easyappointments
Implementation of additional GDPR features in Easy!Appointments.
Hi there,
Further studies of GDPR requirements revealed that there are still some 'must haves' that EA! seems not to comply with the way it could, at least at the moment:
- Deletion of a customer does not remove his/her name, surname and e-mail address from the database - it is recommended that the customer's ID should be used instead of name, surname and e-mail in a consents table
- Admin's password should be changed every 14 to 30 days :-/ depending on the risk - worth reminding about it or making it a requirement
- A customer without any appointment should be able to remove his personal info or change it in the EA! database at any time, as easily as e.g. giving his consent for processing personal data; maybe a link in the e-mail confirming the appointment that refers to the personal info as it is now, but working even after the appointment or after cancellation of the appointment, would help
- Collection of unnecessary data, i.e. in most cases the collection of a customer's address, must be very well justified in case of inspection; e.g. address fields as an option turned on by the administrator if needed would do the trick
- Automatic personal data erasure after 'X' days, due to the necessity to inform the customer for how long personal data will be kept
There is also advice on good practice to encrypt the database content in case it is stolen, to sleep well and avoid reporting yourself to the inspector.
Lack of conformity with GDPR poses a great risk of financial consequences from the GDPR inspector in case somebody reports us using EA!.
Minor issues:
- Cookie info on a solid background without transparency could be a better solution, as it does not display well on some devices due to text on text (transparent background omitted)
- Translation of some parts does not work, e.g. 'delete' button when removing personal data by customer (on confirmation) - always in English.
I consider EA! a very good product, but from what I've found, present GDPR requirements make it risky to use.
Regards, Chris
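The two data-model points above (a consents table keyed by customer ID rather than by name/e-mail, so deleting the customer leaves no personal data behind, and an automatic erasure after X days of inactivity) can be shown concretely. The following is an added example, not Easy!Appointments code: it uses an in-memory SQLite database and a constructed, simplified schema (table and column names are assumptions) so it runs offline. The `ON DELETE CASCADE` foreign keys are what make one `DELETE` on `customers` clear appointments and consents too; note that SQLite only enforces them after `PRAGMA foreign_keys = ON`, and that MySQL needs InnoDB tables for the same behaviour.

```python
"""Consents keyed by customer id, cascading deletion and a retention purge.

Added example; schema is constructed for illustration, not the project's own.
"""
import sqlite3
from datetime import datetime, timedelta

SCHEMA = """
CREATE TABLE customers (
    id         INTEGER PRIMARY KEY,
    first_name TEXT NOT NULL,
    last_name  TEXT NOT NULL,
    email      TEXT NOT NULL,
    created_at TEXT NOT NULL
);
CREATE TABLE appointments (
    id          INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(id) ON DELETE CASCADE,
    start_at    TEXT NOT NULL
);
-- The consent row points at the customer instead of repeating name/surname/
-- e-mail, so erasing the customer row leaves no personal data here.
CREATE TABLE consents (
    id          INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(id) ON DELETE CASCADE,
    kind        TEXT NOT NULL,
    given_at    TEXT NOT NULL
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless enabled
    conn.executescript(SCHEMA)
    return conn


def add_customer(conn, first, last, email, created_at):
    cur = conn.execute(
        "INSERT INTO customers (first_name, last_name, email, created_at) "
        "VALUES (?, ?, ?, ?)",
        (first, last, email, created_at.isoformat()),
    )
    return cur.lastrowid


def add_appointment(conn, customer_id, start_at):
    conn.execute("INSERT INTO appointments (customer_id, start_at) VALUES (?, ?)",
                 (customer_id, start_at.isoformat()))


def record_consent(conn, customer_id, kind, given_at):
    conn.execute("INSERT INTO consents (customer_id, kind, given_at) VALUES (?, ?, ?)",
                 (customer_id, kind, given_at.isoformat()))


def rows_referencing(conn, customer_id):
    """Rows in any table that still carry or point at this customer."""
    n = conn.execute("SELECT COUNT(*) FROM customers WHERE id = ?",
                     (customer_id,)).fetchone()[0]
    for table in ("appointments", "consents"):
        n += conn.execute(f"SELECT COUNT(*) FROM {table} WHERE customer_id = ?",
                          (customer_id,)).fetchone()[0]
    return n


def delete_customer(conn, customer_id):
    """Erase one customer; the cascade removes appointments and consents.
    Returns the number of rows still referencing the id (expected 0)."""
    conn.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
    conn.commit()
    return rows_referencing(conn, customer_id)


def purge_expired(conn, now, retention_days):
    """Delete customers whose last activity (latest appointment, otherwise
    the creation date) is older than retention_days. Returns the ids removed.
    ISO-8601 strings of equal precision compare correctly as text."""
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    rows = conn.execute(
        "SELECT c.id FROM customers c "
        "LEFT JOIN appointments a ON a.customer_id = c.id "
        "GROUP BY c.id HAVING COALESCE(MAX(a.start_at), c.created_at) < ?",
        (cutoff,),
    ).fetchall()
    ids = [r[0] for r in rows]
    conn.executemany("DELETE FROM customers WHERE id = ?", [(i,) for i in ids])
    conn.commit()
    return ids


if __name__ == "__main__":
    db = open_db()
    now = datetime(2024, 6, 1, 12, 0, 0)          # constructed "current time"
    a = add_customer(db, "Chris", "B.", "chris@example.com", now - timedelta(days=400))
    record_consent(db, a, "processing", now - timedelta(days=400))
    add_appointment(db, a, now - timedelta(days=10))
    b = add_customer(db, "Dana", "D.", "dana@example.com", now - timedelta(days=100))
    record_consent(db, b, "processing", now - timedelta(days=100))
    print("rows left after deleting b:", delete_customer(db, b))   # 0
    c = add_customer(db, "Old", "O.", "old@example.com", now - timedelta(days=200))
    print("purged by 90-day retention:", purge_expired(db, now, 90))  # [c]
```

The purge keeps a customer who has a recent appointment even if the account itself is old, which is the usual reading of "X days since last contact"; the retention period and what counts as activity are policy decisions the administrator has to state in the privacy notice.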
Hello @chrisbols,
those are very good points that you got there.
Currently Easy!Appointments has basic GDPR support that can of course become better.
Therefore marked as an enhancement.
Best regards,
Alex
Alex Tselegidis, Easy!Appointments Creator. Need a customization? Contact me in person!
Hi. Just installed and I love the look and feel and would love to use it. Needs encryption though. Is this possible soon?
> Needs encryption though. Is this possible soon?
Why not encrypt the server filesystem?
> Admin's password should be changed between every 14 to 30 days
Why? Requiring password changes tends to decrease security. Use a long, high-entropy, random password and store it in a password manager like you should already be doing. A change that would actually increase security by a large amount is adding TOTP (six-digit pin generated by an offline app) and/or WebAuthn two-factor support.
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
https://www.wired.com/2016/03/want-safer-passwords-dont-change-often/
Something I would consider not an improvement but a requirement is that the Privacy Policy needs to be linked on all pages of EA, as user data is also stored before booking an appointment, e.g. the IP address of the user is stored in webserver logs. It should ideally be linked in the footer. @alextselegidis It is however also correct that there needs to be a checkbox when booking an appointment, because this needs consent from the user. The wording of the checkbox could be improved though: it should be that the user consents to the processing of their data according to the privacy policy, instead of having read and agreeing to the policy.
On the matter of admin password change I can say that this is not a requirement of GDPR. If @chrisbols thinks otherwise they should cite a source for this claim.
