GDPR and vBulletin

This topic is closed.
  • Wayne Luke
    vBulletin Technical Support Lead
    • Aug 2000
    • 73979

    #16
    Originally posted by gsk8

    I noticed that XenForo has worked to find a way to help their users bring their forums into compliance. I realize that VB no longer develops version 4, but was wondering if there is still any input and/or assistance to help the forum owners do the same?

    Further, can anyone clarify the following?

    - Does the "right to erasure" extend to posts/content a user makes on a forum (except under specific contexts where said content is personal information)?

    - If a forum owner has a legitimate interest in retaining account details (for example to log troublesome users or enforce a 1 account policy), then do we have to delete an account?

    - What, if anything, can we add to TOS before someone registers to protect ourselves?

    - What, if anything, can we do to get current users to agree to new TOS before they can continue to post?
    I just want you to know that I am not ignoring the questions. I just don't have the answers yet. Waiting to be assigned a class on what is and what isn't necessary. Once I go through that then hopefully, I can answer your questions.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API

    Comment

    • gsk8
      Senior Member
      • Jun 2003
      • 482
      • 4.2.x

      #17
      Thanks Wayne!

      Paula

      Comment

      • Mrs.T
        Senior Member
        • Nov 2007
        • 1210
        • 6.0.X

        #18
        Originally posted by gsk8

        - What, if anything, can we do to get current users to agree to new TOS before they can continue to post?
        I'm not sure that we do need to make current members agree again.

        There is a good myth busting blog from the ICO:



        Specifically this part:

        Myth #9 We have to get fresh consent from all our customers to comply with the GDPR.

        You do not need to automatically refresh all existing consents in preparation for the new law.


        It then goes on with more information so you really need to read the whole thing but my interpretation is that as information is necessary for your members to actually use the forum then re-consent isn't needed.

        We are using a dismissible notice to tell members that our privacy policy has been updated.

        This is just our interpretation, we are not lawyers!


        Comment

        • gsk8
          Senior Member
          • Jun 2003
          • 482
          • 4.2.x

          #19
          Thanks! One problem, however, is that we must come up with a way to allow folks to change their mind if I understand it correctly. So even if current users did not "comply", something has to be instituted where they can delete their own accounts. This is going to get so hairy.....
          Paula

          Comment

          • Wayne Luke
            vBulletin Technical Support Lead
            • Aug 2000
            • 73979

            #20
            In vBulletin 4, you can create a custom profile field and require that it be updated on sign-on. You can obtain consent this way. The user can then either use the contact form or remove that field to remove consent. You would then have to delete their account and all personal information. You can do this in the AdminCP. There may be a "User Delete" Addon as well. I suggest changing their username before deleting if you don't use an addon. After changing the username, update their posts under maintenance->General Update Tools. Once that is done, then delete the user. If you decide to delete their content, you can do this from the Quick Links dropdown on their user profile within the AdminCP.

            We are working on additions to the software for GDPR support and to make vBulletin 5 compliant. I don't think it will be available for the May 25th, 2018 deadline, so using a notice and other mechanisms like custom profile fields would need to be used in the interim. Definitely update your privacy policies. Ours can be found here: https://www.internetbrands.com/priva....vbulletin.com

            If you need help working with the tools in vBulletin please open a support topic in the appropriate forum.

            Comment


            • In Omnibus
              In Omnibus commented
              You're not required to delete anything. The GDPR allows for the collection of data for statistical or historical purposes, so as long as your disclaimer says you collect data for those purposes you're in the clear.
          • gsk8
            Senior Member
            • Jun 2003
            • 482
            • 4.2.x

            #21
            Thanks.

            In Omnibus commented
            Thu 10th May '18, 3:37pm
            You're not required to delete anything. The GDPR allows for the collection of data for statistical or historical purposes, so as long as your disclaimer says you collect data for those purposes you're in the clear.
            Can you help me find where this is located? Or is this how the wording was perceived?

            Paula

            Comment

            • Mrs.T
              Senior Member
              • Nov 2007
              • 1210
              • 6.0.X

              #22
              Originally posted by gsk8
              Thanks.



              Can you help me find where this is located? Or is this how the wording was perceived?
              It's mentioned in this pdf from the ICO overview.

              You'll have to search for "historical" to find it, it's a big document!

              Comment

              • gsk8
                Senior Member
                • Jun 2003
                • 482
                • 4.2.x

                #23
                Hmmm....six "historicals" - all of which contain the words "scientific" and "research" in the same sentence.
                Paula

                Comment

                • zappaDPJ
                  Senior Member
                  • Jun 2007
                  • 675

                  #24
                  Originally posted by gsk8
                  Thanks.



                  Can you help me find where this is located? Or is this how the wording was perceived?
                  If taken in context as a reply to Wayne Luke's post, the statement that you're not required to delete anything is misleading at best. Under Article 17 individuals have the right to have personal data erased. However, it is not an absolute right; there are exceptions. One exception would be to comply with a legal obligation.

                  If you determine the individual does have the right to erasure and that no exceptions apply then you must remove all personal data and at the moment that includes replicated data i.e. quotes and possibly even dynamic IPs (see Patrick Breyer vs Germany - Case 582/140).

                  I'd consider this essential reading for a better understanding of the Right to Erasure: https://ico.org.uk/for-organisations...ht-to-erasure/
                  .

                  Comment

                  • gsk8
                    Senior Member
                    • Jun 2003
                    • 482
                    • 4.2.x

                    #25
                    I like to think that I'm about average in the intelligence department, but this ordeal makes me feel like I should go back to crayons and paper.
                    Paula

                    Comment

                    • Mrs.T
                      Senior Member
                      • Nov 2007
                      • 1210
                      • 6.0.X

                      #26
                      Originally posted by gsk8
                      I like to think that I'm about average in the intelligence department, but this ordeal makes me feel like I should go back to crayons and paper.
                      Same here

                      I still don't think that all posts would need to be removed.

                      If you remove all personal information from their account and turn them to "guest" and a post then reads "Hi I'm Bob, I'm looking for information about xyz" how can that be classed as identifying them?

                      If they posted their name and address, email address or something then yes, that individual post should be removed, but not all of them.

                      But that's just my thoughts.

                      We've always had a policy that email addresses and phone numbers are removed from posts and the member advised to use PM - simply to protect them from spam.

                      Comment

                      • zappaDPJ
                        Senior Member
                        • Jun 2007
                        • 675

                        #27
                        Originally posted by MrsTiggywinkle
                        If you remove all personal information from their account and turn them to "guest" and a post then reads "Hi I'm Bob, I'm looking for information about xyz" how can that be classed as identifying them?
                        That's not really a very good example because it contains some obvious personal information that would have to be removed
                        .

                        Comment

                        • Mrs.T
                          Senior Member
                          • Nov 2007
                          • 1210
                          • 6.0.X

                          #28
                          Originally posted by zappaDPJ

                          That's not really a very good example because it contains some obvious personal information that would have to be removed
                          No, because it does not identify them. I know about 6 people called Bob. There must be thousands in the UK. Reading the name Bob on a forum, how could I identify which, if any, it was?

                          Comment

                          • zappaDPJ
                            Senior Member
                            • Jun 2007
                            • 675

                            #29
                            Originally posted by MrsTiggywinkle

                            No, because it does not identify them. I know about 6 people called Bob. There must be thousands in the UK. Reading the name Bob on a forum, how could I identify which, if any, it was?
                            It doesn't matter if every single forum member is called Bob, it still qualifies as personally identifiable information (pii). If you read GDPR Article 4(1) which covers key definitions it states:
                            ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;


                            It could easily be argued that taken in isolation no pii would provide enough detail to identify a data subject but that's not how it works and the regulations are very clear on that which is why it specifies 'one or more factors'.
                            .

                            Comment

                            • Mrs.T
                              Senior Member
                              • Nov 2007
                              • 1210
                              • 6.0.X

                              #30
                              Well I'll bow to your superior knowledge but I won't lose any sleep over it. I'll cross that bridge when we come to it.

                              And any other idioms I can think of

                              Comment
