GDPR opt-in for organisations

[moreedri]

Organisations/members of DMPonline.be should be able to opt-in for GDPR registration via DMPonline.be

• [x] superadmin can tag organisations that want this
• [x] superadmin can identify one or more users as "Data Protection Officer" for that organisation
• [x] orgadmin can tag templates as ready for GDPR
• [x] in the plan create wizard, user must answer a preliminary GDPR question
• [x] in the plan sharing details, user can invite user with role = "data protection officer"
• [x] in the plan sharing details, new role = "data protection officer" should be explained

if the preliminary GDPR question is answered yes = personal data is treated in the project:

• [x] in the plan create wizard, user can only select GDPR-compatible templates from the dropdowns
• [x] the organisation's data protection officers are added as collaborators to that project, explicitly marked as "Data Protection Officer"
• [x] in the plan sharing details, user cannot remove organisation DPO's as long as these are linked to that organisation as DPO by the superadmin
• [x] in the plan sharing details, user can add other DPO's when needed
• [x] in the plan sharing details, user can remove foreign DPO's when needed

if the preliminary GDPR question is answered no = personal data will not be treated in the project:

• [x] in the plan create wizard, user can only select templates without GDPR questions from the dropdowns
• [x] in the plan sharing details, user can add a DPO when needed for compliance edge cases

[nicolasfranck]

Additional requirements:

• when gdpr is selected, the selection of the organisation is locked to the organisation of the current user. Consequences?

[nicolasfranck]

https://github.com/DMPbelgium/DMPonline_v4/commit/97fb81cd589979387ea1f8c66a3fda6c97a768c6

[moreedri]

help text about DPO role is missing

[moreedri]

BUG: with owner rights, having just invited a foreign DPO, I should be able to remove that user ; only the institutional DPO cannot be removed by users with rights to change sharing details

[nicolasfranck]

I've set it to "remove by admin only" because that was not clear yet to me.

Who should be able to remove:

• admin
• project creator: if that dpo is not of the same organisation. For existing projects, this can mean that one can add dpo's without being able to remove them afterwards, because they happen to be the dpo for project creators organisation.

right?

[nicolasfranck]

What about the selectbox, that changes someones rights?

[nicolasfranck]

Update: when we mean "organisational dpo cannot be removed", we mean the dpos attached to the organisation of the template

[mm449]

Create plan wizard now automatically pre-fills a funder (instead of letting the end user select a funder from the list). This may be confusing, as users who forget to change to the relevant funder (or to select "funder not applicable/not listed") will by default be shown the pre-filled funder template.

https://preview.dmponline.be/projects/new

[mm449]

When users select a GDPR-compatible template, the tag [GDPR] appears next to the template title when they confirm the plan details. What would be best practice in terms of titles for the GDPR-compatible templates? On the one hand, we want to be able to distinguish between duplicate templates (based on just the title) in the superadmin database, but on the other hand we should probably avoid using "gdpr" in the template title because of the [GDPR] tag that is displayed to the end user when confirming plan details.

[mm449]

help text about DPO role is missing

SUGGESTION: Add to list of different roles in Share menu:

• 'Data Protection Officer' (DPO) is the designated person who monitors the application of and compliance with the General Data Protection Regulation (GDPR) within an organisation. DPOs can read and export the plan, and also add comments. If enabled by your organisation, the organisational DPO is automatically added as a collaborator to your plan when you indicate that you are processing personal data.

[nicolasfranck]

Update: when we mean "organisational dpo cannot be removed", we mean the dpos attached to the organisation of the template

Update on update ;-) : nope, it is the organisation that was selected during the project creation. In case of gdpr, the own organisation is selected anyway.

In code:

NOT

project.dmptemplate.organisation

BUT

project.organisation

[nicolasfranck]

help text about DPO role is missing

SUGGESTION: Add to list of different roles in Share menu:

• 'Data Protection Officer' (DPO) is the designated person who monitors the application of and compliance with the General Data Protection Regulation (GDPR) within an organisation. DPOs can read and export the plan, and also add comments. If enabled by your organisation, the organisational DPO is automatically added as a collaborator to your plan when you indicate that you are processing personal data.

That's quite long. The selectbox shows one tooltip for all options, not per option. And it does not explain the meaning, but rather what they can do.

[mm449]

help text about DPO role is missing

SUGGESTION: Add to list of different roles in Share menu:

• 'Data Protection Officer' (DPO) is the designated person who monitors the application of and compliance with the General Data Protection Regulation (GDPR) within an organisation. DPOs can read and export the plan, and also add comments. If enabled by your organisation, the organisational DPO is automatically added as a collaborator to your plan when you indicate that you are processing personal data.

That's quite long. The selectbox shows one tooltip for all options, not per option. And it does not explain the meaning, but rather what they can do.

I meant this as an addition to the list of bullet points explaining the different roles/permission levels in the text immediately under the share tab. For the tooltip we need a shorter statement indeed, e.g.: "DPOs can read plans".

[nicolasfranck]

Create plan wizard now automatically pre-fills a funder (instead of letting the end user select a funder from the list). This may be confusing, as users who forget to change to the relevant funder (or to select "funder not applicable/not listed") will by default be shown the pre-filled funder template.

https://preview.dmponline.be/projects/new

Same applies to the "institution" where the first option is preselected

[nicolasfranck]

remaining bullet points fixed on test.dmponline.be