personal data is processed. Upon request, they should be provided with a copy of this data, free of charge, and in an electronic format if this data subject (e.g. EU citizen) asks for it.

Right to be forgotten

Another right EU citizens get through the GDPR is the "right to be forgotten," also known as data erasure. This means that when personal data is no longer needed for the purpose for which it was originally gathered for, data subjects can get the data controller to delete their personal data and cease its transmission.

With this in mind, any open source project, organization or community should secure specific features such as obtaining and storing consent, extracting data and providing a copy in electronic format to a data subject, and finally the means to erase specific data about a data subject.

Maintain records

Under the GDPR, every organization should keep a register with detailed descriptions of all procedures, purposes etc. for which it processes personal data. This register will act as proof of the organization's compliance with the GDPR’s and will be used for audit purposes.

Penalties

Organizations that do not comply with the GDPR risk fines up to 4% of annual global turnover or €20 million (whichever is greater). According to the GDPR, "this is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts."