MyBB Community Forums

Full Version: General Data Protection Regulation (GDPR) - anyone preparing plugins?
Hi,

Is someone, by any chance, planning on writing any specific plugins considering the EU General Data Protection Regulation (GDPR) implementation, happening this very May?


You can read more about GDPR here -> GDPR.

THANKS A LOT FOR ANY KIND OF FEEDBACK :)

Short summary can be found below (I got that from our Legal Department):

The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world.

We must ensure the possibility to carry out the data subject rights, e.g.:

· Right to Access (the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.)

· Right to be Forgotten (the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to compare the subjects' rights to "the public interest in the availability of the data" when considering such requests.)

· Data Portability (the right for a data subject to receive the personal data concerning them, which they have previously provided in a 'commonly used and machine readable format' and have the right to transmit that data to another controller).


https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
That's way too much legalese for me. I don't see how this affects forums and what a plugin could do here.
You can cover it all by updating the registration agreement the user agrees to when signing up, if it even needs an update. As long as you're transparent about what you do with data, and carry out people's requests, you'll be fine. The ICO aren't going to fine the owner of a forum anyway.
The only problem is the consent to the processing of data when we take data from users (in a standard forum we take information from users, mainly IP and email).
With the GDPR law you have to say who is the responsible and the owner of the treatment and above all give evidence of consent to the treatment (for example a database table with the word "user xyc has consented to the treatment flagging the relative checkbox").
So some checkbox or button that registers that the user has agreed to provide their data (IP and email) for the use of the service (the forum).
MyBB, I believe, doesn't register the consent in the database :( only cookies, but the cookie law is another thing.
(2018-04-25, 08:52 AM) niere8 wrote: The only problem is the consent to the processing of data when we take data from users (in a standard forum we take information from users, mainly IP and email).
With the GDPR law you have to say who is the responsible and the owner of the treatment and above all give evidence of consent to the treatment (for example a database table with the word "user xyc has consented to the treatment flagging the relative checkbox").
So some checkbox or button that registers that the user has agreed to provide their data (IP and email) for the use of the service (the forum).
MyBB, I believe, doesn't register the consent in the database :( only cookies, but the cookie law is another thing.

I have no understanding of what you mean. I have autism.
The GDPR applies to all EU organisations – whether commercial business, charity or public authority – that collect, store or process EU residents’ personal data, even if they’re not EU citizens.

The GDPR defines personal data as any information or type of data that can directly or indirectly identify a natural person’s identity. This can include information such as Name, Address, Email, Photos, System Data, IP addresses, Location data, Phone numbers, and Cookies.

For other special categories of personal data, there are more strict regulations for categories such as Race, Religion, Political Views, Sexual Orientation, Health Information, Biometric and Genetic data.

What are the penalties for non-compliance?
Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements.

There is a tiered approach to the fines whereby a company can be fined 2% for not having their records in order (Article 28), not notifying the supervising authority and Data User about a security breach or for investigating and assessing the breach.
In fact, all MyBB forum admins need a plugin that sends an email to all registered users to reconfirm the registration by accepting the new GDPR terms. Practically, we must explain what kind of data we collect, where it is stored (including the name of the host service), the person from the board that is responsible for GDPR policy issues, how to delete all user data (not the posts but username, email etc.), how long we keep the backups, etc.

Basically, the plugin must send to all users a link to a new landing page in the forum where they can read and press "Accept new rules", and that's all.

Maybe we can do all these things with the existing MyBB functions, without manually processing each (re)confirmation?
I think emails aren't a problem, we can use mass mail to send the email to all users.
The problem is, technically, how to add information?

For example, when a new user registers at the forum, in the registration form there should be a checkbox to consent to the processing of data (normally IP and email address, if they do not ask for other sensitive data).

The most important thing, moreover, is to register this consent, i.e. there must be a table or something where it says "user X gave consent". It serves as evidence to say that the user has agreed to give his information (IP, email etc.) and he knows what we will use it for (mainly for the use of the service, that's our forum).
Write down whatever you need in "Forums - Registration Agreement" and that's it.
Users gonna click "I Agree" anyway. Hence the solution is in-built.
It's OK for new users, but how to force all existing users to click "I Agree" or "I don't Agree"? That's the problem. And where to click these options?
Let's say that we need a reset of the old agreement and force all existing users to read and agree (or not) to the new GDPR rules. Without this acceptance they would not continue to log in and post with the specific user.... That's the scenario we search. So, how to make this without a plugin?
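
The consent record that several posts in this thread ask for (evidence that "user X gave consent", plus a way to make existing users accept again), sketched as an added example that is not part of any post and is not MyBB code. The table names and the functions `may_post` and `pending_users` are hypothetical, and an in-memory SQLite database stands in for the forum database.

```python
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE policy (version INTEGER PRIMARY KEY, published_at TEXT NOT NULL);
CREATE TABLE consent_log (              -- append-only: rows are never updated
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    uid INTEGER NOT NULL,
    policy_version INTEGER NOT NULL REFERENCES policy(version),
    decision TEXT NOT NULL CHECK (decision IN ('accept', 'decline')),
    decided_at TEXT NOT NULL,
    source TEXT NOT NULL                -- e.g. 'registration' or 'reconfirm'
);
"""

def now():
    return datetime.now(timezone.utc).isoformat()

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def publish_policy(db, version):
    """Publishing a new version invalidates every earlier acceptance."""
    db.execute("INSERT INTO policy VALUES (?, ?)", (version, now()))

def record_decision(db, uid, decision, source):
    """Store one decision against the policy version in force right now."""
    current = db.execute("SELECT MAX(version) FROM policy").fetchone()[0]
    db.execute(
        "INSERT INTO consent_log (uid, policy_version, decision, decided_at, source)"
        " VALUES (?, ?, ?, ?, ?)", (uid, current, decision, now(), source))

def may_post(db, uid):
    """True only if the user's latest decision on the current policy is 'accept'."""
    row = db.execute(
        "SELECT decision FROM consent_log WHERE uid = ? AND policy_version ="
        " (SELECT MAX(version) FROM policy) ORDER BY id DESC LIMIT 1",
        (uid,)).fetchone()
    return row is not None and row[0] == "accept"

def pending_users(db, all_uids):
    """Users who must still be shown the 'Accept new rules' page."""
    return [u for u in all_uids if not may_post(db, u)]
```

Because decisions are tied to a policy version, publishing version 2 puts every existing account back into the pending list without touching the old rows, which remain as the evidence of what each user accepted and when.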