Major Problem for GDPR: Deleting member does NOT attribute posts to Guest!

**In Omnibus** · Sat 29 Sep '18, 4:23am

What happens if you do a SQL search for a null value for the username field?

**djbaxter** · Sat 29 Sep '18, 4:51am

Nothing in the user table. No rows returned for userid = 0 or username = "NULL" or username = NULL or username = "" or username = "Guest"

But I discovered that in the post table still has username = {original username} and userid = 0 attached to that post

So now what? Do I do an update for all posts matching those criteria?

Even if that works for current posts, that won't prevent it happening for future GDPR requests.

There currently is no Guest Account because Guest posting isn't allowed. Could that be the problem? If so, how do I create a Guest account?

**djbaxter** · Sat 29 Sep '18, 5:23am

Step 1 is to update the post table to change {old username} to GDPR or something... userid can stay at 0... not sure of the SQL syntax for that update, though. Do you know?

Then I thought of this as a procedure for the future:

Create a new user account called GDPR (or whatever) and set that as a banned usergroup
Instead of deleting a user who requests deletion under the GDPR, merge the user with GDPR.

That should retain the data for the GDPR user (which is bogus) and then remove the actuak user's account.

Are there any drawbacks to this? Am I missing anything? The goal is to get rid of identifying information for the GDPR request.

**djbaxter** · Sat 29 Sep '18, 5:27am

Would this work without destroying the post table?

UPDATE `post` SET `username`='GDPR',`userid`=55631 WHERE `username`='olduser' AND `userid`=0

**djbaxter** · Sat 29 Sep '18, 5:36am

Actually that worked.

**Mark.B** · Sat 29 Sep '18, 6:19am

This is default vB4 behaviour. vB4 is end of life and thus has not had any changes for GDPR added to it.

I don't know if there are third party products that may assist.

**djbaxter** · Sat 29 Sep '18, 6:35am

Originally posted by Mark.B

This is default vB4 behaviour. vB4 is end of life and thus has not had any changes for GDPR added to it.

I don't know if there are third party products that may assist.

None that work. DBTECH has one which doesn't work and doesn't appear to be supported.Yilman has one that has its own limitations.

**djbaxter** · Sat 29 Sep '18, 6:48am

In Omnibus re: "The best solution is to include in your terms of use that data will not be deleted under any circumstances."

That would be nice but unfortunately if the site is in the EU it really isn't an option.

**djbaxter** · Sat 29 Sep '18, 2:46pm

Here's the procedure that I have now set up to delete an account requested under the GDPR:

Set up a new dummy account from the AdminCP that doesn't belong to anyone. I called it GDPR.
Make a new usergroup (I called ours GDPR Deleted Accounts) and assign the dummy account to that usergroup. Make the new usergroup a banned users account.
When a GDPR request is received, first require some confirmation of ownership of that account. In our first case, I sent an email to the account attached to the account to confirm that the owner could receive email there.
Once ownership is confirmed, do not use delete the account to remove the member. Instead, merge the account to be deleted with the GDPR account.
Finally, Update User Titles and Ranks and Rebuild Thread Information to erase the deleted member's name from "last post by" and similar labels.

**jagtpf** · Wed 22 May '19, 6:52am

I've had this problem too - even if you delete according to the manual, it retains the username but redefines them as 'guest'.

The only way I've been able to 'satisfy" GDPR is to use prune to remove all posts - I had to get rid of 18k worth of threads/posts and even then I think a few didn't get removed. Of course it causes all sorts of issues with counts which have to be adjusted.

**jagtpf** · Wed 22 May '19, 6:54am

Originally posted by djbaxter

Here's the procedure that I have now set up to delete an account requested under the GDPR:

Set up a new dummy account from the AdminCP that doesn't belong to anyone. I called it GDPR.
Make a new usergroup (I called ours GDPR Deleted Accounts) and assign the dummy account to that usergroup. Make the new usergroup a banned users account.
When a GDPR request is received, first require some confirmation of ownership of that account. In our first case, I sent an email to the account attached to the account to confirm that the owner could receive email there.
Once ownership is confirmed, do not use delete the account to remove the member. Instead, merge the account to be deleted with the GDPR account.
Finally, Update User Titles and Ranks and Rebuild Thread Information to erase the deleted member's name from "last post by" and similar labels.

Does this remove posts from the database?

**djbaxter** · Wed 22 May '19, 7:12am

Originally posted by jagtpf

Does this remove posts from the database?

No. It just attributes them to the dummy user instead of the original user.

**Wayne Luke** · Wed 22 May '19, 8:53am

1) Change the user's name to something like "Guest-3021931".
2) Update Post Information under General Update Tools.
3) Delete user.

**jagtpf** · Wed 22 May '19, 10:58pm

Originally posted by Wayne Luke

1) Change the user's name to something like "Guest-3021931".
2) Update Post Information under General Update Tools.
3) Delete user.

Technically that would work, but they could argue their posts are still on the Forum - and accessible to anyone who knew what a thread title was - plus you would at the same
time as changing their name, also have to delete all the entries in their profile including email and IP address.
It's not a single one button operation.

vBulletin 4 End of Life

Major Problem for GDPR: Deleting member does NOT attribute posts to Guest!

[Forum] Major Problem for GDPR: Deleting member does NOT attribute posts to Guest!

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Related Topics