User with 8,000+ posts requesting post deletion per GDRP

[BlueGreen91]

Hi everyone, I hope some of you can help. Our forum recently received a post deletion request citing GDPR, and the user has 8,000 posts. It is difficult to remove this many posts and having to do a query to remove them all will definitely cause the server to crash, so we will probably have to take the website offline to do it.

Am I correct in assuming I can delete this user's account and anonymise their posts? Or would post deletion still be required to comply with GDPR?

 

[Mr Lucky]

Yes, just delete the user account and rename to a number or something.

You don't need to delete their posts. You cannot delete 8000 posts without destroying a lot of the threads, nor do you need to under GDPR.

You can ask them to identify any posts that have PI, e.g. phone number, email, address DOB or other identifying factors. That would cover you .

 

[StarArmy]

You may run into a case where the username is still visible in posts that mention or quote them, so you may want to also what to set up a wordfilter (censoring) that changes the deleted user's username into something like "Deleted User" so to cover those edge cases as well.

 

[punisher1]

Rename his account, e-mail, password and remove every post that points him that he is the account owner and then ask him what account he is talking about? He's surely don't have an account in your forum.

 

[Digital Doctor]

having to do a query to remove them all will definitely cause the server to crash,

Did you know about this one ?

Resource icon

Post Content Find / Replace

Oct 19, 2017

Allows an administrator to do a regular expression find and replace in the content of all posts.

• XenForo
• Add-ons [2.x]

 

[Wildcat Media]

We've only had a few former members get really prickly about having their posts deleted (although one was a good member and needed his posts deleted due to the possibility of losing licensure at his job), and that was back in our vB days, where we could simply put the user into "Coventry" and their posts would not appear to anyone but themselves. So when I moved to XF back in 2012 (?), I ran a query to soft delete all of their posts (it's just a matter of changing one "flag" in a database column, I believe). Having said that, we've never done that since then, and we just tell them the above--we'll anonymize the username and clear out their account data.

 

[Zwielicht]

I used to have to do this for a large forum. Whenever this was handled, it always just seemed to be enough to rename the account to “DeletedUserXXXX” and not remove or edit any of the existing posts. The only time posts were edited was if someone posted the eir real name or their details in the post.

 

[zappaDPJ]

Pretty much in accordance with what's already been said I don't immediately delete any content but ask the member to identify content that contains their PII. I also make it clear that once their account has been anonymized and the specified content deleted, it's an irreversible process.

There are two reasons for this. Firstly under GDPR deletion is intended to be an irreversible process but secondly on some occasions it has caused the member to reconsider their request. In my experience GDPR requests often come from disgruntled members who on reflection may have a change of mind.