GDPR status update


Andrew van der Stock

Dec 7, 2021, 3:34:57 PM
to Global-board
Hi Board,

Back in the September board meeting, IIRC Martin asked if I could provide the Board with a GDPR privacy update. I am currently going through this process now that we have a bit of clear air. I will present this as a confidential report to the Board at the December Board meeting with a public presentation, with a list of identified actions to be undertaken in 2022. However, one issue will not wait and I will progress it immediately because it will take some time to resolve.

The very first step of this process is to identify if we have an approved and published privacy policy, so that I can validate that it is up to date, accurate, effective, contains relevant GDPR requirements, and in use. Our privacy policy has been in draft since December 2019. It is not approved - and actually I am glad of this oversight for reasons that will become apparent. This is the only policy in our policy page that is not approved.

The draft does not cover all of our activities, where or how we store data, how we protect it, and the necessary steps for GDPR compliance. The policy will need to undergo a substantial rewrite at the very least, but I think that would be a mistake. As it is so deficient, I believe it will be better if we do an outright replacement, one that is legally sound, GDPR compliant, and covers all of our use cases, storage, protections, and sharing activities.

To that end, I have contacted a very similar open source organization for permission to re-use theirs, while obviously ensuring that what we do, and where we store, process, and share data, is updated.

I will keep you informed of progress. If you have any questions relating to privacy, our data protections, or would like something to be covered in the confidential report, please let me know.

thanks,
Andrew

Andrew van der Stock

Dec 7, 2021, 3:46:44 PM
to Global-board, Andrew van der Stock
And just to assuage concerns about data protection, at this stage, I do not believe we have any major data protection issues. All our key systems that store data to my current knowledge require multi-factor authentication and are hosted in organizations that protect data as far as we know. I will know more as I complete the data inventory and investigate the privacy policies and security postures of the organizations where we have personal data stored.

The one concern I have identified so far is that we have a lot of personal data in our ticketing system, which is generally readable only by staff and our accountants using a linked Google account that has MFA enabled. That said, there are retained but completed tickets without sufficient business need to still be present on a live system. I will work with our accountants to see if we can securely archive old records that are no longer needed, starting with records prior to this year. This is operational in nature, and I hope to have this completed by the Board meeting presentation.

thanks,
Andrew