GDPR and open source: impact and consequences
GDPR in a nutshell
The goal of the GDPR is to protect the personal data (i.e. any information that relates to someone who can be identified) of individuals on the EU's territory in a world where data plays an increasing role in every aspect of our lives. It applies to any corporate entity (including those outside the EU) that stores and processes data from any citizen of the EU.
GDPR and open source
While most online articles covering the GDPR deal with companies selling goods or services, this territorial scope can also be viewed with open source projects in mind. There are a few variations, such as a software company (for profit) running a community, and a non-profit organization, i.e. an open source software project and its community. Once these communities are run on a global scale, the chances are high that EU-based persons are taking part in them.
When such a global community has an online presence, using platforms such as a website, forum, issue tracker etc., it is very likely that it is processing personal data of these EU persons, such as their names, e-mail addresses and possibly more. These activities trigger a need to comply with the GDPR.
Under the GDPR, a data breach occurs whenever personal data is taken or stolen without the authorization of the data subject. Once discovered, the affected community members must be notified within 72 hours unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The only excuse to delay is if the notification would hamper a law-enforcement investigation.
Right to access
One of the rights the GDPR gives to EU citizens is to ask an organization whether, where and which personal data is processed. Upon request, they should be provided with a copy of this data, free of charge, and in an electronic format if the data subject (e.g. an EU citizen) asks for it.
Right to be forgotten
Another right EU citizens get through the GDPR is the "right to be forgotten," also known as data erasure. This means that when personal data is no longer needed for the purpose for which it was originally gathered, data subjects can get the data controller to delete their personal data and cease its transmission.
With this in mind, any open source project, organization or community should put in place specific features such as obtaining and storing consent, extracting data and providing a copy in electronic format to a data subject, and finally the means to erase specific data about a data subject.
Under the GDPR, every organization should keep a register with detailed descriptions of all procedures, purposes etc. for which it processes personal data. This register will act as proof of the organization's compliance with the GDPR and will be used for audit purposes.
Organizations that do not comply with the GDPR risk fines of up to 4% of annual global turnover or €20 million (whichever is greater). According to the GDPR, "this is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts."

This material is based on an article by advisor internet and e-Government Robin Muilwijk published on opensource.com. It should not be used as legal advice or a definitive guide to GDPR compliance.