GDPR - What does it mean for the forum owner?

Discussion in 'Site Security & Legal Issues' started by Shin Ryoku, Mar 18, 2017 at 8:00 AM.

  1. Shin Ryoku

    Shin Ryoku Adherent

    See: http://privacylaw.proskauer.com/201...n/a-primer-on-the-gdpr-what-you-need-to-know/

    It seems like all or most of us with forums that include EU members or guests will have to comply with the GDPR.

    I am unclear whether this means that we will have to delete all of a member's posts on request and/or provide them a means to take those posts elsewhere.

    Does anyone know more about what this means for us and can shed some light here?
  2. Shin Ryoku

    Shin Ryoku Adherent

    The penalty could be 4% or EUR 20M whichever is greater.

    It also introduces the right for users to sue for compensation.

    If this is all what it seems to be, barring EU members may be the only path forward for some of us. Would be a real shame.
     
  3. Maddox

    Maddox Adherent

    I'm not sure that this will affect personal forums unless you are running the forum as a business; i.e. selling something. However, having said that, many EU regulations are quite ambiguous in their definition of scope when it comes to something (or an entity) that sits on the borderline of whether said regulation applies or not. On the face of it, from what I've read, it's mostly about business and companies retaining personal data in relation to selling a product or service. I have serious doubts as to whether this will apply to private forums run by individuals as a hobby or extended interest, with the proviso that said forums or sites are not actually selling anything.

    I reckon it will be another one of those 'wait and see' scenarios - the EU thinks it rules the world and can dictate (as any dictatorship will) what goes and what does not. Personally, I wouldn't lose any sleep over this.

    ;)
     
  4. Shin Ryoku

    Shin Ryoku Adherent

    The article I linked states that "any company that markets goods or services to EU residents may be viewed as subject to the GDPR". I definitely think of my sites as providing services.
     
  5. Maddox

    Maddox Adherent

    Are they paid services? Are you selling anything? If not, I wouldn't worry about it - look at the wording too: "any company". Are you a company? If not, then it most likely will not affect you, but with the EU who can say? If you are in any doubt at all I would contact someone (or some body) to clarify how it may or may not affect you.

    ;)
     
  6. mysiteguy

    mysiteguy Habitué

    Bureaucrats never meet a business killing regulation they don't like, especially in Europe.
     
  7. MattW

    MattW Administrator

    This is the key part which I see:

    and the penalties
    Source: http://www.eugdpr.org/gdpr-faqs.html

    I take from it that you need to ensure the data being obtained is accurate, correct, and its use is clearly outlined. You are also responsible for ensuring reasonable measures are taken to ensure there is no unauthorised access to this data. No idea what would happen if there was a 0-day vuln in some software you were using, and the DB was exploited. It does mention that you should notify people in a timely manner of any breach.

    But....it's the EU, and they love making things very difficult to follow and as complicated as possible.
     
  8. Shin Ryoku

    Shin Ryoku Adherent

    Does this law require us to allow members to download all their posts and take them elsewhere?
     
  9. MattW

    MattW Administrator

    I don't think so, because that's not their personal information. It's just the data you are collecting about them (IP / Name / email etc).
     
  10. pierce

    pierce Fan

    This rule applies to companies not physically located in the EU. If users are located in the EU you fall under these rules.

    From wiki
    So it applies to everyone with a single member residing in the EU.
     
  11. ozzy47

    ozzy47 Moderator

    Good luck trying to enforce it in other countries.
     
  12. pierce

    pierce Fan

    *Cough* cookie policy *cough*
     
  13. ozzy47

    ozzy47 Moderator

    In practice, as enforcement is on a country-by-country basis, any company which has no legal EU presence is going to be very hard to pursue a case against.
     
  14. rafalp

    rafalp Desu Ex

    Not really. Your company uses Visa/Mastercard/PayPal for payment processing? This is enough for EU courts to charge you for mishandling of their citizens' data. Whether your payment processor will in turn charge you is up to them.
     
  15. gilmoreren

    gilmoreren Aspirant

    Hopefully this information, from the UK's Information Commissioner's Office - although not directly relevant for all - will be helpful for those who are curious...

    An overview of the GDPR and how it may affect organisations

    A blog with more information on the GDPR and next steps

    Broadly, for organisations that are relevant, it seems to concern consent and customers having control on how data is obtained and processed. A fair amount of this can be mitigated by having good processes on data collection, a decent 'need to know' basis on why you need specific personal data (ensuring that this is reasonable) and clarity in T&Cs so users know what data is held, how it is processed and the control they have over its removal.

    There are possibly more complex considerations over the 'active' consent and age verification of children but for now, a lot of the practical implications of this are still up in the air. Particularly for the UK and our own legislative hokey cokey (sigh). Still, I don't think the GDPR comes into force until May 2018 so let's hope there's clarity by then!
     
  16. pierce

    pierce Fan

    Why does the UK even bother when they are about to BREXIT?
     
  17. gilmoreren

    gilmoreren Aspirant

    Three reasons - it's too tricky to know what if any EU regulations we may still need to follow depending on the agreement reached and how long it may take in the meantime to reach it, because an equivalent law will possibly come into effect in the UK if we're exempt from the EU and because if we have EU citizens using services we may still need to follow it.
     
  18. gilmoreren

    gilmoreren Aspirant

    But that's a lot of probably, possibly and likely, so who knows?
     
  19. pierce

    pierce Fan

    All fair points.

    It's going to be a monumental amount of work to process.
     
  20. Shin Ryoku

    Shin Ryoku Adherent

    Matt, it's the part of what you quoted bolded below which has me concerned:

    Forums are social networking websites, and members post personal things very often. I don't mind having to delete a member's posts on request, but a requirement to make them easily transportable seems like it would be difficult to satisfy.
     