GDPR and vBulletin

This topic is closed.

  • #16
    Originally posted by gsk8

    I noticed that XenForo has worked to find a way to help their users bring their forums into compliance. I realize that VB no longer develops version 4, but was wondering if there is still any input and/or assistance to help the forum owners do the same?

    Further, can anyone clarify the following?

    - Does the "right to erasure" extend to posts/content a user makes on a forum (except under specific contexts where said content is personal information)?

    - If a forum owner has a legitimate interest in retaining account details (for example to log troublesome users or enforce a 1 account policy), then do we have to delete an account?

    - What, if anything, can we add to TOS before someone registers to protect ourselves?

    - What, if anything, can we do to get current users to agree to new TOS before they can continue to post?
    I just want you to know that I am not ignoring the questions. I just don't have the answers yet. Waiting to be assigned a class on what is and what isn't necessary. Once I go through that then hopefully, I can answer your questions.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud customization and demonstration site.
    vBulletin 5 Documentation - Updated every Friday. Report issues here.
    vBulletin 5 API - Full / Mobile
    I am not currently available for vB Messenger Chats.



    • #17
      Thanks Wayne!

      Paula



      • #18
        Originally posted by gsk8

        - What, if anything, can we do to get current users to agree to new TOS before they can continue to post?
        I'm not sure that we do need to make current members agree again.

        There is a good myth busting blog from the ICO:

        https://iconewsblog.org.uk/2018/05/0...nder-the-gdpr/

        Specifically this part:

        Myth #9 We have to get fresh consent from all our customers to comply with the GDPR.

        You do not need to automatically refresh all existing consents in preparation for the new law.


        It then goes on with more information so you really need to read the whole thing but my interpretation is that as information is necessary for your members to actually use the forum then re-consent isn't needed.

        We are using a dismissable notice to tell members that our privacy policy has been updated.

        This is just our interpretation, we are not lawyers!


        __________________________________________
        We don't stop playing because we grow old;
        we grow old because we stop playing.
        GBS



        • #19
          Thanks! One problem, however, is that we must come up with a way to allow folks to change their mind if I understand it correctly. So even if current users did not "comply", something has to be instituted where they can delete their own accounts. This is going to get so hairy.....
          Paula



          • #20
            In vBulletin 4, you can create a custom profile field and require that it be updated on sign-on. You can obtain consent this way. The user can then either use the contact form or remove that field to remove consent. You would then have to delete their account and all personal information. You can do this in the AdminCP. There may be a "User Delete" Addon as well. I suggest changing their username before deleting if you don't use an addon. After changing the username, update their posts under maintenance->General Update Tools. Once that is done, then delete the user. If you decide to delete their content, you can do this from the Quick Links dropdown on their user profile within the AdminCP.

            We are working on additions to the software for GDPR support and to bring vBulletin 5 into compliance. I don't think it will be available for the May 25th, 2018 deadline so using a notice and other mechanisms like custom profile fields would need to be used in the interim. Definitely update your privacy policies. Ours can be found here: https://www.internetbrands.com/priva....vbulletin.com

            If you need help working with the tools in vBulletin please open a support topic in the appropriate forum.
            Wayne Luke


            • In Omnibus
              In Omnibus commented
              You're not required to delete anything. The GDPR allows for the collection of data for statistical or historical purposes, so as long as your disclaimer says you collect data for those purposes you're in the clear.

          • #21
            Thanks.

            In Omnibus commented
            Thu 10th May '18, 3:37pm
            You're not required to delete anything. The GDPR allows for the collection of data for statistical or historical purposes, so as long as your disclaimer says you collect data for those purposes you're in the clear.
            Can you help me find where this is located? Or is this how the wording was perceived?

            Paula



            • #22
              Originally posted by gsk8
              Thanks.



              Can you help me find where this is located? Or is this how the wording was perceived?
              It's mentioned in this pdf from the ICO overview.

              You'll have to search for "historical" to find it, it's a big document!

              https://ico.org.uk/media/for-organis...-gdpr-1-13.pdf


              • #23
                Hmmm....six "historicals" - all of which contain the words "scientific" and "research" in the same sentence.
                Paula



                • #24
                  Originally posted by gsk8
                  Thanks.



                  Can you help me find where this is located? Or is this how the wording was perceived?
                  If taken in context as a reply to Wayne Luke's post, the statement that you're not required to delete anything is misleading at best. Under Article 17 individuals have the right to have personal data erased. However, it is not an absolute right; there are exceptions. One exception would be to comply with a legal obligation.

                  If you determine the individual does have the right to erasure and that no exceptions apply then you must remove all personal data and at the moment that includes replicated data i.e. quotes and possibly even dynamic IPs (see Patrick Breyer vs Germany - Case 582/140).

                  I'd consider this essential reading for a better understanding of the Right to Erasure: https://ico.org.uk/for-organisations...ht-to-erasure/


                  • #25
                    I like to think that I'm about average in the intelligence department, but this ordeal makes me feel like I should go back to crayons and paper.
                    Paula



                    • #26
                      Originally posted by gsk8
                      I like to think that I'm about average in the intelligence department, but this ordeal makes me feel like I should go back to crayons and paper.
                      Same here

                      I still don't think that all posts would need to be removed.

                      If you remove all personal information from their account and turn them to "guest" and a post then reads "Hi I'm Bob, I'm looking for information about xyz" how can that be classed as identifying them?

                      If they posted their name and address, email address or something then yes, that individual post should be removed, but not all of them.

                      But that's just my thoughts.

                      We've always had a policy that email addresses and phone numbers are removed from posts and the member advised to use PM - simply to protect them from spam.


                      • #27
                        Originally posted by MrsTiggywinkle
                        If you remove all personal information from their account and turn them to "guest" and a post then reads "Hi I'm Bob, I'm looking for information about xyz" how can that be classed as identifying them?
                        That's not really a very good example because it contains some obvious personal information that would have to be removed.



                        • #28
                          Originally posted by zappaDPJ

                          That's not really a very good example because it contains some obvious personal information that would have to be removed
                          No, because it does not identify them. I know about 6 people called Bob. There must be thousands in the UK. Reading the name Bob on a forum, how could I identify which, if any, it was?


                          • #29
                            Originally posted by MrsTiggywinkle

                            No, because it does not identify them. I know about 6 people called Bob. There must be thousands in the UK. Reading the name Bob on a forum, how could I identify which, if any, it was?
                            It doesn't matter if every single forum member is called Bob, it still qualifies as personally identifiable information (pii). If you read GDPR Article 4(1) which covers key definitions it states:
                            ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
                            http://eur-lex.europa.eu/legal-conte...6R0679&from=EN

                            It could easily be argued that taken in isolation no pii would provide enough detail to identify a data subject but that's not how it works and the regulations are very clear on that which is why it specifies 'one or more factors'.


                            • #30
                              Well I'll bow to your superior knowledge but I won't lose any sleep over it. I'll cross that bridge when we come to it.

                              And any other idioms I can think of