This May, a major new regulation goes into effect — the European General Data Protection Regulation, or GDPR. It affects any company that collects data on Europeans. And yes, that includes emails and IP addresses, and there’s no minimum company size required. If you run a grid, whether commercial or non-profit, you have to comply. If you don’t, fines can go as high as 20 million Euros, or 4 percent of annual revenues — whichever is bigger.
To comply, companies have to put processes in place to protect data, notify authorities immediately if the data is breached, and allow their customers to be able to delete that data if they want.
(Image courtesy Avalonia Estate.)
Large grids that have invested a lot of time and money in their operations need to get their houses in order right now. And anyone who uses an outside hosting company for their grids needs to make sure that the hosting company is on top of things.
“One way to get around GDPR would be not to register with real life identities; then it is no longer personal information,” Avalonia Estate owner Justin Ireman told Hypergrid Business. “Or grids will need to specifically exclude EU citizens from being customers, blocking European IPs for instance.”
How are the grids preparing?
I tried to contact all the major grid owners, and only a few got back to me about whether they’re ready for GDPR or not.
For instance, Kitely has already taken some steps to comply with GDPR and will be in full compliance once the regulations come into effect, Kitely CEO Ilan Tochner told Hypergrid Business.
“We’ve already developed some of the capabilities we’ll need for supporting the right to be forgotten as specified in the GDPR,” he said. “Most of the upcoming technical changes will be in our back-end and how we handle user data.”
Kitely is currently the largest commercial grid by land area, according to the latest stats, and one of the top ten grids by traffic numbers. It also runs the Kitely Market, which delivers to more than 200 other grids. So there’s a lot of information there that they collect about their customers — and a lot at stake if they don’t get up to speed.
Take for example, the question of protecting the data.
That doesn’t just mean encrypting everything. Grids also have to be careful about how they store the passwords and keys that unlock that data.
Kitely Welcome Center. (Snapshot by Maria Korolov.)
“It’s important to ensure that the keys used to access them aren’t just stored in plain text on the same storage device,” said Tochner. “Otherwise the database table encryption won’t be worth much when confronted with a knowledgeable hacker.”
And everything has to be done in such a way so it doesn’t interfere with operations.
“We’ll aim to minimize the amount of user-visible changes so as not to reduce the functionality our services provide,” he said.
Are the vendors ready?
For some grid owners, the new regulation is yet another reason to use outside services for as much as possible, and just stick to what they do best — community building, content, events, support, and marketing.
“Any external vendor you use that has access to your users’ personal information should be GDPR compliant or your service can’t be GDPR compliant as well,” said Tochner.
ZanGrid Hypershopping I and II regions are Gloebits enabled. (Image courtesy ZanGrid.)
For example, many grids have recently begun using the Gloebit virtual currency platform, which offers a single, hypergrid-enabled currency that can be used on any participating grid.
Gloebit itself uses third-party services to handle most of the payment information it gets from its users.
“And anything that we consider personally identifiable information, we encrypt in our databases so that if any malicious actor ever did manage to copy some user rows, they wouldn’t get any information on any user,” Gloebit CEO Christopher Colosi told Hypergrid Business.
Full details of how GDPR will be enforced and how it will affect OpenSim companies are yet to come.
“Hopefully the regulation is written so that complying is not overly onerous for small businesses,” he added.
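Tochner’s point about not keeping the keys on the same storage device as the encrypted tables, Kitely’s work on the right to be forgotten, and Colosi’s description of encrypting personally identifiable columns so that copied rows reveal nothing all come down to one design: a key hierarchy, with a master key held off the database host and per-record data keys stored only in wrapped form. The following is an added Python illustration written for this article; it is not code from Kitely, Gloebit or any grid. It assumes a hypothetical users table held as dicts, and it uses an HMAC-SHA256 counter-mode stream cipher with an HMAC tag as a standard-library stand-in for AES-GCM so it runs offline; a production system would use AES-GCM from a vetted library and fetch the master key from a KMS or HSM. It goes one step beyond the quotes by giving every user their own data key, so that destroying that key makes the user’s data unrecoverable (crypto-shredding), which is one way to implement the right to be forgotten.

```python
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16
TAG_LEN = 32
PII_FIELDS = ("email", "ip")  # columns treated as personal data (assumption)


def new_master_key() -> bytes:
    # Key-encryption key (KEK). In production this comes from a KMS/HSM and
    # never sits on the same disk as the database; here it is just random bytes.
    return secrets.token_bytes(32)


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-GCM).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; output layout is nonce || ciphertext || tag.
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    # Check the tag first: a wrong key or a modified ciphertext raises.
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or corrupted data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


def encrypt_user(kek: bytes, user: dict) -> dict:
    # Each user gets a fresh data-encryption key (DEK). The PII columns are
    # sealed under the DEK; the DEK itself is stored only wrapped under the KEK.
    dek = secrets.token_bytes(32)
    row = dict(user)
    for field in PII_FIELDS:
        row[field] = seal(dek, user[field].encode()).hex()
    row["wrapped_dek"] = seal(kek, dek).hex()
    return row


def decrypt_user(kek: bytes, row: dict) -> dict:
    # Unwrap the DEK with the KEK, then open the PII columns.
    if row.get("wrapped_dek") is None:
        raise KeyError("data key was shredded; PII is unrecoverable by design")
    dek = unseal(kek, bytes.fromhex(row["wrapped_dek"]))
    user = {k: v for k, v in row.items() if k != "wrapped_dek"}
    for field in PII_FIELDS:
        user[field] = unseal(dek, bytes.fromhex(row[field])).decode()
    return user


def can_decrypt(kek: bytes, row: dict) -> bool:
    # True only if this KEK unwraps the row's DEK and the row is intact.
    try:
        decrypt_user(kek, row)
        return True
    except (ValueError, KeyError):
        return False


def forget_user(row: dict) -> dict:
    # Right to be forgotten by crypto-shredding: destroying the wrapped DEK
    # leaves the ciphertext columns unreadable wherever they were copied,
    # provided the wrapped key itself is not retained in backups.
    shredded = dict(row)
    shredded["wrapped_dek"] = None
    return shredded


def dump_leaks_pii(rows: list, pii_values: list) -> bool:
    # Would a raw copy of the table (the scenario Colosi describes) expose PII?
    dump = json.dumps(rows)
    return any(v in dump for v in pii_values)


if __name__ == "__main__":
    kek = new_master_key()
    # Constructed sample user: documentation IP range and example.org address.
    user = {"id": 1, "avatar": "Demo Resident", "email": "demo@example.org", "ip": "203.0.113.7"}
    row = encrypt_user(kek, user)
    print("raw dump leaks PII:", dump_leaks_pii([row], [user["email"], user["ip"]]))
    print("decrypts with KEK:", decrypt_user(kek, row) == user)
    print("decrypts with other key:", can_decrypt(new_master_key(), row))
    print("decrypts after shred:", can_decrypt(kek, forget_user(row)))
```

The separation that matters is between `new_master_key()` and everything stored in the row: a copy of the table carries only ciphertext and wrapped keys, so an attacker with the database alone is in the position Tochner and Colosi describe as harmless, whereas a master key stored beside the data would collapse the scheme to plaintext. The `forget_user` step shows why per-user keys are worth the bookkeeping: one deleted value satisfies an erasure request without hunting down every row or backup that holds the ciphertext.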
Another vendor that is taking GDPR seriously is Dreamland Metaverse, one of the oldest and most respected hosting companies in OpenSim.
“Dreamland Metaverse has always protected customer data using state-of-the-art security technologies and well defined operational processes, and we will continue to do so,” Dreamland Metaverse founder Dierk Brunner told Hypergrid Business.
The grid is already up to speed when it comes to communicating with users about how their data is used and if there’s a breach.
“We inform our customers about any issues affecting them as soon as possible,” he said. “Beside this, we did already document our operational tasks in a log book to have a data source to constantly improve our operational processes.”
How big a problem is this?
Will the European Union really go after a tiny virtual world for minor non-compliance issues?
“Probably not, but all it would take would be one disgruntled grid user not happy with a grid for failing to protect the data or not allowing the user access to their personal data, including the right to be forgotten, and a report could be made to the authorities,” said Avalonia Estate’s Ireman. “So who knows.”
Even non-commercial and not-for-profit grids will need to comply for as long as they process personal information and allow sign-ups with real identities.
“Again a best guess: as the GDPR applies to charities and other non-profit making organizations just as much as to commercial businesses, this would apply to non-profits such as OSGrid, as it allows sign-ups from EU citizens,” he said. “In fact the regulation makes clear it doesn’t matter if the goods or services are provided for a fee or free of charge.”
If your grid isn’t prepared, it’s not alone.
Only 21 percent of IT professionals and executives say they have a good understanding of what GDPR means in practice and only 18 said they understood what data their company has and where it lives, according to a recent survey by Commvault, a data backup, protection, recovery and management provider who also helps companies prepare for