Hi Board,
Back in the September board meeting, IIRC Martin asked if I could provide the Board with a GDPR privacy update. I am currently going through this process now that we have a bit of clear air. I will present this as a confidential report to the Board at the December Board meeting with a public presentation, with a list of identified actions to be undertaken in 2022. However, one issue will not wait and I will progress it immediately because it will take some time to resolve.
The very first step of this process is to identify if we have an approved and published privacy policy, so that I can validate that it is up to date, accurate, effective, contains relevant GDPR requirements, and in use. Our privacy policy has been in draft since December 2019. It is not approved - and actually I am glad of this oversight for reasons that will become apparent. This is the only policy in our policy page that is not approved.
The draft does not cover all of our activities, where or how we store data, and how we protect it and the necessary steps for GDPR compliance. The policy will need to undergo a substantial rewrite at the very least, but I think that would be a mistake. As it is so deficient, I believe it will be better if we do an outright replacement, one that is legally sound, GDPR compliant, and covers all of our use cases, storage, protections, and sharing activities.
To that end, I have contacted a very similar open source organization for permission to re-use theirs, while obviously ensuring that what we do and where we store, process, and share data is updated.
I will keep you informed of progress. If you have any questions relating to privacy, our data protections, or would like something to be covered in the confidential report, please let me know.
thanks,
Andrew