GDPR - What does it mean for the forum owner?

[Shin Ryoku]

See: http://privacylaw.proskauer.com/201...n/a-primer-on-the-gdpr-what-you-need-to-know/

It seems like all or most of us with forums that include EU members or guests will have to comply with the GPDR.

I am unclear whether this means that we will have to delete all a members' posts on request and/oe provide them a means to take those posts elsewhere.

Does anyone know more about what this means for us and can shed some light here?

 

[Shin Ryoku]

The penalty could be 4% or EUR 20M whichever is greater.

It also introduces the right for users to sue for compensation.

If this is all what it seems to be, barring EU members may be the only path forward for some of us. Would be a real shame.

 

[Maddox]

I'm not sure that this will affect personal forums unless you are running the forum as a business; i.e. selling something. However, having said that, many EU regulations are quite ambiguous in their definition of scope when it comes to something (or an entity) that sits on the borderline of whether said regulation applies or not. On the face of it, from what I've read, it's mostly about business and companies retaining personal data in relation to selling a product or service. I have serious doubts as to whether this will apply to private forums run by individuals as a hobby or extended interest, with the proviso that said forums or sites are not actually selling anything.

I reckon it will be another one of those 'wait and see' scenarios - the EU thinks it rules the world and can dictate (as any dicatorship will) what goes and what does not. Personally, I wouldn't lose any sleep over this.

 

[Shin Ryoku]

The article I linked states that "any company that markets goods or services to EU residents may be viewed as subject to the GDPR". I definitely think of my sites as providing services.

 

[Maddox]

Are they paid services? Are you selling anything? If not I wouldn't worry about it - look at the wording too; "any company" are you a company - if not then it most likely will not affect you, but with the EU who can say? If you are in any doubts at all I would contact someone (or body) to clarify how it may or may not affect you.

 

[mysiteguy]

Bureaucrats never meet a business killing regulation they don't like, especially in Europe.

 

[ds8vtrhfhe7]

This is the key part which I see :

What constitutes personal data?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

and the penalties

What are the penalties for non-compliance?
Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.

Source: http://www.eugdpr.org/gdpr-faqs.html

I take from it that you need to ensure the data being obtained is accurate, correct, and it's use is clearly outlined. You are also responsible for ensuring reasonable measures are taken to ensure there is no unauthorised access to this data. No idea what would happen if there was a 0 day vuln to some software you were using, and the DB was exploited. It does mention that you should notify people in a timely manner of any breach.

But....it's the EU, and they love making things very difficult to follow and as complicated as possible.

 

[Shin Ryoku]

Does this law require us to allow members to download all their posts and take them elsewhere?

 

[ds8vtrhfhe7]

Does this law require us to allow members to download all their posts and take them elsewhere?

I don't think so, because that's not their personal information. It's just the data you are collecting about them (IP / Name / email etc).

 

[pierce]

This rule applies to companies not physically located in the EU. If users are located in the EU you fall under these rules.

From wiki

The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents

So applies to everyone with a single member residing in the eu

 

[ozzy47]

Good luck trying to enforce it in other countries.

 

[pierce]

Good luck trying to enforce it in other countries.

*Cough* cookie policy *cough*

 

[ozzy47]

In practice, as enforcement is on a country by country basis, any company which has no legal EU presence, is going to be very hard to pursue a case against.

 

[rafalp]

Not really. Your company uses Visa/Mastercard/Paypal for payments processing? This is enough for EU courts to charge you for mishandling of their citizens data. If your payment processor will in return charge you, is up to them.

 

[gilmoreren]

Hopefully this information, from the UK's Information Commissioners' Office - although not directly relevant for all - will be helpful for those who are curious...

An overview of the GDPR and how it may affect organisations

A blog with more information on the GDPR and next steps

Broadly, for organisations that are relevant, it seems to concern consent and customers having control on how data is obtained and processed. A fair amount of this can be mitigated by having good processes on data collection, a decent 'need to know' basis on why you need specific personal data (ensuring that this is reasonable) and clarity in T&Cs so users know what data is held, how it is processed and the control they have over its removal.

There are possibly more complex considerations over the 'active' consent and age verification of children but for now, a lot of the practical implications of this are still up in the air. Particularly for the UK and our own legislative hokey cokey (sigh). Still, I don't think the GDPR comes into force until May 2018 so let's hope there's clarity by then!

 

[pierce]

Why does the UK even bother when they are about to BREXIT?

 

[gilmoreren]

Why does the UK even bother when they are about to BREXIT?

Three reasons - it's too tricky to know what if any EU regulations we may still need to follow depending on the agreement reached and how long it may take in the meantime to reach it, because an equivalent law will possibly come into effect in the UK if we're exempt from the EU and because if we have EU citizens using services we may still need to follow it.

 

[gilmoreren]

Three reasons - it's too tricky to know what if any EU regulations we may still need to follow depending on the agreement reached and how long it may take in the meantime to reach it, because an equivalent law will possibly come into effect in the UK if we're exempt from the EU and because if we have EU citizens using services we may still need to follow it.

But that's a lot of probably possibly and likely so who knows?

 

[pierce]

All fair points.

It's going to be a monumental amount of work to process

 

[Shin Ryoku]

I don't think so, because that's not their personal information. It's just the data you are collecting about them (IP / Name / email etc).

Matt, it's the part of what you quoted bolded below which has me concerned:

It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

Forums are social networking websites, and members post personal things very often. I don't mind having to delete a member's posts on request, but a requirement to make them easily transportable seems like it would be difficult to satisfy.