GDPR discussion thread

Come to think of it, anonymizing things such as past analytics strikes me as ethically unsound. If it happened, it happened, and you want the evidence to clear yourself.
 
Hi all,

Thanks for the insightful discussion. I run a forum of 4,000 members which is private and doesn't make money. I am concerned by the new regulations as this is just a hobby for me and I don't want to get on the wrong side of the laws... these XenForo updates make it easier to comply, but I really don't want to run the risk of getting into trouble, especially as the forum isn't a business and everything comes out of my own pocket... it isn't worth the hassle. I have been seriously considering (and still am) shutting down the forum.

I had an issue with one user who decided to go back and edit all of his posts to remove everything and he requested his account to be deleted. It caused such a headache as he had many posts and now some threads make no sense. I banned and deleted his account. Just made me realise it only takes one pissy user to cause problems especially with this coming into effect.

Not sure what route I'll take.
 
This has nothing to do with GDPR.

It was your mistake to let users edit or delete their content without a limit. What you should learn from it is to limit editing of content to 30 minutes or an hour. After that, members should have to contact you if they want any edits. Also state in your TOS that editing of content is allowed for 1 hour only.
 
Absolutely. No offence, but you're better off looking at how you can prevent that kind of behaviour in future rather than just shutting up shop and going home.
With 4k members (active?) chances are you've put a lot of work, effort and time into this. Don't be scared off by GDPR. Rather, do some reading, learn what you can and use the resources here (forums and threads) to try to ascertain answers to your questions.
Minefield it may be, but it's just not worth throwing the towel in over something like this. I agree with @HWS that better management of the permissions would help prevent such things from recurring. :)
 
I was half expecting such a reply. Yes, it was my mistake for not changing the time limit for editing posts although I have rectified this after the incident and made users aware of the new rule.

That example I gave was simply to highlight a headache I had with a disgruntled user. He made threats if I didn't delete his account and his content. Now I understand I must delete his account, but do I have to delete his content and ruin a lot of good threads? Regarding personally identifying info, must I then edit each and every post that had his username tagged?

@trapped_soul, not all 4,000 are active but there are around 200 active users per day. It's a very specific sub community with many users checking in once a week or so... my concern is/was that I may do something wrong by mistake or miss some small detail and end up getting legally shafted from it.
 
You can change the username before deleting/banning to something obscure like memberABC. The latest releases (BETA) allow anonymisation of this too.
Remembering now, a lot of this is about explicit consent with email marketing, PII and so forth.
IP, Email and any other such things are of course par for the course with regards to collecting. What you do with it is something else.
You also have rights to ban and still go by your retention periods for banning. The ICO confirmed this with me on the phone - that you have to use what you already have in place for DPA and good practices when banning someone.
If they want their account removed then again, you do not have to (if say a problematic member) but you should and in doing so should also remove any PII.
A bog standard name like mine for example, doesn't reveal any.. whereas Joe Bloggs may well do.
I am sure that if you slowly and steadily, read some things on this - you will be fine.
The recent tools by XF definitely help with this.
In a nutshell; if you practice good DPA now? Then there's not that much to worry about in reality - only focusing on marketing emails et al. (in essence)
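The procedure this reply and the earlier question about tagged usernames describe, as an added example that is not XenForo's or the poster's code: rename the account to an obscure handle, blank the PII, rewrite @mentions in other members' posts, and keep only a keyed hash of the IP for the ban's retention period. The Member/Post records, the hash key and the 365-day retention are constructed assumptions.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from datetime import date, timedelta

BAN_HASH_KEY = b"example-secret-replace-me"  # assumed; keep it outside the database
BAN_RETENTION_DAYS = 365  # constructed retention period; set by your own policy

@dataclass
class Member:
    user_id: int
    username: str
    email: str
    ips: list
    banned: bool = False

@dataclass
class Post:
    author_id: int
    body: str

def pseudonym(user_id):
    # Deterministic "memberABC"-style handle, so every mention maps to one name.
    return "member" + hashlib.sha256(f"member:{user_id}".encode()).hexdigest()[:6]

def ip_fingerprint(ip):
    # Keyed hash: can match a re-registration from the same address without storing it.
    return hmac.new(BAN_HASH_KEY, ip.encode(), hashlib.sha256).hexdigest()

def anonymise(member, posts, today_iso):
    """Rename the account, strip PII, rewrite @mentions, keep only ban data."""
    new_name = pseudonym(member.user_id)
    mention = re.compile("@" + re.escape(member.username) + r"\b")
    rewritten = [Post(p.author_id, mention.sub("@" + new_name, p.body)) for p in posts]
    ban_record = None
    if member.banned:
        expiry = date.fromisoformat(today_iso) + timedelta(days=BAN_RETENTION_DAYS)
        ban_record = {"ip_fingerprints": sorted({ip_fingerprint(ip) for ip in member.ips}),
                      "delete_after": expiry.isoformat()}
    # Posts keep their author_id, so threads stay intact under the new name.
    anon = Member(member.user_id, new_name, "", [], member.banned)
    return anon, rewritten, ban_record

def matches_ban(ban_record, ip, today_iso):
    # Honoured only inside the retention window; afterwards the record should be purged.
    if ban_record is None or today_iso > ban_record["delete_after"]:
        return False
    return ip_fingerprint(ip) in ban_record["ip_fingerprints"]
```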
 
I appreciate the reply, I've been reading up and will continue to do so. I don't do any email marketing or send emails to users (only automated emails on registration, or forgotten passwords).

I will try my best to cover everything... I just don't want to be screwed over for potentially missing something, especially as the forum doesn't benefit me in any way, it benefits the users. I hope that makes sense.

Thanks.
 
I'm not an expert in this by any means okay? Any doubts then definitely check. I've been trying to get along with it myself since mid-last year.. and have hit a few snags along the way.
The only thing I would say is remember that this is definitely not a new legislation to hit smaller sites and hobby sites. More like the big boys who genuinely DO need a shakeup on such matters. That doesn't mean we're not to follow suit though of course.

Yes makes perfect sense to me. :)
There's plenty of resources among the forums with advice and specific quotes if need be.
Good luck..
 
Yes.

The rules on cookies are in regulation 6. The basic rule is that you must:
  • tell people the cookies are there;
  • explain what the cookies are doing and why; and
  • get the person’s consent to store a cookie on their device.
 
What is the story with IP details? Can we keep them stored to stop banned members re-signing up, or is it part of GDPR that these must be deleted with a user request?

Thanks
 
I note the latest (GDPR compliant) version has the option to export member data in XML format, which is great. Should this not also include member warnings, as that would seem to me to be data that members have the right to know about and view?
 
No. This is about data portability, and that data has no relevance to third parties into which you may want to import the data.
 
What is the story with IP details? Can we keep them stored to stop banned members resigning up, or is it part of GDPR that these must be deleted with a user request?

Thanks

If you have a legitimate interest in storing details, then you don't have to delete them.
 
Hi,

Regarding "Default Registration Values" under "User Registration" options, should we disable "Receive site mailings" by default?
What about "Receive email when a new conversation message is received"?

The first one I think I need to disable, the last I'm in doubt.
What's your opinion?

Thanks
 
What is the story with IP details? Can we keep them stored to stop banned members resigning up, or is it part of GDPR that these must be deleted with a user request?

Thanks
https://gdpr-info.eu/recitals/no-47/
1. The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.
2. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.
3. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.
4. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.
5. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks.
6. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.
7. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

I've highlighted the parts that I think pertain to almost everyone here or anyone who runs a forum. Number 4 is a bit obscure and left to the imagination; I'm going to interpret it as "not being annoying sending emails, not selling my data to another company, etc." We have sent out about 4 "site update" emails in the past year... I think it falls within reasonable expectations. Then we have number 6, preventing fraud; this applies to those banned members, I believe. And last but not least, it appears "direct marketing purposes" is a legitimate interest to hold on to the data.

Now, I could be interpreting this entire page incorrectly because... let's face it, the wording in all of this is so obscure and sketchy that it leaves us to imagine up ways to protect our business models (whether that be to protect other members from sketchy members, spammers, etc.). I think that's the point with all legislation... to make it obscure to the point where fines can be sent out and put SMBs out of business, creating an internet of a few monopolies... at least until there are cases that create a legal precedent, making these waters a little less murky.
 
Does XF 2.0.6 introduce an option to obtain user consent for a specific use such as Google Adsense? Apparently, Google instructed the publishers to do so. Maybe I am wrong though.
No it doesn't.

XenForo provides ad templates that can be used by forum owners (though they often aren't). When they are used, they can be used with any ad provider that a forum owner chooses - it may be Google Adsense but it can be other providers or even custom ads. XenForo has no control over whether and how a forum owner uses their ad templates. It is therefore up to the forum owner to sort out any user consent that may be required. Note that for Google Adsense you can choose to serve non-personalised ads once Google implement this feature (which won't come until 25th May).
 