
We are building one such service and I agree (to name a few services doing GDPRaaS: soveren.io, ethyca.com, securiti.ai, datagrail.com, alias.dev). This is so much needed as there is almost no legally valid answer in the whole comment section! I started to write an article on all the points above... should get back in 2 hours and post it here.


In bullet points:

- GDPR is a risk management policy about personal data protection more than a privacy regulation

- for any personal data (PII) all companies must declare the following:

  - purpose of the collection and the treatment of the specific data

  - legal base of the treatment (6 available; they are the field cards in Magic: The Gathering, they define the context of what is possible to do)

  - data category (what type of data you are collecting, i.e. if you declare collecting delivery shipping information for a purpose, you limit yourself to data that corresponds to that category)

  - data retention duration (how long you declare storing the data in production and then in archive)

  - list of recipients (all the 3rd party companies who will access the data)

  - security measures (what is the level of security for keeping that data safe from breaches)

  - some info about the company, the data controller (who is responsible) etc...

So all companies must do an internal data mapping to know and declare where the data is and where it flows in production, and write a ROPA (record of processing activity) for every PII. You can find an open source specification, UROPA, here:

https://github.com/uropa-project/uropa

- consent is just one of the 6 legal bases to collect and treat data. The comment above that everything is possible with consent is wrong.

- below 250 employees you don't officially need a DPO
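As an added illustration of the ROPA fields listed above (my own example, not code from the thread and not the UROPA specification; the field names are assumptions), a small Python check that a record declares each field and that its legal basis is one of the six lawful bases of GDPR Article 6(1):

```python
from dataclasses import dataclass

# The six lawful bases of GDPR Article 6(1); consent is only one of them.
LEGAL_BASES = {
    "consent", "contract", "legal_obligation",
    "vital_interests", "public_task", "legitimate_interests",
}

@dataclass
class RopaRecord:
    purpose: str                    # why the data is collected and processed
    legal_basis: str                # one of LEGAL_BASES
    data_categories: list[str]      # what kind of data, limited to the purpose
    retention_production_days: int  # how long it stays in production
    retention_archive_days: int     # how long it stays in archive afterwards
    recipients: list[str]           # third parties that will access the data
    security_measures: list[str]    # how the data is kept safe from breaches
    controller: str                 # who is responsible for the processing

def validate_ropa(record: RopaRecord) -> list[str]:
    """Return the list of findings; an empty list means the record is complete."""
    findings = []
    if not record.purpose.strip():
        findings.append("purpose: missing")
    if record.legal_basis not in LEGAL_BASES:
        findings.append(f"legal_basis: {record.legal_basis!r} is not an Art. 6 basis")
    if not record.data_categories:
        findings.append("data_categories: none declared")
    if record.retention_production_days <= 0 and record.retention_archive_days <= 0:
        findings.append("retention: no duration declared")
    if not record.security_measures:
        findings.append("security_measures: none declared")
    if not record.controller.strip():
        findings.append("controller: missing")
    return findings

# Constructed sample: a shipping-address record that is incomplete in four ways.
SAMPLE = RopaRecord(
    purpose="ship ordered goods to the customer",
    legal_basis="we asked the user",  # not one of the six lawful bases
    data_categories=["postal address", "phone number"],
    retention_production_days=0,
    retention_archive_days=0,
    recipients=["parcel carrier"],
    security_measures=[],
    controller="",
)
if __name__ == "__main__":
    for finding in validate_ropa(SAMPLE):
        print(finding)
```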


I am a multiple meetup organizer and owner on meetup.com and I find it actually great that the meetup can stay alive if the organizer stops paying. Your communities are not owned by you. Also, they don't give subscribers' info but just "an access" to send email communications to the list, not the "list" with emails etc...


Maybe they're moving their community to a new platform.

Christ, controlling a meetup group is not where running a community ends.


In that case it’s a moot point, but on the other hand we have had so many past examples of community “owners” shutting down their community out of spite. The community needs to be able to control their own destiny with or without the founder.


I've never been an admin of any meetup group, but I have been an attendee of many. As an attendee, I'm almost never caring who the group owner is, and it certainly doesn't play a role in whether I decide to join the group or not.

As you suggest, I think the community belongs to the community.


I think there needs to be some sort of a middle ground. Maybe the organizer can call a vote, and if a certain quorum is met the community can be dissolved.


Intentionally dissolving a community seems pointless. If a community wants to be dissolved people just… stop.


I'm not sure even that necessarily works. Say the majority of the group wants to move to a new platform. Someone else--perhaps in the minority--wants to keep the group going on meetup.


I don’t know about you, but I feel a little weird about the fact that some random person can just buy all the contacts/access to the profiles of our old podcast producer meetup group without my input or opting in.

Imagine if folks could buy abandoned Facebook profiles and be instantly connected to all their friends and groups/pages. I think most people would be against that.

At the very least I would hope to see a prompt or notification of some kind appear that says “hey, this community is under new management” and then I have to opt to stay in.


Having not been a meetup admin, what access do you have for user's information? Is it just their meetup profiles, or do you actively have their email addresses?

Also, you said two things interesting: "profiles of our old podcast producer meetup group", and then "without my input or opting in".

You used both "our" and "my". Do you see it as your group, or a group of people who have come together and could keep it going without you?


I'm an admin/owner for a Meetup group.

I think the only thing I can see that other members can't is:

  1. Number of RSVPs
  2. List of meetups attended
  3. No-shows
  4. Last visit to the Meetup page
  5. Whether they are blocked from the group

Except for 3 and 5, the information is all available on pages visible to members anyway, though you'd need to page through all the past events to aggregate it.

I do see a box "Get to know your members — With the Pro registration form, you can get key attendee details like email address and job title". I wonder where job title comes from, I certainly haven't provided that to Meetup. I'd also like there to be a way to hide my email address from Pro group owners, but I can't see one. Possibly I don't see the setting as I'm not a member of any Pro groups.


Ah, now that's interesting. It looks like they have a product that seems to be more focused on businesses organizing things: https://www.meetup.com/lp/meetup-pro

I wonder what all the differences there are. That would be more concerning if that allowed transfer.


There is one piece of not so obvious data that is public in Meetup profiles: zip code. The city is listed, but hovering over the link that has the city as link text shows the zip code that member registered with, possibly long ago. This can be handy for deciding meeting locations, etc.


I actually didn’t create the original meetup group, my colleague did. I agreed to join his group that he runs. If someone else takes the reins that we don’t know I would like the option to drop out before they access anything.


Well, in the scenario outlined by OP, their former community is now _owned_ by a third party uninterested in the community's purpose and spamming the members to their own ends.


Well, can't those people just leave the group if they don't want to hear from the third party anymore?


Tbh that practice seems to be on par with any social network standard out there. You get stuff, even for free, but the real product is still your data. If you don't want anyone to access that, you can't use these things.


Meetup is not free. Meetup is expensive as hell.


Members of groups don't pay. And it's their data that is valuable, since it comes in bulk. No one would care if it was just the data of the paying group organisers.


There is a value in being able to spam via an already verified list.

If that value is more than a dump and run on the Meetup expense, there is an obvious arbitrage opportunity. Capitalism all but guarantees others will be able to leverage this along with the less obvious opportunities.


Either you don't do business anymore with EU users or any user on EU territory (but how do you know they are not actually on EU territory), or you try to automate it so you continue to "not care about it".


We have never been successful in showing that internal maintainers of the legacy were the ones really paying the bills and delivering the current value of the company. Fame and payroll went mostly towards the cool engineers working on new tech not yet in production serving real customers. I hope Echoes helps give merit to the ones contributing to the economic value of the company.


I certainly hope too, especially as those teams are typically at the crossroads of every initiative and therefore unfairly perceived as "what is slowing us down" rather than "what carries everything else". Echoes can shine a light on their contribution, and on the challenges of being in the middle of it all.


What is the "unit of technical/economic value" you identify for that? You do it at the commit level? Build? Deploy?


Our model of a unit of effort typically originates from a commit. Deployments are declared through an API: because we already know the commits, and most importantly their intents, this tells us what a given release aims to achieve. The next link is to connect that to observable impact.


Nice. Do you plan to match it with marketing/sales budget per product line or Business unit? To be sure that the effort of "maintaining legacy" is equally measured versus over funded efforts on new features for growth?

Disclaimer: I am running a non-profit in my country called "The Maintainers"; this is why I look for products that can give more merit to code maintainers.


That's not currently in the plan, but as Echoes models the engineering organization you could easily see how much of your engineering capacity goes toward maintenance versus new features.

I'd be happy to show you a demo of the product and how it can fit your use case! My time as engineering manager for the maintainers of the Docker open source project was a significant inspiration in creating Echoes, and I'm very familiar with the difficulty of highlighting maintenance work.


Yes! An "Echoes for Open Source" for contributions may come one day. Nice work btw, I will try Echoes with my team.


I made a list of all resources on privacy engineering, including meetups groups, tech conferences on privacy engineering https://github.com/progressive-identity/privacytech-resource...


The link between "groups never admit failure" and "non-profit organizations are not sustainable by design" is a little bit too direct and not relevant.

Lots of non-profits make revenue, selling things to customers; they just don't pay dividends by design and re-invest everything. So what he says does not apply.

And again, even foundations are at least oriented to hear feedback from donors who are their "customers". So it does not apply here.

The only valid point is that yes, groups never admit failure as a whole, but the post should have stopped after this.


Updated: not "well maintained". Or not maintained enough compared to their criticality and their global use.


Doesn't this punish maintainers who do a good job for free, by excluding them from funding?

I think you have to look one step deeper at how to deploy resources to encourage the system sustainably, not just throw money at the dead and dying.


Co-author here of the research. The most simple, effective and rapid solution would be to impose API neutrality. As explained in the report, it would just oblige API providers to give users the same API access as they give to their partners. For instance, why do I get less data from Facebook if I ask for my personal data than if I create an app and ask for maximum app permissions (all OAuth scopes)? API neutrality already works. For instance, Open Banking in the UK and PSD2 in Europe apply API neutrality. Any 3rd party can access a bank API if they are granted permission by the user to do so. After 2 years, for instance, up to 20% of the UK online banking population benefited from it as "Banking data Portability via APIs". 20% is huge. If FAMGAs' and all other big companies' data was accessible via "neutral APIs" to users, data portability would be "a thing".

Also, the fact that you don't know what to do with your data dump in JSON is a blocker. With APIs, integrations by 3rd parties are simpler and more user oriented.

Last point, with API neutrality there is no need to maximize "interoperability" (even if it is always useful and makes things simpler, we have seen with DataTransferProject that it does not really work, as companies don't work with the same data model). Developers will do the matching work between the original app and the destination app, no worries; when the incentive is there, middleware glue will come. The problem these days is that the source of data is useless, has no value, so there is no incentive. You can look at this study on the value of GDPR Facebook data for developers: https://www.law.nyu.edu/centers/engelberg/pubs/2019-11-06-Da... The main question is: why does a Facebook GDPR data dump/takeout have no value for developers while the Facebook API has value for millions of application developers and businesses? With API neutrality it will have maximum value for users (as it already has value for partners) while minimizing the fatigue of implementing portability (an API is a lot more developer friendly than a JSON dump that you receive in 30 days via email and that the user needs to upload somewhere).


Author here. We divided the revenues and the market capitalization by regional revenues: US user: $1294 market cap on average; EU user: $494 market cap on average; Asia: $109; rest of the world: $80. It is explained in more detail in the report.


This is why, according to GDPR and CCPA principles (it is not written as such in the text), we need to include API neutrality for users, as the right to have API access for 3rd party applications to exercise users' data portability regulations. All of this without the possibility for the company to revoke API access. Like net neutrality, but for APIs. https://api500.tumblr.com/post/31465739810/what-is-api-neutr...

