10

I know that GDPR does not technically introduce any new controls that do not already exist in other existing regulations, but where do we want to draw the boundaries, if any, on GDPR questions?

We allow personal privacy questions, and technical controls are obviously on-topic. Legal questions are also well-established to be off-topic. Guesses on what the ICO will allow are right out.

But I'm getting a feeling that we should make a decision now about what we do and do not want to accept.

Questions like:

  • "How to perform a Privacy Impact Analysis?"
  • "What impact will X have on privacy?"
  • "Does X impact privacy?"

Do we deem these all "legal" questions? Are they technical control-type questions?

Where do we want to draw the line?

4
  • Can we extend this meta question to also cover eIDAS? That also tends to generate a lot of quasi off-topic questions that span technical and legal. Commented Dec 1, 2017 at 3:03
  • Handling your own privacy is vastly different from handling other people's. Part of my question is if handling others' is on topic...
    – schroeder Mod
    Commented Dec 2, 2017 at 14:02
  • 1
    Your 3 example questions would probably all get closed as too broad
    – user13695
    Commented Dec 4, 2017 at 12:57
  • 1
    I think when it is pure privacy, people better create a Privacy Stack Exchange. Otherwise we will have hacking etc. also under infosec. I don't see hacking or privacy as part of infosec, but influencing it. Commented Dec 7, 2017 at 14:23

2 Answers

6

I'm in two minds on this. From my own perspective, working in a heavily regulated industry, I know it doesn't materially change any of our privacy related work - it just increases the level of controls required, and clarifies some of the detail. But for many other industries, and for small companies, GDPR is really the first key driver they have in the privacy field. So they will almost certainly first search on the GDPR tag.

So I don't think we should decide a question is on or off topic based on whether it is GDPR relevant, necessarily.

Of more importance, does it come within the scope of this site? Privacy controls generally will (although I could probably come up with some out of scope privacy questions) especially if they are technical or process controls. Data protection questions, similarly, could well be on topic.

But you are correct - if the question is about law it is very likely to be off topic...

2
  • I'm not so precious about "GDPR" (I didn't use the term in my examples), but "privacy" is getting technical. Website owners, security managers, sole-proprietors will have some technical questions to ask. Data protection becomes an interesting line to draw as a part of our scope.
    – schroeder Mod
    Commented Nov 30, 2017 at 15:37
  • 3
    I mostly agree with this, GDPR-relevance is not the main criterion for on-topicness. More likely it will fall for other reasons - e.g. the first example "How to perform a Privacy Impact Analysis" is far too broad. Whereas the other examples (assuming there is a good level of detail there) are clearly on-topic, and GDPR could perhaps be one aspect of a good answer. Anyway, we should treat GDPR as any other regulation (and not as a legal question), if the question itself is on-topic or not. Data protection, privacy controls, impact, etc.
    – AviD Mod
    Commented Nov 30, 2017 at 16:15
0

I think these should be handled the same way as any other questions of the same kind. For example questions regarding compliance with the GDPR should be handled the same as questions regarding compliance with any other laws/regulations. Questions regarding GDPR-related audits should be handled the same as questions regarding the handling of any other audits. And so on.

The fact that they're about the GDPR is irrelevant; they should be handled the same as any other question of the same kind.


Questions regarding the legal aspects of the GDPR are irrelevant, the same as questions regarding the legal aspects of any other laws or regulations. e.g. "How to interpret this clause in the GDPR", "What does this part of the GDPR mean", and so on. As would be the case with any other legal questions.

2
  • Except my question is about the technical nature of privacy, not about regulatory questions. Do we want to take on handling other people's privacy as an in-scope topic?
    – schroeder Mod
    Commented Dec 2, 2017 at 12:24
  • @schroeder The answer depends on whether or not privacy-related questions are currently considered on-topic. As per my answer, privacy in relation to the GDPR should not be handled any different to privacy in any other context. Whether or not privacy is currently on-topic I don't know. Commented Dec 2, 2017 at 14:09
