Sendiri Store is open

you have to take those precautions, and tell the regulator that you take them, in order to comply with the GDPR

Only the first.

There’s no need to register with the ICO (in the UK) to collect data; you just need to consider all of the recommendations and requirements, decide on a course of action, and be prepared to justify your decisions should the worst happen and the ICO get involved and start asking you questions. Which is where your data audit – what data you are collecting, and the basis on which you’re collecting it – comes in.

Actually, it very much does. One of the main things from the end user side of the GDPR is “informed consent”. Having any form of pre-ticked box fails that test.

Yes. But. No. You’re cherry-picking bits of the rules, way out of context.

To process data under the GDPR, you are required to specify a purpose (or purposes) for that data¹, and a basis (or bases) under which you believe those purposes to be legitimate. Informed consent is one basis, but by no means the only one. It’s the “easy” one, which makes it a good fall-back for those who don’t really need the data that they’re collecting, but not the one that I’d think of in this context.

In this instance, we have a login that says “here you may download Sendiri software products and upgrades, purchase new software licences or download demonstration licences” and asks for a name, email address and password. There’s no data policy², but it’s pretty clear³ that the deal is that we provide contact details, in exchange for which we get the option to purchase (maybe at no cost) software products and then receive updates.

That’s your “consent”, if you want to misuse that term, right there. There should be a note to say “if you submit your details on this form, we will process your data on the basis of the purposes laid out in our data policy (see link)”², and maybe – if you’re really in to covering your a**e – a tick box to say “I’ve read and understood the data policy, thanks”, but there’s no need for consent. Because the data is not being collected on the basis of consent – it’s being collected on the basis that it is required for the store to fulfil it’s side of the implied contract to give you access to their software. No consent is required, because the data is necessary for accessing the store⁴.

Furthermore, there’s no information provided regarding how the data collected will be used, who has access to it, etc etc.

Yes, as I said, this is the issue here. Not “furthermore”, though: it is the issue.

the use of soft opt-in may be legit.

Say it with me: Informed Consent. ;)

Moving on from the name and email address, we come to the checkbox on the form: “Check this box to receive email announcements about product releases and updates”.

We’re now straying from the GDPR to the Privacy and Electronic Communications Regulations – a sort of sibling of the GDPR, if you will. These cover email marketing, and very specifically things like opting in to email lists.

Soft-Opt In is a concept in PECR which makes it reasonable to assume that if someone has bought a product from you, then they would be willing to take emails about updates to that product or news of other similar products. Or, at least, likely enough that you can pre-tick the box and let them un-tick it if they wish to opt out (and providing easy ways to opt out at any point in the future, too).

And holding that data about that opt-in (or out)? Well, again, the GDPR basis is unlikely to be consent, so there’s no extra consent step required. The most likely basis for these kinds of marketing emails is “legitimate interest”, I suspect — the ICO even mention marketing in their list of possible legitimate interests.

The key thing is that the person holding that data has thought all of this through before-hand. Why is each piece of data required (the purpose or purposes), and what is the basis under which it is stored? Also, especially for legitimate interest, why was that basis selected and what was the justification? When that’s written down, you’ve got a data audit, and with a bit of nice formatting it’s also the data policy that you stick up on the website for people to accept without reading.

ETA As Rick rightly notes, the data policy should also stipulate some of how that data is held, although I don’t think the public one needs to go to the level of who has what data. The internal policy should cover where the data is (for a website, where are the servers and who else is using them), plus – for anything that’s not a one-person operation – who in the org has the data, and why.

Note: Although I have been involved with the GPDR compliance of a number of organisations, including one charity and one CIO, the above is all my opinion based on a hurried reading of a view from the outside of the operation under discussion, and should not be considered as any form of advice in this case or any other.

¹ What you’re going to use it for. “Fulfilling a contract”, “Sending out random, unspecified marketing junk”, and so on.

² Which there very much should be. If anyone wishes to criticise, this is the thing to pick up on.

³ Even to me, as a complete cynic.

⁴ Don’t confuse this with “but… the software could be free to download from an open website.” That’s not the issue, because the decision has been taken to make the software available on different terms. You are free to accept or reject those terms, but if you do accept, then the data is needed to go along with them.

should the worst happen and the ICO get involved

You mean the infamous toothless kitten that is the ICO? Or is it only the egregious abusers that walk away with little more than a slap on the wrist with a wet noodle?

what data you are collecting, and the basis on which you’re collecting it

And how you keep it. If I remember correctly, the actual wording is something vague like “appropriate technical measures” but that’s widely interpretated to mean that said data may need to be stored in an encrypted format.
Possibly not a big deal for a simple list of email addresses (I trust the passwords are hashed (and better yet, salted)) but anything more than that and you might want to be looking at what yubikeys can do…

(and also your responsibilities as a Data Controller)

Plus right of access, right of rectification, right of deletion, privacy policy, blah blah blah.

How do I know about this? I looked into it when setting up my forum. Answer? It’s bloody complicated but I may be exempt both as a personal (non commercial and non professional) site and the use of a user ID to sign in is legitimate processing. You’ll notice the rest of my site does not use cookies (the forum needs them), there’s exactly zero embedded advertising (would make it technically commercial as it would be profit making in some capacity), and no analytics (transfer of data to a third party, potentially to a privacy hostile regime such as the US).
But, yeah, it’s complicated. And closing your eyes and pretending it isn’t relevant is no excuse. That’s why some American websites geoblock Europeans. It’s easier for them to say “stuff it” than to attempt to comply.

Note: Steve posted his longer reply while I was writing this. On break at work so don’t have time to read it through as… almost done now.

You mean the infamous toothless kitten that is the ICO? Or is it only the egregious abusers that walk away with little more than a slap on the wrist with a wet noodle?

Indeed. I was merely responding to Clive’s question about whether the ICO needed to know that data was being collected. They don’t.

It’s worth having the answers ready, though. Because away from forum databases, it’s not just the ICO who might come knocking with difficult questions about what data you were holding, how it was stored and who had access.

That’s pretty much a given, though, isn’t it?

Not really, no. Remember that this thread was to announce a new store for supporting Adrian’s software, which probably wasn’t just five minutes’ work to set up…

Can we get back to why registration isn’t working for some people? i.e. me.

Have you tried the contact form? When I had a problem Adrian soon sorted it :-)).

Regards Ron.

Can we get back to why registration isn’t working for some people? i.e. me.

The mail server of my ISP shows that it has sent 3 emails to your registered address requesting confirmation, as has become standard practice to protect against spammers/bots etc. Perhaps the confirmation emails have been arriving in your Spam/Junk folder or deleted somehow? May I politely suggest that you attempt to log in, at which point the webserver should offer to send a new email?

The intention was to make registration/login simpler, but having published the beta mailing list addresses, they regularly receive spam, and I don’t want the miscreants to drown out support requests from legitimate users.

@Ron – David will not be able to access the Contact form until after a successful login, for the same reasons; at the moment that page offers you the direct email address, but I shall think about making support more accessible without first requiring a login. Bear with me, I’m a “1s and 0s” programmer rather than a web developer! ;)

Perhaps the confirmation emails have been arriving in your Spam/Junk folder or deleted somehow?

Thanks but nothing has got through here, Plus Net has been know to blacklist some domains. I’ll have to try another provider.

It might be worth increasing the expiry time for verification codes a little… My email only collects every 15 minutes, and on registering at t+1 minutes had to wait 14 minutes for the email with the code to arrive; by the time it had, the site told me that it was invalid!

Edit Otherwise it all works fine – thanks for the updates to Aemulor.

My email only collects every 15 minutes

Don’t you have an option to force it? Like if you know you’re supposed to be receiving an email, count to twenty then hit a “fetch now” button?

Don’t you have an option to force it? Like if you know you’re supposed to be receiving an email, count to twenty then hit a “fetch now” button?

Yes: log in to the mailserver and run fetchmail at the shell prompt. I did exactly that the second time, but wouldn’t usually expect to have to do it for a verification code – especially one where no expiry time is specified.

@Steve – fair points, thank you. There was no email confirmation initially, until it dawned that the database would sooner or later be drowning in bogus bot-generated accounts. Web technologies are still relatively new to me; ones, zeros and logic gates are more my speed 😉

Brief update to say that the RPCEmu/RiscPC build of Geminus is now available in the store (https://sendiri.co.uk/store) to download, try and/or purchase.
Since the RPCEmu extension that further accelerates Geminus has been deployed only on x64 Linux hardware to date, please let me know your results on other platforms and CPU architectures.

Best wishes.

A

Nota: it would be nice to have an IBAN on your website for bank transfers. And eventually a Paypal option (much more convenient for non UK people).

Anway, I will for sure buy the ARMbook, Pi4 and RPC version :) And I praise for dual screen under Pi4, to drive my two 2560×1440 screens with only one computer.

Thank you. Yes, IBAN can be added easily and I have been looking into PayPal. Thank you for your feedback and support.

Cool. (Almost) time to spend my money :)