How to deal with GDPR on GitHub Pages-based blogs?

Hi folks,
like many of us EU-based users, I’m forced to make sure my page is GDPR compliant.

Besides things like updating the privacy policy, I’m having a hard time identifying all the other things to respect.

There are so many topics, like third-party processing and the data processing order between GitHub and us.

Do you have any recommendations? What have you done to be prepared for 25 May 2018?

2 Likes

Hi @ocram85,

While I’m not a lawyer and this isn’t legal advice, most of GDPR compliance is just about giving your users choice and information about what you do with their data. In my case, here’s some of the things I did to prepare my project for GDPR:

  • Updated my Privacy Notice to let my users know exactly what information I collected, what I did with it, how long I intended to keep it, and who I shared it with (e.g. third-party payment processors, Google Analytics, etc.)
  • Updating any tracking scripts on the page to require affirmative consent from a pop-up modal before activating or not (if consent was refused)
  • Encrypting the data I stored in my database at rest and in the file system itself (encrypted backups, etc.)
  • Automating a process for users to self-serve information, export their data, delete it, and restrict my processing of it.

I would also recommend speaking to a qualified privacy lawyer to understand any additional obligations you may have.

If there’s anything else I can help you with, let me know; so happy to help further!

Kindest regards,
Matthew

1 Like

Hi @matthewheath,

Thanks for your advice! I’m fully aware of your points.

But I’m not quite sure how to deal with the fact that GitHub acts as hoster/provider with the GitHub Pages features. Therefore the GDPR needs details about the used user data. So how do we describe it in the privacy note? I know GitHub provides a privacy policy of its own, but this aims to help us, not our users.

Hmm. Well, what sort of data does your static page collect from your users? If nothing is being collected and stored (or you do not use any tracking scripts like Google Analytics on the page) then I don’t think you need to mention GitHub Pages in your Privacy Notice.

That said, I would strongly recommend seeking out qualified legal advice to establish your responsibilities here and possibly also draft up a section in the Privacy Notice for using GitHub Pages.

So sorry I couldn’t be of further help here. :frowning:

Kindest regards,
Matthew