GDPR and Professional Communities

Problem

The Symfony project needs to be able to track Code of Conduct (CoC) violations and share them on a need-to-know basis to prevent violators from attending / speaking at events.

However, the General Data Protection Regulation (GDPR), due to be implemented from 25 May 2018, requires companies to seek explicit consent for all data collection, storage and use. It also grants users the right to request the deletion of their data.

Symfony asked us to investigate how they could achieve their goal while complying with GDPR.

Objective

We created a roadmap for the Symfony project team to follow that allows them to protect their online and offline communities, while also complying with GDPR requirements.

Approach

GDPR requires organisations to collect as little personal data as necessary (data minimisation) and only use it for the purposes intended. Data collected for one purpose cannot be used for another purpose without explicit consent.

However, there are exceptions that give organisations some leeway. Article 6.1 of the GDPR, "legitimate interest," states that processing is lawful if it is necessary for compliance, to protect someone, or is in the public interest.

This suggests that it is lawful for Symfony to track and share CoC violations under the GDPR if:

  • Consent is explicitly given to collect, retain and use data for CoC violations, OR
  • Data usage outside of consent is otherwise lawful, as in the various cases laid out in Article 6.1

We analysed the following documents & processes that make up Symfony’s CoC process:

  • GDPR & supporting documentation
  • The individual user journey in Symfony’s online forums & offline engagements
  • Human interaction in the Symfony community, including between users, users and personnel, and between personnel

We then determined:

  • How & when individual consent should be obtained
  • How to treat data coming from collective discussions, where more than one person might need to give consent
  • How data should be handled within Symfony (Controller) and by third parties (Processors)

Outcomes

We provided the Symfony project with a report that: a) explained the relevant aspects of GDPR, b) laid out guidelines for seeking user consent, and c) advised on internal and third-party data handling.

More information

EU GDPR portal

EU GDPR key changes

EU GDPR FAQs

GDPR legislation

GDPR glossary

Client

Symfony