GDPR - What does it mean for the forum owner?

Discussion in 'Site Security & Legal Issues' started by Shin Ryoku, Mar 18, 2017.

  1. Maddox

    Maddox Habitué

    Many thanks - I'm using Pixel Exit's Flat awesome + on XF2 with Xenporta 2. Some modifications in the style settings and a couple of bits of CSS code in the Extra.Less file and that pretty much got it sorted. Oh and some changes in the phrases lol. Still a WIP with loads more content to go in.

    I'd really like to get this GDPR crap sorted though, it's a total distraction.

    :)
     
  2. Maddox

    Maddox Habitué

    1,253
    407
    +972
    Here is another resource that may help to guide you towards GDPR compliance. I've not had time to register and download the toolkit as yet, too much happening today, but I will in due course:

    https://www.nymity.com/gdpr-toolkit.aspx

    :)
     
  3. R0binHood

    R0binHood Habitué

  4. Maddox

    Maddox Habitué

    OK, just to throw some more wood on the fire with regard to this new GDPR. Do you keep paper records? Are you using a CRM? Do you keep client contact information on your mobile? All of these come under the umbrella of the GDPR; it's not solely about Internet usage, though that has been the main focus. I have several clients who use all of these models and compliance with the GDPR is stretching the limits of their endurance, not to mention distracting them from their main focus, running their business.

    Here's an interesting link for paper records: https://www.orsgroup.com/news/compliance/how-the-gdpr-affects-paper-documents

    One for running a CRM: https://www.qgate.co.uk/blog/gdpr-and-crm-system-compliance/

    And another for mobile phones: https://blog.lookout.com/compliance-gdpr-mobile-security

    Isn't this fun? Not!

    :(
     
  5. we_are_borg

    we_are_borg Administrator

    GDPR is for everything. But private stuff is excluded, so keeping records of family and friends does not fall under GDPR. Only when it has to do with activity like forums and so on does it fall under GDPR.
     
  6. Maddox

    Maddox Habitué

    That is true for family and friends, but a lot of people keep paper records of transactions, invoices, etc. Also a lot of people in business keep client contact details on their mobiles, and some small- to medium-sized businesses (some of which may be forum owners) may use CRM software that has personal details on record. So whilst we are mainly concerned with the responsibility of forum owners, some of those owners may be affected by other data storage mediums; so it's worth pointing this out.

    ;)
     
  7. feldon30

    feldon30 Adherent

    This is like the 3rd time you've called people having a PRIVATE conversation on a forum who mention private information (e-mail, phone, age, health status, other personal details) as not having sense.
    You keep saying that, but this law crosses well into the realm of regulating thought. For instance if I have a Skype exchange with another moderator about a particular user who is being extremely disruptive, do we have to keep that e-mail exchange under data protection and keep records of that conversation to be challenged in a court of law?

    The folks writing these laws seem to have no limits put upon them such as reality and an understanding of human behavior. They don't care that they are shouldering small (often free) websites with compliance costs which large businesses can easily absorb. It reminds me of the silly cookie law. I do not have the ubiquitous "cookie popup" on my sites, but if I was forced to put one, it would say:

    Like all websites, this one uses cookies. EU regulations require us to notify you of this fact. This website also uses HTML and CSS. We are not yet required to make you aware of this.
     
    Last edited: Apr 9, 2018
  8. Maddox

    Maddox Habitué

    1,253
    407
    +972
    I do not, and never did, imply that people have NO SENSE - but we can often display a lack of sense in the heat of the moment. And yes, we shouldn't blow it up to be more than we assume; assumption is a demon that plagues us, so before blowing things up and out of proportion you have to investigate. There were things that I assumed about the GDPR that were wrong, so after some investigation I am better placed to understand what is required in various circumstances; that in no way implies that I am an expert - we all live and learn.

    As for cookies, I have learned that a simple notice at the bottom or top of your site is not enough; this was discovered through more investigation on my part. For example, if you drop cookies onto someone's device 'before' they accept your cookie notice, that is not allowed when GDPR comes into effect. There has to be a mechanism that allows a visitor to opt in rather than opt out, so if you are dropping cookies before they opt in you're breaking the law. I found that out by investigating; beforehand I 'assumed' (wrongly) that a cookie notice like we use now was sufficient alongside an appropriately worded cookie policy. Do you know if cookies are dropped before they accept the notice?

    This is a vastly complex law that creates many inroads to other questions being raised (such as your mention of Skype), so we are all on a learning curve and there is no need for snide remarks such as you make, based on your own assumptions of what I said; I will say, as always, if you have nothing constructive to offer there is no need to belittle others when they are trying to help.
     
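The opt-in mechanism Maddox describes above, as an added example that is not from this thread and not XenForo's own code: a small consent gate that refuses to write non-essential cookies until the visitor's recorded consent covers their category, plus an audit function that answers "were cookies dropped before they accepted the notice?" for a given cookie jar. The cookie names, their categories and the `cookie_consent` format are assumptions.

```javascript
// Added example (not from the thread). Cookies are modelled as a plain
// document.cookie-style string so this runs in Node without a browser.

// Assumed: these cookies are strictly necessary and need no consent.
const ESSENTIAL = new Set(['xf_session', 'xf_csrf']);
// Assumed: every other cookie the site drops, mapped to its consent category.
const CATEGORY = { _ga: 'analytics', _gid: 'analytics', ad_id: 'advertising' };
// Assumed name; value is the accepted categories, e.g. "analytics,advertising".
const CONSENT_COOKIE = 'cookie_consent';

function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return jar;
}

// Opt-in: consent exists only if the visitor accepted; no cookie means none.
function consentedCategories(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  return new Set(raw ? raw.split(',').map(s => s.trim()).filter(Boolean) : []);
}

function mayDrop(name, cookieString) {
  if (ESSENTIAL.has(name) || name === CONSENT_COOKIE) return true;
  const category = CATEGORY[name];
  if (!category) return false;              // unknown cookies are never essential
  return consentedCategories(cookieString).has(category);
}

// Route every cookie write through here; returns the (possibly unchanged) jar.
function setCookieIfAllowed(jar, name, value) {
  if (!mayDrop(name, jar)) return { jar, dropped: false };
  const entry = `${name}=${encodeURIComponent(value)}`;
  return { jar: jar ? `${jar}; ${entry}` : entry, dropped: true };
}

// Called from the banner's accept button: records the chosen categories.
function recordConsent(jar, categories) {
  return setCookieIfAllowed(jar, CONSENT_COOKIE, categories.join(',')).jar;
}

// Audit helper: non-essential cookies present without consent covering them.
// A non-empty result on a fresh visit means cookies were dropped before opt-in.
function cookiesSetWithoutConsent(cookieString) {
  const consent = consentedCategories(cookieString);
  return Object.keys(parseCookies(cookieString)).filter(name =>
    !ESSENTIAL.has(name) && name !== CONSENT_COOKIE && !consent.has(CATEGORY[name]));
}
```

Run the audit against `document.cookie` on a first visit (before clicking accept) to check your own site; the only names it should report are none.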
  9. Nev_Dull

    Nev_Dull Anachronism

    I think it's more accurate to say "overly complicated" law, but that's just me. They've created a broadly sweeping law which they can choose to apply to a huge array of situations. That will always result in confusion, and invariably, endless court challenges by those with the means to launch them. In the end, the small players will be the losers.

    BTW, if you visit the home of the European Parliament (europa.eu), you get a cookie served to your browser, with no notice or prior warning. Perhaps this is another case of "do as we say, not as we do"?
     
  10. Maddox

    Maddox Habitué

    That's a great example of, as you rightly say, "do as we say, not as we do". It's right that DP laws are beefed up in light of recent and past events of people's data being harvested or stolen en masse, but regularly the EU will take extreme measures where more measured and appropriate actions would make more sense; but that's not the way the EU operates. Reading between the lines we can all believe that the GDPR is squarely aimed at big companies to ensure that they take the right measures to protect people's data; having said that, because it becomes a law, everyone is affected and governed by it.

    When the big guys are all playing nicey nicey and doing the right thing, the EU will move its sights to smaller companies to justify their existence and to show that they are doing their job. Then when they see the smaller guys are doing the right thing and playing nicey nicey, the sights will move again further down the line; this is what jobsworths do to justify their existence. Somewhere along the way there are going to be casualties to make a point; the ICO already have 30 companies in their sights, so it will be interesting to see what transpires.

    And Nev_Dull you are right on the button when you say that this is an 'overly complicated' law, but that's the EU for you, they love to complicate things.

    ;)
     
  11. we_are_borg

    we_are_borg Administrator

    Yes, all records, digital or paper, fall under GDPR. Even worse: if people look at papers where personal information is formally written and that is not their job, you have a data leak.
     
  12. feldon30

    feldon30 Adherent

    Cookies are a core component of the useful internet as much as HTML and CSS are. If users want to disable all cookies, there is trivially easy-to-install software to provide this capability to them. These laws will have these results:
    • Make it HARDER to block bullies and other bad actors who use the internet as a vehicle to assault others. Setting persistent cookies and logging IP addresses of bullies and bad actors is our only meaningful way as webmasters to track them. These laws make it illegal to do so.
    • Add more warning labels and another checkpoint that users will blindly click through.
    • Make advertising as dumb as it was in the late 1990s.
    What it will not do:
    • Prevent any financial or personal data breaches.
    • Make the internet better in any way.
    This law is the EU trying to take control of the worldwide internet and bend it to its most extreme interpretation of user privacy. And I say all this as someone horrified with America's own overreaching enforcement actions at home and abroad. America's government sees itself as the world police. That's already 1 country too much, but now the EU is trying to make it 22 countries patrolling how the world uses the internet.

    Clearly we do not have the same definitions for "constructive", "snide remarks", or "belittling others". And in the best EU tradition, I expect my opinion to be given just as much chance and respect as anyone else's.
     
  13. Maddox

    Maddox Habitué

    You can do that without attempting to make someone look as though they are trying to belittle people. Your only contribution to this discussion is that you will lock your server and ban people from the EU and going on about the EU trying to take over the world - hardly constructive opinions in light of the upcoming law.

    As for cookies, no one said to disable them; rather - if you read correctly instead of going all gung-ho - the point is that explicit permission is required for cookies to be set, which is a world of difference from disabling them. From the content of your posts you appear to be anti-everything when it comes to privacy control on the internet; go ahead and perform your isolation tactics by shutting out the EU if you don't want to follow their rules, which by the way I don't entirely agree with, but the law is the law whether you agree with it or not. In this instance we are attempting to find the best ways to comply with the law; you, on the other hand, don't want to even try; you've made that explicitly clear, so unless you have something constructive to add to the discussion that is helpful, you would be better off spending your energies elsewhere, because nothing you have said so far is making a positive contribution to this thread. I will respond no further to your comments.

    :tdown:
     
  14. fixer

    fixer I'm In My Prime

    just got an email from daddy google...

    Dear Google Analytics Administrator,
    Over the past year we've shared how we are preparing to meet the requirements of the GDPR, the new data protection law coming into force on May 25, 2018. Today we are sharing more about important product changes that may impact your Google Analytics data, and other updates in preparation for the GDPR. This e-mail requires your attention and action even if your users are not based in the European Economic Area (EEA).
    Product Updates
    Today we introduced granular data retention controls that allow you to manage how long your user and event data is held on our servers. Starting May 25, 2018, user and event data will be retained according to these settings; Google Analytics will automatically delete user and event data that is older than the retention period you select. Note that these settings will not affect reports based on aggregated data.
    Action: Please review these data retention settings and modify as needed.
    Before May 25, we will also introduce a new user deletion tool that allows you to manage the deletion of all data associated with an individual user (e.g. site visitor) from your Google Analytics and/or Analytics 360 properties. This new automated tool will work based on any of the common identifiers sent to Analytics: Client ID (i.e. standard Google Analytics first party cookie), User ID (if enabled), or App Instance ID (if using Google Analytics for Firebase). Details will be available on our Developers site shortly.
    As always, we remain committed to providing ways to safeguard your data. Google Analytics and Analytics 360 will continue to offer a number of other features and policies around data collection, use, and retention to assist you in safeguarding your data. For example, features for customizable cookie settings, privacy controls, data sharing settings, data deletion on account termination, and IP anonymization may prove useful as you evaluate the impact of the GDPR for your company’s unique situation and Analytics implementation.
    Contract And User Consent Related Updates
    Contract changes

    Google has been rolling out updates to our contractual terms for many products since last August, reflecting Google’s status as either data processor or data controller under the new law (see full classification of our Ads products). The new GDPR terms will supplement your current contract with Google and will come into force on May 25, 2018.
    In both Google Analytics and Analytics 360, Google operates as a processor of personal data that is handled in the service.
    • For Google Analytics clients based outside the EEA and all Analytics 360 customers, updated data processing terms are available for your review/acceptance in your accounts (Admin ➝ Account Settings).
    • For Google Analytics clients based in the EEA, updated data processing terms have already been included in your terms.
    • If you don’t contract with Google for your use of our measurement products, you should seek advice from the parties with whom you contract.
    Updated EU User Consent Policy
    Per our advertising features policy, both Google Analytics and Analytics 360 customers using advertising features must comply with Google’s EU User Consent Policy. Google's EU User Consent Policy is being updated to reflect new legal requirements of the GDPR. It sets out your responsibilities for making disclosures to, and obtaining consent from, end users of your sites and apps in the EEA.
    Action: Even if you are not based in the EEA, please consider together with your legal department or advisors, whether your business will be in scope of the GDPR when using Google Analytics and Analytics 360 and review/accept the updated data processing terms as well as define your path for compliance with the EU User Consent Policy.
    Find Out More
    You can refer to privacy.google.com/businesses to learn more about Google’s data privacy policies and approach, as well as view our data processing terms.
    We will continue to share further information on our plans in the coming weeks and will update relevant developer and help center documentation where necessary.
    Thanks,
    The Google Analytics Team
     
  15. R0binHood

    R0binHood Habitué

  16. Bikenut

    Bikenut Enthusiast

    Crazy question, can I just ban all EU IP addresses and be done with this crap? Beyond that, I don't know what else to do.
     
  17. Maddox

    Maddox Habitué

    You probably could do that, but that's cutting an incredible amount of people off from the service you offer; it's not all of the people's fault that the bureaucrats have been more-or-less compelled to go down this road. It would be better to try and comply with this new regulation than pulling up the drawbridge; it's an easy option for sure, but not the best.

    We're working towards, ever so slowly, potential solutions and ways and means to help others to comply. The US is beginning to bring in similar laws so it appears the principles will become universal in some form or other.

    ;)
     
  18. zappaDPJ

    zappaDPJ Administrator

    You probably could but it's starting to become evident other areas in the world are keen to adopt similar cra ... regulations so I suspect sooner or later you'll still be obliged to adopt some kind of Frankenstein policy to please them all.
     
  19. PoetJC

    PoetJC ⚧ Jacquii: Black Kween of TSSN ⚧

    Ha. I saw what you did there....
    But wow... Talk about regulation... So MUCH regulation coming from sides which would generally say less regulation is better.
    I'm sorta miffed about it all ((sigh...))

    J.
     
  20. R0binHood

    R0binHood Habitué

    Here's the statement from OneSignal about their upcoming changes. I know a lot of admins are using it on their XF1 sites and a few people are working on XF2 versions.


     