[Lack of interest] GDPR: Data retention for banned accounts

This suggestion has been closed automatically because it did not receive enough votes over an extended period of time. If you wish to see this, please search for an open suggestion and, if you don't find any, post a new one.

RobParker

Well-known member
In relation to the discussion here: https://xenforo.com/community/threads/gdpr-discussion-thread.142396/page-27#post-1277630

The ICO made it clear that it's unacceptable to have an "indefinite" retention period for banned account data.

This means we need a way to either automatically or manually review accounts after the retention period.

Possible solutions:

1) Notify admin that "$account has been banned for $retention_period, please review their personal data" automatically based on a cron
2) Have an option in the batch update user tool to automatically remove DOB and email address (in the same way that it currently allows you to remove avatars, etc). This would still need to be run manually but it makes wiping the data easier.
 
Upvote 4
This is what the ICO replied to me regarding this:

The ICO is not able to provide a considerable time guideline for an organisation to retain data. The GDPR does not dictate how long you should keep personal data, it is up to you, as the organisation to justify this, based on your purposes for processing and why you need to keep personal data in a form that permits identification of individuals. You are in the best position to judge how long you need it.

You should consider any legal or regulatory requirements, and relevant industry standards or guidelines. For example credit reference agencies are permitted to keep consumer credit for six years.

The approach you take should be proportionate, balancing your needs with the impact of retention on individuals' privacy. The retention period should be fair and lawful.

Finally, the countdown for a retention period would be, using your example of banned accounts, from the date the account was banned and you would explain to the individual requesting their information to be deleted that it is kept for XXX amount of time and justify why.

The retention period for the banned accounts can be different from the retention period for closed accounts. It is important to note that once the retention periods are set they are to be clear within your privacy policy.
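Putting the two posts above together (the cron-based review and batch scrub proposed in the suggestion, and the ICO's point that the countdown runs from the ban date), here is an added example of what such a retention job could look like. This is illustration code written for this thread, not XenForo's own code or add-on API; the BannedAccount record, the 365-day retention figure, the sample accounts and the "today" date are all constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Iterable, List, Optional

# Assumed policy value for illustration only; the real figure is whatever the
# site can justify and has published in its privacy policy.
RETENTION_DAYS = 365
# Fixed "today" so the stand-alone run is reproducible (constructed).
TODAY = date(2019, 6, 1)


@dataclass(frozen=True)
class BannedAccount:
    """Minimal stand-in for a banned user record (constructed; not XenForo's schema)."""
    user_id: int
    username: str
    email: Optional[str]
    dob: Optional[date]
    banned_on: Optional[date]                 # None if the ban date was never recorded
    data_reviewed_on: Optional[date] = None   # set once personal data has been reviewed


def retention_expired(account: BannedAccount, today: date,
                      retention_days: int = RETENTION_DAYS) -> bool:
    """The clock runs from the ban date (as the ICO reply states), not from
    registration or last activity. A missing ban date is treated as expired:
    there is no date from which continued retention could be justified."""
    if account.banned_on is None:
        return True
    return today - account.banned_on >= timedelta(days=retention_days)


def accounts_due_for_review(accounts: Iterable[BannedAccount], today: date,
                            retention_days: int = RETENTION_DAYS) -> List[BannedAccount]:
    """Cron-style pass: every account past retention that has not been reviewed.
    Already-reviewed accounts are skipped, so running the job twice is harmless."""
    return [a for a in accounts
            if a.data_reviewed_on is None and retention_expired(a, today, retention_days)]


def review_notice(account: BannedAccount, today: date,
                  retention_days: int = RETENTION_DAYS) -> str:
    """Admin notification text in the shape option 1 of the suggestion proposes."""
    if account.banned_on is None:
        return (f"{account.username} (id {account.user_id}) is banned but has no "
                f"recorded ban date; please review their personal data")
    days = (today - account.banned_on).days
    return (f"{account.username} (id {account.user_id}) has been banned for {days} days "
            f"(retention period {retention_days} days); please review their personal data")


def scrub_personal_data(account: BannedAccount, today: date) -> BannedAccount:
    """Option 2 of the suggestion: drop only the fields it names (DOB and email),
    keep the ban record itself so the ban stays enforceable, and stamp the review."""
    return replace(account, email=None, dob=None, data_reviewed_on=today)


def run_retention_job(accounts, today=TODAY, retention_days=RETENTION_DAYS,
                      auto_scrub=False):
    """Returns (notices, updated_accounts). With auto_scrub=False the job only
    notifies admins; with auto_scrub=True it also scrubs the flagged accounts."""
    due = accounts_due_for_review(accounts, today, retention_days)
    due_ids = {a.user_id for a in due}
    notices = [review_notice(a, today, retention_days) for a in due]
    updated = [scrub_personal_data(a, today) if auto_scrub and a.user_id in due_ids else a
               for a in accounts]
    return notices, updated


# Constructed sample data for a stand-alone run: exactly at the limit, well
# inside it, no ban date recorded, and one already reviewed.
SAMPLE_ACCOUNTS = [
    BannedAccount(1, "spammer01", "spam@example.invalid", date(1990, 5, 1), date(2018, 6, 1)),
    BannedAccount(2, "recent_ban", "r@example.invalid", date(1985, 1, 9), date(2019, 5, 20)),
    BannedAccount(3, "nodate", "n@example.invalid", None, None),
    BannedAccount(4, "done", None, None, date(2017, 1, 1), data_reviewed_on=date(2018, 2, 1)),
]

if __name__ == "__main__":
    for line in run_retention_job(SAMPLE_ACCOUNTS)[0]:
        print(line)
```

Two design points worth noting: the job flags an account with no recorded ban date rather than silently keeping it forever, since an unknown start date is exactly the "indefinite retention" the ICO objected to; and the scrub removes only DOB and email while leaving the user_id and username, so the ban record that the later post in this thread cares about is not what gets deleted.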
 
Just wait until the EU implements their new laws against abuse, hate speech, etc. Then this will become a whole new ballgame.
https://xenforo.com/community/threa...ies-required-to-take-websites-offline.152859/
Protecting your community against abuse is much more important than data protection. For example: if you ban a neo-Nazi for posting racial slurs and hate speech, then they want you to unban him after X time? I think not. IMO what the ICO is saying is not realistic and cannot work in practice.

You can either retain data and protect against abuse OR not retain data and not protect against abuse. It's as simple as that.
 