Now online:

https://www.linkedin.com/pulse/eu-has-just-circumvented-us-democratic-process-nobody-eric-thomas

  Eric

From: Eric Thomas
Sent: Thursday, May 24, 2018 21:19
To: 'LISTSERV Site Administrators' Forum' <[log in to unmask]>
Subject: RE: Remove accounts from ListServ database


One of the most common myths about the GDPR is that the “right to be forgotten” is absolute, when in fact you should be able to keep most of the data in most cases (with respect to LISTSERV at least). You do normally have to delete people from your lists if they request it, but this was already the case before the GDPR. Exceptions are very limited (employees that you pay to read the messages, etc.), and none of this is new.



Consider the following GDPR scenarios:



  *   Former employee requests deletion of all software patches he wrote because they are tagged with his name.
  *   Former employee requests deletion of all customer or vendor contracts bearing his signature, that he signed on behalf of the employer.
  *   Former employee requests deletion of all evidence bearing his name that you have in defense of the lawsuit he filed against you, which of course is 100% of the evidence.



I could go on forever, and my focus on former employees is because this is where I expect the conflicts to happen. A normal customer will probably be happy if you delete him from any active marketing, even if you legally cannot delete past invoices or credit card transactions bearing his name. Banks cannot delete transactions until 10 years have passed, doctors cannot delete medical journals, etc. One of the few things they did right with the GDPR is that it automatically yields to other laws requiring data retention.



With respect to passwords, while the password itself could be personal data because it could be the name of the user’s dog or other potentially identifying attribute, LISTSERV only has a 256-bit one-way hash that in my opinion is not personal data because, even if you posted it online, nobody would be able to use it to identify the user. On the other hand, if a user wants to delete his password, who cares? I recommend systematically deleting the user’s password and signup entry when processing “right to be forgotten” requests. I also recommend running the PowerShell tool <http://www.lsoft.com/download/listserv.asp> again after all deletions to make sure that everything was done properly.



I think the main point of contention will be the age-old, “I posted something really stupid 2 days ago and need you to wipe it out from the entire Internet” – now with a €20 million GDPR threat. Response, in most cases unchanged. With respect to deleting copies of the message from thousands of mailboxes all over the net… You are not the controller, or even the processor, for that data. With respect to your one copy of the data on your server, L-Soft has the following FAQ, which of course does not constitute legal advice in your or anyone else’s particular case:



http://www.lsoft.com/resources/gdpr-faq.asp



The GDPR is clear as mud in key areas, and it will probably be years before courts make any hard rulings that can be used as case law. Perhaps the GDPR will be abused but, for all its flaws, I don’t think it was meant to promote anarchy or sabotage of established communities, and I don’t think this is a mistake the courts will make. Your freedom ends where mine begins.



I have started a series of articles about what the media is not saying about the GDPR because they are too busy writing about Facebook and Google to see the forest:



https://www.linkedin.com/pulse/hidden-face-gdpr-7-predictions-eric-thomas

https://www.linkedin.com/pulse/gdpr-brexit-approach-personal-data-protection-eric-thomas



Maybe I see more clearly because I am on the one hand pro-EU and an EU citizen, but on the other hand I have been living in the U.S. for almost 4 years now, so I see both sides of the picture. In a few hours, I will post “The EU has Just Circumvented the U.S. Democratic Process, and Nobody has Even Noticed.” It is absolutely scary how much of the GDPR has gone unnoticed in the media.



  Eric
