Support for GDPR Compliance
General Data Protection Regulation (GDPR) is a collection of data privacy and data protection laws enforceable in Europe. Organizations in the EU are subject to these regulations, as well as organizations that process or store personal data belonging to citizens of the EU. GDPR has been enforced since May 25, 2018.
Among GDPR regulations is the requirement that a data subject (person whose data is being processed or stored) can request to see all of their information, have corrections made if information is incorrect, or have their information deleted at their request. While the first two are already supported by Spigit, the ability to have information deleted was added in this release to bring Spigit software into compliance with GDPR regulations.
Super administrator may accomplish this using the link marked ‘Remove User Identity’, which is available on the Edit User page. By design, to fully comply with GDPR, this course of action has instance wide impact, is permanent and cannot be undone. As such, it is only available at the main community and to super administrators, and they are prompted to ensure they understand the impact and still wish to continue. When a user’s identity is removed, all personally identifiable information, such as their name, email and user attributes are anonymized so that they are no longer attributable to that person. Any content this user may have added, such as ideas and comments, will remain in Spigit but will reference the anonymized identity. The anonymized user is also disabled in Spigit and any user attribute fields are locked, so this user can no longer log in with the same user ID, or have their user attributes modified.
Cross Site Scripting Prevention
We have tightened our approach to cross site scripting prevention by switching from blacklisting to whitelisting for sanitizing data that is entered into Spigit. This change in approach was recommended by our contracted penetration tester as a way to enhance security.