This is interesting amongst shades of where we were a couple of years ago:
Due to our hosting and SaaS business, this involved a huge amount of time and money (legal fees for GDPR-compliant contracts in particular) and we eventually fulfilled our requirements with our SaleFaith GDPR FileMaker WebDirect database.
In case anyone is interested, I’ve lifted the following from my original community post as we worked towards GDPR - https://community.filemaker.com/en/s/question/0D50H00006h9MEtSAM/gdpr-ostriches-with-our-heads-buried-in-the-sand where a (slightly out of date, light on data and read only) demo version is still online at:
User name: GDPR
Good luck to everyone who is involved with this at the moment.
Since built-in email “encryption” (SSL/TLS) is only between you and your ISP (email is almost totally insecure), I’m always curious how many folks use PGP and other common-sense tools for encrypting basic communications like email.
I don’t like services that “handle encryption for you” since they have the keys. It’s like handing someone the keys to your house and them saying “we’ll take care of it.”
Aside from data breach blunders like Dropbox, Yahoo, and others have had, it’s difficult to trust these companies. (I can think of a few others also)
Sorry, a bit off topic, but still close I think.
Good link. As part of our GDPR procedures, we never email out sensitive information in its entirety, it is split up via different delivery methods so that each part is no use without the other.
A simple example is setting up a new cloud account for a user. The email may include both server address and user name details, but the password will be sent by Skype, WhatsApp, SMS.
I would never (ever) use WhatsApp or anything by FB. Skype is owned by MS and they scan messages (or have the ability to). SMS is also not secure.
There’s really nothing like secure PGP email and I use it every day – all day, but sadly it seems too complex for most users – even experienced ones.
I can’t argue with you. But as mentioned, those delivery methods are fine for us, as there is only 1 piece of the jigsaw being sent.
Probably the best way, minus PGP, would be to have the user create their own password on a secure site. Then, there’s nothing to send.
If they need to reset their password, they just use the standard “forgot my password” type workflow.
That’s how I do it with the CMS sites I host – a password or other sensitive info is never sent.
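The “user sets their own password, nothing is sent” workflow described in the post above, as an added example that is not code from the thread or from any poster: the link that goes out by email carries only a random single-use token with a one-hour lifetime (an assumed policy), the server stores just the token’s hash, and the token is consumed on first use whether or not it succeeds. The in-memory stores and the 12-character minimum are constructed stand-ins for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 3600  # assumption: a setup link is valid for one hour

# Constructed in-memory stores; a real deployment would use its database.
# Only the token's hash is kept, so a copied table yields no usable links.
_pending: Dict[str, Tuple[str, float]] = {}   # token hash -> (username, expiry)
_passwords: Dict[str, Tuple[bytes, bytes]] = {}  # username -> (salt, pbkdf2 hash)


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_setup_token(username: str, now: Optional[float] = None) -> str:
    """Create a one-time token; the caller emails a link containing it (never a password)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
    _pending[_hash_token(token)] = (username, now + TOKEN_TTL_SECONDS)
    return token


def redeem_setup_token(token: str, new_password: str, now: Optional[float] = None) -> Optional[str]:
    """Consume the token and set the user's own password. Returns the username, or None."""
    now = time.time() if now is None else now
    if len(new_password) < 12:          # assumed minimum-length policy; token stays valid
        return None
    digest = _hash_token(token)
    # Constant-time comparison against each stored hash so timing reveals nothing.
    match = next((h for h in _pending if hmac.compare_digest(h, digest)), None)
    if match is None:
        return None
    username, expires = _pending.pop(match)  # single use: removed even if expired
    if now > expires:
        return None
    salt = secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    _passwords[username] = (salt, derived)
    return username
```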
Thanks for your reply!
Yup, only temporary passwords are sent out, usually changed within a few hours.
We’re usually setting up Windows Active Directory accounts for streaming FileMaker Pro. Most of our FileMaker systems have an HR module from within which our clients can manage their own FileMaker user accounts across our data separated systems.
In addition, we often have preset temporary passwords agreed with some clients that we can refer to as ‘your normal temporary setup password’.
Each user has a 2-stage, 2-user name, 2-password log on process.
Was not criticizing your approach.