Forum GDPR compliance?

BigEd
Posts: 1838
Joined: Sun Jan 24, 2010 10:24 am
Location: West

Re: Forum GDPR compliance?

Post by BigEd » Fri May 25, 2018 5:37 pm

Good luck!

danielj
Posts: 6195
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: Forum GDPR compliance?

Post by danielj » Fri May 25, 2018 7:27 pm

There was some swearing, and some loss of bowel control, but we're back... :D

First bug:
https://www.phpbb.com/community/viewtop ... &t=2453611

but for some reason editing it in vim on the server didn't work... Editing it on the laptop and re-uploading it seemed to fix it all :)

d.

JonC
Posts: 649
Joined: Wed May 14, 2014 9:19 pm
Location: Wakefield

Re: Forum GDPR compliance?

Post by JonC » Fri May 25, 2018 8:06 pm

I've been heavily involved in GDPR at work.

Just to clarify some elements discussed.

* Data processing: There are 6 lawful purposes for processing, only one of which is 'Consent';
The most relevant one here is that it is 'necessary' in order for the person to use the service provided.

* Any data that is not used for this task should be removed, if and only if, there is no prior record of the person agreeing to this.
If they've already agreed and this is documented, no further action is needed.

* Information (including any program content) posted on a forum is considered to be in the public domain, GDPR does not supersede a person's responsibility to protect their own information, or be accountable for what they disclose in public. In such cases existing laws still apply.

* The other elements to consider are the 'rights' under GDPR;
- Right to Erasure (Right to be Forgotten) - If a user can delete their own account leaving no remnant data, then that right is fulfilled. The content of their posts can be left as they're in the public domain.
- Right to be Informed - People have the right to be informed as to how their data is used - This is typically included in a privacy notice.
- Right of access - People have the right to know what data is held - As far as I know, all data they supply is available in the control panel. However data retention does have to be considered.
- Right of Rectification - As long as people can correct any personal information held (i.e. via control panel), then we have provided that right.
- Right to Restrict Processing - Doesn't really apply here as long as the data usage can be turned off (i.e. by allowing the person to disable their account or opt back out of options they previously opted in to - such as emails for PM's etc)
- Right to Object - Not really relevant as long as the person can delete or disable their account.
- Right to Data Portability - Not really relevant as long as all data is contained in the Control Panel and easily referenced.

Looking at this the only things to be addressed are;
-- A Data Retention policy - how long will you keep the data (i.e. how long before an account becomes inactive and is disabled/deleted?)
-- A Patching Policy - How you will keep their data secure (e.g. by patching every six months and using best practices for PHP etc)
-- A Privacy Notice (which includes a summary of the Data Retention and Patching Policies and how a person can exercise their rights)

Most of GDPR is just formalising bits from the DPA along with a new raft of 'sticks' to beat the big organisations who don't comply.

Jon :D
Jon

BigEd
Posts: 1838
Joined: Sun Jan 24, 2010 10:24 am
Location: West

Re: Forum GDPR compliance?

Post by BigEd » Fri May 25, 2018 9:06 pm

That's good info - thanks!

danielj
Posts: 6195
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: Forum GDPR compliance?

Post by danielj » Fri May 25, 2018 9:11 pm

All done :) In so far as retention schedule, we'll work something out...

d.

roland
Posts: 2896
Joined: Thu Aug 29, 2013 8:29 pm
Location: Born (NL)

Re: Forum GDPR compliance?

Post by roland » Fri May 25, 2018 9:16 pm

Two other GDPR things:
- SSL is required
- data portability: please send me all my posts so that I can move my account to forum.acornatom.nl :lol:

I tried to make use of my right to be forgotten at our national "belastingdienst" (tax authorities) but my request was denied :cry:

Thank you Daniel for taking care of this.
256K + 6502 Inside
MAN WOMAN :shock:

danielj
Posts: 6195
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: Forum GDPR compliance?

Post by danielj » Fri May 25, 2018 9:17 pm

So part of the SSL setup is done, but I couldn't get the webserver to behave with it :(

d.

hoglet
Posts: 7126
Joined: Sat Oct 13, 2012 6:21 pm
Location: Bristol

Re: Forum GDPR compliance?

Post by hoglet » Fri May 25, 2018 9:19 pm

Daniel wrote: You have no idea how wrong that nearly went....
Pray do tell :D

Well done for pushing ahead with this =D> =D> =D> =D> =D>

danielj
Posts: 6195
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: Forum GDPR compliance?

Post by danielj » Fri May 25, 2018 9:25 pm

Just that error I pointed to earlier, I edited the file as directed in the errata notes, but it wouldn't work, and kept throwing up even more errors. I was just looking at restoring the backups and going from scratch when I gave it one last shot editing the file on the laptop and uploading it, and bang! it worked, the database updated and everything fell into place :)

d.

Rich Talbot-Watkins
Posts: 1281
Joined: Thu Jan 13, 2005 5:20 pm
Location: Palma, Mallorca

Re: Forum GDPR compliance?

Post by Rich Talbot-Watkins » Fri May 25, 2018 9:27 pm

Heads up - since the upgrade, I can no longer navigate to any link as a popup appears saying:

You cannot access links on this board until you have accepted the Cookie Policy.

(The only way I was able to get here was by opening each link in new windows each time). Happy to accept the Cookie Policy but not sure where it is!

danielj
Posts: 6195
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: Forum GDPR compliance?

Post by danielj » Fri May 25, 2018 9:28 pm

It should appear at the top of the screen? In yellow?

d.

Rich Talbot-Watkins
Posts: 1281
Joined: Thu Jan 13, 2005 5:20 pm
Location: Palma, Mallorca

Re: Forum GDPR compliance?

Post by Rich Talbot-Watkins » Fri May 25, 2018 9:29 pm

Alas, no! I did get a GDPR screen to accept though (which I did).

hoglet
Posts: 7126
Joined: Sat Oct 13, 2012 6:21 pm
Location: Bristol

Re: Forum GDPR compliance?

Post by hoglet » Fri May 25, 2018 9:30 pm

Rich Talbot-Watkins wrote:
Fri May 25, 2018 9:27 pm
Heads up - since the upgrade, I can no longer navigate to any link as a popup appears saying:

You cannot access links on this board until you have accepted the Cookie Policy.

(The only way I was able to get here was by opening each link in new windows each time). Happy to accept the Cookie Policy but not sure where it is!
I had this, and resolved it by pressing the "delete all board cookies" button at the bottom, and then logging back in again.

danielj
Posts: 6195
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: Forum GDPR compliance?

Post by danielj » Fri May 25, 2018 9:33 pm

I think I've fixed that now - it was only appearing on the board index.

d.

Rich Talbot-Watkins
Posts: 1281
Joined: Thu Jan 13, 2005 5:20 pm
Location: Palma, Mallorca

Re: Forum GDPR compliance?

Post by Rich Talbot-Watkins » Fri May 25, 2018 9:33 pm

Yeah I already tried that. But just realised that my ad-blocker was hiding the overlay. All good now :)

Elminster
Posts: 2054
Joined: Wed Jun 20, 2012 8:09 am
Location: Essex, UK

Re: Forum GDPR compliance?

Post by Elminster » Fri May 25, 2018 9:35 pm

I just clicked refresh and it sorted itself out and I was able to accept stuff.

Coeus
Posts: 779
Joined: Mon Jul 25, 2016 11:05 am

Re: Forum GDPR compliance?

Post by Coeus » Fri May 25, 2018 10:17 pm

roland wrote:
Fri May 25, 2018 9:16 pm
I tried to make use of my right to be forgotten at our national "belastingdienst" (tax authorities) but my request was denied :cry:
I read the pages from the UK ICO the other day and I still don't remember the finer details. What I do remember is this "right to be forgotten" is not absolute. I think it depends on the legal basis for which the info is being held. If it is to comply with the law or to carry out a statutory duty then this right doesn't apply. I think, for the category whose name I have forgotten that means "we need it to run our business", I don't think it is quite so clear, so it's only when you rely on consent and the subject is withdrawing that consent that they can then expect you to delete their data without objection.

Coeus
Posts: 779
Joined: Mon Jul 25, 2016 11:05 am

Re: Forum GDPR compliance?

Post by Coeus » Fri May 25, 2018 10:20 pm

JonC wrote:
Fri May 25, 2018 8:06 pm
- Right to Data Portability - Not really relevant as long as all data is contained in the Control Panel and easily referenced.
I was actually very impressed that the info on the ICO website about this talked about machine readable formats, mentioned the difference between proprietary and open and suggested some open formats such as CSV, XML and JSON. That's so different from how a government office that answers to a lawyer has typically behaved in the past.

1024MAK
Posts: 7442
Joined: Mon Apr 18, 2011 4:46 pm
Location: Looking forward to summer in Somerset, UK...

Re: Forum GDPR compliance?

Post by 1024MAK » Fri May 25, 2018 10:26 pm

Rich Talbot-Watkins wrote:
Fri May 25, 2018 9:27 pm
Heads up - since the upgrade, I can no longer navigate to any link as a popup appears saying:

You cannot access links on this board until you have accepted the Cookie Policy.

(The only way I was able to get here was by opening each link in new windows each time). Happy to accept the Cookie Policy but not sure where it is!
My Cookie Policy is to eat all the biscuits :D
For a "Complete BBC Games Archive" visit www.bbcmicro.co.uk NOW!
BeebWiki - for answers to many questions...

JonC
Posts: 649
Joined: Wed May 14, 2014 9:19 pm
Location: Wakefield

Re: Forum GDPR compliance?

Post by JonC » Fri May 25, 2018 11:18 pm

Coeus wrote:
Fri May 25, 2018 10:20 pm
JonC wrote:
Fri May 25, 2018 8:06 pm
- Right to Data Portability - Not really relevant as long as all data is contained in the Control Panel and easily referenced.
I was actually very impressed that the info on the ICO website about this talked about machine readable formats, mentioned the difference between proprietary and open and suggested some open formats such as CSV, XML and JSON. That's so different from how a government office that answers to a lawyer has typically behaved in the past.
Yep, the ICO has thrown quite a bit of thought at this, primarily because I suspect they drove the legislation in the first place!
Coeus wrote:
Fri May 25, 2018 10:17 pm
roland wrote:
Fri May 25, 2018 9:16 pm
I tried to make use of my right to be forgotten at our national "belastingdienst" (tax authorities) but my request was denied :cry:
I read the pages from the UK ICO the other day and I still don't remember the finer details. What I do remember is this "right to be forgotten" is not absolute. I think it depends on the legal basis for which the info is being held. If it is to comply with the law or to carry out a statutory duty then this right doesn't apply. I think, for the category whose name I have forgotten that means "we need it to run our business", I don't think it is quite so clear, so it's only when you rely on consent and the subject is withdrawing that consent that they can then expect you to delete their data without objection.
Broadly right.

Lawful bases for processing are;
Consent
Contractual
Legal Obligation
Vital Interests
Public Tasks
Legitimate Interests

I think Legitimate Interest is the one you mean. :)
Jon

topcat96
Posts: 155
Joined: Thu Jun 26, 2008 12:17 am
Location: Somewhere wonderful!

Re: Forum GDPR compliance?

Post by topcat96 » Fri May 25, 2018 11:42 pm

Rich Talbot-Watkins wrote:
Fri May 25, 2018 9:27 pm
Heads up - since the upgrade, I can no longer navigate to any link as a popup appears saying:

You cannot access links on this board until you have accepted the Cookie Policy.

(The only way I was able to get here was by opening each link in new windows each time). Happy to accept the Cookie Policy but not sure where it is!
You're lucky ... the board won't let me sign out without accepting the Cookie Policy first ...

I keep going around and around in circles and am beginning to think I'm stuck in the game, 3D Maze :lol: :lol: :lol:

ctr
Posts: 140
Joined: Wed Jul 16, 2014 2:53 pm

Re: Forum GDPR compliance?

Post by ctr » Sat May 26, 2018 9:46 am

JonC wrote:
Fri May 25, 2018 8:06 pm
* Information (including any program content) posted on a forum is considered to be in the public domain, GDPR does not supersede a person's responsibility to protect their own information, or be accountable for what they disclose in public. In such cases existing laws still apply.
I think it's worth clarifying that "in the public domain" has two meanings: "it has been published" and "it is not covered by copyright". In this context you mean the former.

JonC
Posts: 649
Joined: Wed May 14, 2014 9:19 pm
Location: Wakefield

Re: Forum GDPR compliance?

Post by JonC » Sat May 26, 2018 1:00 pm

ctr wrote:
Sat May 26, 2018 9:46 am
JonC wrote:
Fri May 25, 2018 8:06 pm
* Information (including any program content) posted on a forum is considered to be in the public domain, GDPR does not supersede a person's responsibility to protect their own information, or be accountable for what they disclose in public. In such cases existing laws still apply.
I think it's worth clarifying that "in the public domain" has two meanings: "it has been published" and "it is not covered by copyright". In this context you mean the former.
I actually meant it only to distinguish from what is considered 'personal' information. i.e. as a catch all for an area to which GDPR doesn't apply and existing laws do. :D
Jon

topcat96
Posts: 155
Joined: Thu Jun 26, 2008 12:17 am
Location: Somewhere wonderful!

Re: Forum GDPR compliance?

Post by topcat96 » Sat May 26, 2018 3:25 pm

topcat96 wrote:
Fri May 25, 2018 11:42 pm
You're lucky ... the board won't let me sign out without accepting the Cookie Policy first ...

I keep going around and around in circles and am beginning to think I'm stuck in the game, 3D Maze :lol: :lol: :lol:
Problem solved! The built in ad blocker in my browser was stopping the cookie accept box from appearing. Once *. was white-listed, everything seems to be okay now. =D>

danielj
Posts: 6195
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: Forum GDPR compliance?

Post by danielj » Sat May 26, 2018 3:57 pm

Phew - we don't have ads so you're safe whitelisting us :D

d.

1024MAK
Posts: 7442
Joined: Mon Apr 18, 2011 4:46 pm
Location: Looking forward to summer in Somerset, UK...

Re: Forum GDPR compliance?

Post by 1024MAK » Sat May 26, 2018 4:06 pm

danielj wrote:
Sat May 26, 2018 3:57 pm
Phew - we don't have ads so you're safe whitelisting us :D

d.
Apart from the for sale section.. :lol:
For a "Complete BBC Games Archive" visit www.bbcmicro.co.uk NOW!
BeebWiki - for answers to many questions...

sweh
Posts: 1920
Joined: Sat Mar 10, 2012 12:05 pm
Location: New York, New York

Re: Forum GDPR compliance?

Post by sweh » Mon May 28, 2018 5:15 pm

Odd; I got the GDPR interstitial again today, despite having accepted it yesterday...
Rgds
Stephen

VincentVega
Posts: 250
Joined: Thu Sep 11, 2008 9:19 pm

Re: Forum GDPR compliance?

Post by VincentVega » Mon May 28, 2018 5:18 pm

Me too.

danielj
Posts: 6195
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: Forum GDPR compliance?

Post by danielj » Mon May 28, 2018 5:21 pm

See my announcement - we've updated the privacy policy slightly to make it clear that we will email you after you've been inactive for 999 days and then delete your account within a year of that if you don't sign in again (in so far as is possible).

d.
