MyBB Community Forums

Full Version: General Data Protection Regulation (GDPR) - anyone preparing plugins?
So it looks like on 24.05 at 23:59 I must turn off my forum and redirect it to a Joomla site with a GDPR plugin :-(
Stop overreacting, you don't need to shut your forums. As already said you only need to prove you are working on complying with it and not just pretending GDPR never existed, delaying it on purpose, etc.
The basic idea behind GDPR is that no one can store personal data of EU users without their explicit consent IN ADVANCE. This includes personal information, data like IP address or cookies that could lead to the identification of a user. The problem here is also that no such cookies should be stored prior to obtaining the consent, so the site needs to offer by default a sort of anonymous/non-personalized version and switch to standard version if the user agrees to terms, which exactly describe what information is being used/kept. Plus the user must be allowed to request what kind of information is kept by the provider and a way of requesting to delete all personal information anytime.
It doesn't matter where the owner (forum) resides; what matters is whether it has users from the EU. So it concerns most sites which deal with personalized information.
It's a huge change to most sites on the internet, imagine how Google's personalized ads will (not) work if the users don't provide consent - they will need to use non-personalized contextual ads.
But still some say that it's a matter of how the law is understood, some owners interpret the law their own way and think they are not affected.
Good luck :(
I have had someone who has been on a course about it look over my suggestion, and she said it would be enough for a forum. So I will be making a page with this content and putting links in the footer and on the sign up agreement.

Quote: Statement about Cookie and GDPR regulations

Cookies: I am supposed to ask your permission to put cookies on your computer. However a cookie is put onto your computer as soon as you visit the site, so asking for your permission is impossible!

The guidance states: Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies. So the way I interpret that law is that you have consented to the use of cookies simply by visiting the site! Yep I know it's a daft way of looking at it, but by making this statement it's the only way I can see to abiding by the law, and ruling out any complaint against me.

FORUM NAME HERE makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer, and are used by all websites. The cookies set by this forum can only be used on this website and pose no security risk. They are designed to make loading quicker and aid navigation. It is not possible to view this website without cookies, and members will not be able to login.

GDPR: I don't have to tell you about The General Data Protection Regulation (GDPR) as FORUM NAME HERE is not an organization or business and it has no income, however I thought I would post some Questions and Answers.

Q: What personal data does FORUM NAME HERE keep in the database?
A: #1 Usernames #2 Email address #3 IP addresses #4 Profiles #5 Posts #6 PM's #7 Avatars #8 Personal notepad.

Q: Is my personal data safe?
A: That depends on how much you have shared. For example your Username, Posts and Avatars can all (with the exception of member only boards) be seen by the public and search engines. Your profile can only be seen by those with more than 5 posts (this excludes the parts you see above your posts). Your Email and IP can only be seen by one administrator (Me). Your PM's are only seen by you and the person you send them to and your Notepad is only seen by you.

Q: Why is this data kept?
A: Without it there would be no members, no posts and no forum. For example when you join and choose your location in your profile it is stored in the database, as are your posts, etc. The whole forum is stored in one database on a server and only one administrator (Me) has access to it.

Q: Will FORUM NAME HERE do anything with my data?
A: No I will never give access or sell it onto anyone (the exception being if required to do so by law, but even then I wouldn't give it easily).

Q: Can I delete my account and be forgotten?
A: Our sign up agreement does say "You agree your account can not be deleted without exceptional circumstances". I will however review each case as requested on a one to one basis.

Tracking and Analytics: FORUM NAME HERE does not track your movements to or from other websites, or use any third-party tracking tools. AWStats and Google Analytics are used by FORUM NAME HERE but no personal information is gathered.

Funding and Registration: FORUM NAME HERE is funded by a private individual (Me) and is not registered as an organisation or business. I do not accept any donations, sponsorship or advertising.

I hope the above information has helped, if you have any other questions please contact me on the forum or use the contact form.

OWNER NAME HERE

Change to suit, but that's what I will be doing.

There is no need for a forum owner to worry unless you are running it as a registered business and have a monetary turnover.
(2018-05-13, 01:23 PM)sarisisop Wrote: [ -> ]I have had someone who has been on a course about it look over my suggestion, and she said it would be enough for a forum. So I will be making a page with this content and putting links in the footer and on the sign up agreement.


One obvious thing wrong with this that I can find, bearing in mind I've done little research on GDPR. It doesn't matter what they agree to when they sign up. Agreements don't overrule law. It is their legal right (or will be) to be forgotten, so as long as they request it, you have to abide whether the circumstance is exceptional or not. There's probably more wrong with this but you can count on someone with more research to point it out.
(2018-05-13, 02:04 PM)Wires Wrote: [ -> ]One obvious thing wrong with this that I can find, bearing in mind I've done little research on GDPR. It doesn't matter what they agree to when they sign up. Agreements don't overrule law. It is their legal right (or will be) to be forgotten, so as long as they request it, you have to abide whether the circumstance is exceptional or not. There's probably more wrong with this but you can count on someone with more research to point it out.

That is why I say I will deal with it on a one to one basis.

I agree there is probably a lot wrong with it as far as a lawyer would be concerned, but it shows I have tried.

Also the penalties are 4% of annual global turnover for breaching GDPR or €20 Million.

So as I have no turnover it will be €20 Million. I wish them luck in getting that. :D

I may also be wrong but I think to be forgotten you can only do that when it's your real name that has been used, I don't have any members using their real name.

However, I think this is just like the Cookie law. We all worried about it at first but now realise it was nothing to worry about. I don't have a cookie pop up warning and it has never caused me a problem.
Ok, I understand that removal of all posts is not a mandatory condition in GDPR regarding forums, if the posts don't contain personal data. But I repeat, MyBB must do something with the IDs that remain unchanged in quotes when we rename a user ID, because there are many people who use their surname or even their entire name when they register on forums. If a person with the ID "OMar G." (like our colleague) requests deletion of all posts, you can't refuse because he can show you a scan of an ID card where the name is "Omar George", for example, and you must delete all 7406 posts because you have many posts with his name in the forum, leaving thousands of replies without sense...
Maybe a change in the core of the next versions will allow changing the usernames in the old quotes.
For me, that's the biggest problem of GDPR regarding forums.
(2018-05-14, 08:12 AM)Lyvyoo Wrote: [ -> ]Ok, I understand that removal of all posts is not a mandatory condition in GDPR regarding forums, if the posts don't contain personal data. But I repeat, MyBB must do something with the IDs that remain unchanged in quotes when we rename a user ID, because there are many people who use their surname or even their entire name when they register on forums. If a person with the ID "OMar G." (like our colleague) requests deletion of all posts, you can't refuse because he can show you a scan of an ID card where the name is "Omar George", for example, and you must delete all 7406 posts because you have many posts with his name in the forum, leaving thousands of replies without sense...
Maybe a change in the core of the next versions will allow changing the usernames in the old quotes.
For me, that's the biggest problem of GDPR regarding forums.

Yes a way to change the name in all quotes whilst changing the user name would be very helpful.
It has been discussed and we will try to find a way for names displayed in quotes.
It's all on the parser and the parser is likely to be rewritten.
Well, many things are said here, and if you all don't mind, I'm going to recap all the important things the MyBB GDPR plugin must have:

New Users:

1] A check box (unchecked by default) that warns about the Cookies Policy and/or the Privacy Policy of the Forum.
2] A new user can't register if he/she doesn't accept the conditions.
3] The confirmation must be recorded (along with the other data) in the Database.
4] In the plugin settings (in Admin CP), there could be these different fields:
- a blank field for the text that accompanies the check box (Default: I've read the Cookies Policy and/or the Privacy Policy of this Forum)
- a blank field for the URL of the Cookies Policy, because maybe someone wants to create a unique page only for this.
- a blank field for the text of the Cookies Policy; it's only shown if the URL of the Cookies Policy is empty
- a blank field for the URL of the Privacy Policy, because maybe someone wants to create a unique page only for this.
- a blank field for the text of the Privacy Policy; it's only shown if the URL of the Privacy Policy is empty

Existing Users Before Plugin:

1] A warning message (MyBB's PopUp), forcing them to accept the Cookies Policy and/or the Privacy Policy of the Forum.
2] Existing Users can't use the forum until they accept.
3] The confirmation must be recorded (along with the username, date, and IP?) in the Database.
4] Plugin settings could be the same as for new users, no need for new fields


Now let's check the different rights of the users:

Right to be informed

This should be in your Privacy Policy, and it's not a thing to cover in this plugin.


Right of access

Quote: The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.
Now the plugin, given the username / email of a user, must retrieve all the data of this user, for example:
- User name
- Real name
- IP
- Join date
- Total Posts
- Time Spent Online
- etc.

All this data must be assembled in an electronic format, so that it can be sent to him/her by e-mail.

At this point, about data gathered by plugins I'll talk later at the end of this post.


Right to rectification

It's as simple as reading what the user wants, and changing it if we can. Nothing to add here to the plugin.


Right to erasure

Now the 'worst' part for a forum. As in the 'Right of access' part, we must collect all the data and delete/change it to something not recognizable.
Let's see the different parts of a post to see what could be done:
- Username: change it to John Doe (or whatever you want by default)
- Joined: change it to 01-01-2000
- Last Visit: change it to 01-01-2000
- Time Spent Online: 0
- Members Referred: 0
- Reputation: 0
- IP: 127.0.0.1
- Additional Info: make it empty or 0
- quotes: the default username or just the ID of the post or the quote to follow the conversation.
- etc.

But now we face a big problem: imagine that a user writes down his/her name in a post, or an address, or whatever personal data (email, phone, etc.); you must check all the posts one by one just to be sure that you remove this data. I think it's the only way to avoid deleting all the posts from a user.

The plugin should create a new page with a simple form to ask for this right, and a confirmation email must be sent, just to be sure that this user wants to use this right to erasure.


Right to restrict processing

It's as simple as reading what the user wants, and restricting it if we can. Nothing to add here to the plugin.


Right to data portability

As in the 'Right of access' part, we must collect all the data and assemble it in an electronic format, so that it can be sent to him/her by e-mail.

The plugin should create a new page with a simple form to ask for this right, and a confirmation email must be sent, just to be sure that this user wants to use this right to data portability.

The default formats to provide personal data could be open formats such as CSV, XML and JSON.


Right to object

It's as simple as reading what the user wants, and restricting it if we can. Nothing to add here to the plugin.


About plugins:

We know that there are many plugins that store personal data from a user in the Forum's Database.

I propose to 'mark' the plugins/mods as "GDPR Compliant" in MyBB's Mods section, and only the plugins that are able to show/delete/block the personal data they collect will have this 'badge'. Of course the plugins that don't store any data will have this mark by default.

If a forum's admin uses plugins that are not "GDPR Compliant", it'll be his/her problem, not MyBB's fault.

Just my 2 cents... (sorry for this long post)
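
The erasure steps listed in the post above (overwrite the profile fields, replace the name in quote headers, then check posts by hand for leftover personal data), as an added example that is not part of the thread or of MyBB's code. The dict field names and sample rows are hypothetical, and the quote header layout `[quote="name" pid='…' dateline='…']` is an assumption about how the forum stores quotes.

```python
import re

PLACEHOLDER = "John Doe"  # default replacement name, as the post suggests
# Assumed quote header layout: [quote="name" pid='101' dateline='1526285520']
QUOTE_TAG = re.compile(r"""(\[quote=)(["'])(?P<name>[^\]]*?)\2(?P<rest>[^\]]*\])""", re.I)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE = re.compile(r"\+?\d[\d ()-]{7,}\d")

def anonymise_user(user, placeholder=PLACEHOLDER):
    """Copy of the user row with the post's listed fields (plus email) overwritten."""
    return {**user, "username": placeholder, "email": "", "joined": "2000-01-01",
            "last_visit": "2000-01-01", "time_online": 0, "referrals": 0,
            "reputation": 0, "ip": "127.0.0.1", "additional_info": ""}

def rewrite_quotes(message, old_name, placeholder=PLACEHOLDER):
    """Swap old_name in quote headers only; pid/dateline stay so threads still read."""
    def swap(m):
        if m.group("name").casefold() != old_name.casefold():
            return m.group(0)  # someone else's quote: leave untouched
        q = m.group(2)
        return f"{m.group(1)}{q}{placeholder}{q}{m.group('rest')}"
    return QUOTE_TAG.sub(swap, message)

def needs_manual_review(message, old_name):
    """Reasons a post body may still identify the user after the automatic pass."""
    body = QUOTE_TAG.sub("", message)  # skip headers: a dateline looks like a phone
    checks = [("old username in text", re.compile(re.escape(old_name), re.I)),
              ("email address", EMAIL), ("phone-like number", PHONE)]
    return [label for label, rx in checks if rx.search(body)]

def erase(user, posts, placeholder=PLACEHOLDER):
    """Return (anonymised user, rewritten posts, {pid: reasons} for hand review)."""
    old, new_posts, review = user["username"], [], {}
    for post in posts:
        text = rewrite_quotes(post["message"], old, placeholder)
        author = placeholder if post["uid"] == user["uid"] else post["author"]
        new_posts.append({**post, "author": author, "message": text})
        reasons = needs_manual_review(text, old)
        if reasons:
            review[post["pid"]] = reasons
    return anonymise_user(user, placeholder), new_posts, review

# Constructed sample data (not taken from any real forum)
USER = {"uid": 7, "username": "Jane R.", "email": "jane@example.org",
        "joined": "2012-03-04", "last_visit": "2018-05-14", "time_online": 86400,
        "referrals": 3, "reputation": 12, "ip": "203.0.113.9", "additional_info": "x"}
POSTS = [
    {"pid": 101, "uid": 7, "author": "Jane R.", "message": "Try clearing the cache."},
    {"pid": 102, "uid": 9, "author": "bob", "message":
     "[quote=\"Jane R.\" pid='101' dateline='1526285520']Try clearing the cache.[/quote]\nThanks!"},
    {"pid": 103, "uid": 7, "author": "Jane R.", "message": "Mail me at jane@example.org."},
    {"pid": 104, "uid": 9, "author": "bob", "message":
     "[quote='carol' pid='90' dateline='1526220000']ok[/quote] Jane R. already answered."},
]
```

Calling `erase(USER, POSTS)` leaves post 102's quote pointing at pid 101 under the placeholder name and returns posts 103 and 104 for manual review, which is the case the post warns cannot be automated.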