Several intrinsic contracts happen within the world of community building. Communities often bring a lot of good to people’s lives and tend to come with an exchange of information, shared knowledge, and data.
As a community builder — you are in a position of trust to ensure that the community you’re working with remains safe, healthy and trusted for time to come.
In order to retain trust within the community — the community industry as a whole should make sure to take a stand for security, safety, compliance, and privacy.
If we don't — community builders could bring havoc and even potentially physical, financial, and/or legal harm to our community members.
But what do these steps even mean within the context of community building?
Practical advice and implementation haven’t always kept up with the status quo. And, like many other things when they hit the mainstream lexicon — these topics are also now more susceptible to hype, jargon and technical brouhaha that may not be present otherwise.
Have no fear — we’re going to break it down plain and simple, and provide a no BS way to getting your footing (and keeping you and your community safe).
When we talk about security, safety, compliance, and privacy — at the end of the day, it comes down to trust.
Before we dive into the how we keep our community safe — it’s important to dive into the what and why as well.
What exactly do all these terms mean?
It’s easy to conflate these terms and use them interchangeably, but by getting into specifics, we can provide direct solutions to each of the above rather than vague generalizations. For example, creating a safe and secure community is essential — a community may appear very safe at first and seem not to need guidelines or moderation, but that does not make it secure; security means having proper protection measures in place that keep the community safe. Using the specific terms allows us to break down just how we're healthily building these communities.
Every time we communicate with someone, we learn more about them. It can be as innocuous as simply knowing they have a cat — or something as complex as their deepest darkest secrets.
The fact of the matter is — whether it seems silly or serious, it’s important to keep whatever someone has trusted you with safe and secure. And not just because someone doesn’t want their dirty laundry aired out with the community — but because of compliance and security.
In recent years, market forces and a barrage of (rightly so) fired-up activists have pushed legislators around the globe to pass a series of laws dictating what and how companies can and cannot use your data, specifically personally identifiable information (PII).
PII, which is protected by laws we’ll dive into later, is data that may directly or indirectly identify a natural person. This could be someone’s name, contact info, purchase habits and preferences, location, contacts, and a barrage of similar data that would make someone findable on the web.
As community builders — this is the type of data that we use on a day-to-day basis to foster connections or understanding within a community. However, it is more important than ever to think through how this data is being stored and shared — with legal enforcement on the line, we need to be honest with ourselves about how well we are handling it.
In 2018 — you probably received a barrage of emails in regards to two laws passed — one in Europe known as GDPR or the General Data Protection Regulation and one in California titled CCPA or the California Consumer Privacy Act.
These policies introduced strict enforcement requiring companies and organizations to not only tell you how they’re planning to use your information, but to have you explicitly consent to how they are going to use it, and to do so in layman’s terms — among other increased protections for users, including a user’s right to be forgotten.
While the laws have different nuances and enforcement tactics, they have started to outline and guide companies and organizations on how your data is used and what protections users have about it. That’s right — users often implicitly trust you to protect their data and keep it safe.
And if users aren’t implicitly trusting you — they may be explicitly trusting you. Many organizations require that their vendors comply with these laws and regulations.
While legal trust is what is typically enforced, community builders often are faced with different privacy and identity issues as well.
The internet is an amazing place, and many folks have found communities or places where they belong online, where they might not belong in the offline world. This means that community members may use an alias or an alternate identity when navigating certain spaces.
Certain communities may also be discussing more sensitive or delicate topics as well, where someone might not be comfortable talking about it publicly.
Community builders at times will be privy to information that would reveal these aliases, or come across sensitive conversations that are happening within these communities. It is of the utmost importance for members’ safety that their identity and other personally identifiable information are not revealed without their explicit consent.
Every login, Slack message, tweet, photo, Discord message, text, NFT, and even, dare I say, courier pigeon gives away a little bit more about ourselves — from the words that we use to communicate to how we communicate them.
But what about all the little steps in between? Who else might have our information (and the information of our community members)?
With the rise of community, we’ve seen a rise of community tools as well — everyone is trying to find a new way to improve the day-to-day grind. This makes us (and subsequently our community’s data) a prime target for anyone seeking to maliciously use our data.
We often overlook all the third-party apps and tools that we use to help us on our journey to build better communities. As community folks - we must be vigilant in the different tools we use, how we use them, and what access they have to not only our data but our community’s data.
Set up safeguards for yourself, or if you’ve got one, chat with your compliance and security team; they often have deeper knowledge and insight into what’s happening in these spaces.
As a community builder — oftentimes you are a sort of treasure trove of knowledge about your community. Birthdays, celebrations, career milestones, and other opportunities all come to mind as that top-of-mind data that you get when you’re building community.
Add this on top of any information you might be privy to based on your role in your organization as well. Community builders have a lot of knowledge bouncing around in their brains.
Every time that you share something, even something that seems innocuous, or share something via a private message, you open yourself up to further vulnerabilities.
A rule I’ve taken from the journalism world: don’t conduct yourself in a manner or share information that you’d be embarrassed to see on the front page of the New York Times.
It’s quick to have the perception of trust and privacy online — platforms tell us these details are secret, trusted, and safe, but are they really?
DMs, Slack messages, and private conversations held in public spaces — you’re merely a screenshot or recording away from it being exposed to the world. Be conscious of what you’re sharing with whom, and who is at risk when information leaks.
We’ve spent a lot of time diving into all the different ways that we should investigate our own behavior and set up safeguards within our own practices and for our own community — but how are we communicating that we, and the community and products that we work with, can be trusted?
Security, safety, compliance, and privacy are no longer a nice-to-have, but a need-to-have. Aside from the 6-figure monetary fines that can happen if your practices aren’t compliant — users are now more aware of data best practices and more likely to participate in communities that are trusted.
It starts with transparency – share what you’re up to, what you’re doing, and how you’re doing it. Then, follow through. Do what you say you’re going to do.
These actions of trust start on a small scale. Be human, be transparent, share what you know and what you don’t know. Provide ways for folks to learn more or reach out. Make yourself available for questions. If you can’t answer the questions — find someone on your team who can.
Trust doesn’t happen overnight, how your community carries itself and the smaller interactions and intricacies within your community are important in creating an environment where trust is the norm.
In community building — you’re likely to encounter two different types of entities as categorized by GDPR: Data Controllers and Data Processors. While it seems a bit semantic, it’s important to understand how these types of entities differ and what risks you’re putting your community at with each.
Data Controllers are a legal or natural person, an agency, a public authority, or any other body which, alone or jointly with others, determines the purposes and means of processing personal data.
Put simply — data controllers determine why data is needed and how that data is used and processed.
Data Processors are a legal or natural person, an agency, a public authority, or any other body which processes personal data on behalf of a data controller.
Orbit falls into the data processor class, as do tools like certain payment gateways, Google Analytics, or other metrics/measurement software.
Be mindful of what tools you’re using and seek clarity from your security team on whether each one is a data controller or a data processor. For context — PayPal is both a data controller and a data processor depending on how it is being used. Also note where your data is being stored — different countries set different precedents as far as data sovereignty goes.
It is important to keep in mind — wherever your community data is coming from — that people have consented and opted into communications with you. This can be more implicit, like a follow on Twitter, or more explicit, through a sign-up form or registration.
As a community builder (and possibly a community builder that is using Orbit), we should make sure that the following are not just something that we think about, but also something that we act on.
As a community builder, it’s important to make sure private things stay private. From your logins and conversations to the community data itself — even something as seemingly innocent and innocuous as a screenshot, or sharing a password with a coworker without the right security precautions, can lead to data breaches and leaks.
You’re in a position of trust (and possibly liability) if something were to get out.
You’ve likely heard this before — but password managers are your friend. Use a password manager AND multi-factor authentication (MFA) or Single Sign-On (SSO) in order to make sure even if someone DOES get your password, you’re still good to go. Change your passwords on a regular basis and don’t share them with others.
Anytime that you add an integration, software, or additional tool — you make yourself (and your organization, teammates, and members) more open to vulnerabilities.
At Orbit — before using any new tool, we fill out a security checklist that is run by our security team in order to make sure everything is secure and we’re not putting our members at risk by using it. It’s important to really read those terms and conditions (like really read them) and understand what you’re giving the tool access to read and to do. Many seemingly benevolent apps can actually have very perilous implications. Talk to your team and see if they have a security checklist in place — if they don’t, talk to your team about making one.
We get that you need to share reports and what’s happening in the community with team members, your boss, or potentially other stakeholders. Putting in the right safeguards and sharing secure links to information, instead of screenshots, helps keep your community safe when you share reports.
How to share reports in Orbit
Have you received a GDPR request such as a right to be forgotten notice? This isn’t something to shrug off; if not handled correctly, you could be liable to the tune of fines in the hundreds of thousands of dollars and other legal headaches. Contact your security team and make sure that you are documenting notices and acting on them appropriately.
Deleting + Blocklisting members within Orbit
Sometimes you need to delete or even blocklist a member within the community. Here’s how to ensure that you can effectively do so when you receive a request to “opt out” someone from all communications.
Security, safety, compliance, and privacy are all things that we take very seriously at Orbit, not only for the folks who use our product but for the people we work with and the community we collaborate with. We love to practice just as much as we preach.
On top of constantly analyzing our own security, we also require industry best practices internally, including mandatory SSO and 2FA on devices, frequent security reviews, and being extremely mindful of how we handle sensitive data in all contexts. Our team is SOC 2 compliant and upholds industry standards for compliance as well. (Curious to get into details? Contact our security team.)
For community builders, sometimes the last thing you want to do is fill out a vendor checklist or justify security controls — but knowing what those checklists are for and why your security or compliance teams are asking those questions lets you fill them out better and faster, and helps keep your community safe.
My recommendation? Follow industry best practices, and when it comes to compliance, make sure you have someone available who understands your organization's specific legality and compliance requirements (thanks, Jindrich!).
If you think security, safety, compliance, and privacy aren’t worth investing in? Think again.
More and more users and organizations are doubling down on security and privacy and requiring this of all of their vendors. More people than ever before are getting online, and we’ve come to move even more of our lives online from ecommerce, to education.
We also saw an explosion of online communities across a variety of industries. From groups organizing around healthcare, mutual aid, and even activism, there are more data points and potential vulnerabilities bouncing around the internet than at any other point in history.
Community builders have to do their part not only because it’s a best practice or because of increased enforcement of regulations — but rather because the fate of our online world depends on it.
Building healthy communities requires that we treat security, safety, compliance, and privacy as an ongoing focus.