Does your grid need to prepare for GDPR?
This May, a major new regulation goes into effect — the European General Data Protection Regulation, or GDPR. It affects any company anywhere in the world that collects data on Europeans. And yes, that includes emails and IP addresses, and there’s no minimum company size required. If you’re an organized grid, whether commercial or non-profit, you have to comply. If you don’t, fines can go as high as 20 million Euros, or 4 percent of annual revenues — whichever is bigger.
To comply, companies have to put processes in place to protect data, notify authorities immediately if the data is breached, and allow their customers to be able to delete that data if they want.
Large grids that have invested a lot of time and money in their operations need to get their houses in order right now. And anyone who uses an outside hosting company for their grids needs to make sure that the hosting company is on top of things.
“One way to get around GDPR would be not to register with real life identities then it is no longer personal information,” Avalonia Estate owner Justin Ireman told Hypergrid Business. “Or grids will need to specifically exclude EU citizens from being customers, blocking European IPs for instance.”
(Ireman insists he is not an expert and not a lawyer and so his views are his opinions and interpretations of this complex law only so each reader should cross check.)
How are the grids preparing?
I tried to contact all the major grid owners, and only a few got back to me about whether they’re ready for GDPR or not.
“We’ve already developed some of the capabilities we’ll need for supporting the right to be forgotten as specified in the GDPR,” he said. “Most of the upcoming technical changes will be in our back-end and how we handle user data.”
Kitely is currently the largest commercial grid by land area, according to the latest stats, and one of the top ten grids by traffic numbers. It also runs the Kitely Market, which delivers to more than 200 other grids. So there’s a lot of information there that they collect about their customers — and a lot at stake if they don’t get up to speed.
Take for example, the question of protecting the data.
That doesn’t just mean encrypting everything. Grids also have to be careful bout how they store the passwords to unlock that data.
“It’s important to ensure that the keys used to access them aren’t just stored in plain text on the same storage device,” said Tochner. “Otherwise the database table encryption won’t be worth much when confronted with a knowledgeable hacker.”
And everything has to be done in such a way so it doesn’t interfere with operations.
“We’ll aim to minimize the amount of user-visible changes so as not to reduce the functionality our services provide,” he said.
Are the vendors ready?
For some grid owners, the new regulation is yet another reason to use outside services for as much as possible, and just stick to what they do best — community building, content, events, support, and marketing.
“Any external vendor you use that has access to your users’ personal information should be GDPR compliant or your service can’t be GDPR compliant as well,” said Tochner.
For example, many grids have recently began using the Gloebit virtual currency platform, which offers a single, hypergrid-enabled currency that can be used on any participating grid.
Gloebit itself uses third-party services to handle most of the payment information it gets from its users.
“And anything that we consider personally identifiable information, we encrypt in our databases so that if any malicious actor ever did manage to copy some user rows, they wouldn’t get any information on any user,” Gloebit CEO Christopher Colosi told Hypergrid Business.
Full details of how GDPR will be enforced and how it will affect OpenSim companies are yet to come.
“Hopefully the regulation is written so that complying is not overly onerous for small businesses,” he added.
“Dreamland Metaverse has always protected customer data using state-of-the-art security technologies and well defined operational processes, and we will continue to do so,” Dreamland Metaverse founder Dierk Brunner told Hypergrid Business.
How big a problem is this?
Will the European Union really go after a tiny virtual world for minor non-compliance issues?
“Probably not, but all it would take would be one disgruntled grid user not happy with a grid for failing to protect the data or not allowing the user access to their personal data, including the right to be forgotten, and a report could be made to the authorities,” said Avalonia Estate’s Ireman. “So who knows.”
Even non-commercial and not-for-profit grids will also need to comply for as long as they process personal information and allow for sign ups with real identities.
“Again a best guess, as the GDPR applies to charities and other non-profit making organizations just as much as to commercial businesses this would apply to non-profits such as OSGrid as it allows sign-ups from EU citizens,” he said. “In fact the regulation makes clear it doesn’t matter if the goods or services are provided for a fee or free of charge.”
If your grid isn’t prepared, it’s not alone.
Only 21 percent of IT professionals and executives say they have a good understanding of what GDPR means in practice and only 18 said they understood what data their company has and where it lives, according to a recent survey by Commvault, a data backup, protection, recovery and management provider who also helps companies prepare for compliance ahead of GDPR coming to effect,
“It is highly likely that we will see a number of high profile organizations hitting the headlines for contravening GDPR soon after it comes into effect next May, mainly due to a lack of understanding of the data they hold and its relationship to GDPR,” said Nigel Tozer, solutions director at Commvault.
For more on the regulation, please visit the FAQ page here.
Are UUIDs personally identifiable information?
A UUID — the unique number assigned to each OpenSim avatar — may be classified as personal data if it can be used to identify a real person.
“Under the GDPR, personal information isn’t just phone numbers, names and addresses,” said Ireman. “It can be any information that can lead back to the real identity of an EU citizen. UUID numbers of avatars that are tied to real identities at grids will now be considered personal information. The scope of this is truly massive.”
And it’s not just customer information that has to be protected. So does information about employees, volunteers, and donors.
Grids that are hobby grids, used by just the grid owner and their friends, will most likely be exempt. That is one way of ensuring the grid does not fall under that jurisdiction.
These grids don’t offer any goods or services to the general public, and make no effort to collect and analyse data about EU citizens.
Preparation for compliance
Here are some steps grids should take to prepare for the GDPR. They are generally good policies to follow in any case, however.
The firs step is to get real consent.
Make sure your users give their consent for you to collect information about them in an informed way. Pre-checked “I accept” boxes are not enough. And consent has to be granted again when the data is going to be collected or used in a new way.
Here’s one way to do this: “Given the nature of OpenSim, by using OpenSim and signing up with our grid you will be consenting to the collection and necessary processing of your data. Please click the tick box here to show your consent.”
“This sort of thing would meet the consent part of GDPR as far as I can see, said Ireman.
One thing which could be harder for grids to do is to create a system to allow customers to request and review the data that has been collected about them — and to delete that data if they want.