# [solved] Does the GDPR apply to a forum?



## qubit (Mar 6, 2018)

UPDATE 11 March 18: question answered. See my summary *here*. Thanks everyone.

UPDATE 24 May 18: *definitive answer regarding an individual*

There isn't an appropriate section for my question, so I've put it in General Software. Mods, please feel free to move it if you think it should be somewhere else.

I've been wanting to start a forum for the longest time and this year I might actually do it. It would start off as a general discussion forum with anonymous usernames as on here, with a tech corner, a bit like a small TPU and will be run as a non-profit. It might carry front page news at some point, but that would be some way off. _However, UK law is changing, with the Data Protection Act being replaced by the much tougher *EU General Data Protection Regulations* on 25th May and I wonder if it would apply to someone like me._

I'm not a business and at most, my forum would run a few ads to help pay the bills. I've looked it over, but the website doesn't clearly spell out the scope of whom it covers, so I'm not quite sure if it applies to me. Basically, if I'm going to be under some onerous provisions with heavy penalties then I won't bother.


----------



## dorsetknob (Mar 6, 2018)

my opinion 
it may have been more appropriate posted here ( Mods may also concur and subsequently move it, editing this post also )
https://www.techpowerup.com/forums/forums/programming-webmastering.52/

My Advice would be to call Someone like Godaddy and speak to "Customer/sales Service" with enquiries as to legal responsibilities/liabilities
and the same to Other Hosting services
get each to send you a laid out Costed Plan ie a pre Contract Document
Hope this helps and 
ps sorry if I'm telling you how to teach gran-ma how to suck eggs

Pps worth Speaking to @W1zzard for Advice


----------



## qubit (Mar 6, 2018)

Thanks D, that sounds like a good place to start. If W1z can chip in too, that would be great.


----------



## Bill_Bright (Mar 6, 2018)

I think you should consult a lawyer (solicitor in the UK).


----------



## dorsetknob (Mar 6, 2018)

STEP 1.See above talk to Hosting providers
STEP 2.


Bill_Bright said:


> I think you should consult a lawyer (solicitor in the UK).


Why pay for Legal Advice until you have confirmed if you have any POTENTIAL liabilities


----------



## Mindweaver (Mar 6, 2018)

dorsetknob said:


> my opinion
> it may have been more appropriate posted here ( Mods may also concur and subsequently move it, editing this post also )
> https://www.techpowerup.com/forums/forums/programming-webmastering.52/



I don't know if that is the right place without asking a few questions. 

@qubit are you asking what forum to use example ZenForo, vBulletin, etc.. or are you asking where to start and how to code it? Do you want to learn HTML, CSS3, PHP, JavaScript, asp.net and need help? If so then I will move it for you buddy.


----------



## Bill_Bright (Mar 6, 2018)

dorsetknob said:


> Why pay for Legal Advice until you have confirmed if you have any POTENTIAL liabilities


Because it is the solicitor's job to understand the laws and identify all those liabilities.

qubit has stated he will be accepting ad revenue to help pay the bills for the service he will be providing. That's a business - regardless if non-profit or not - regardless if he states it is a business or not.


----------



## qubit (Mar 6, 2018)

@Mindweaver No, it's just the legalities of setting up a forum. Regarding the technicalities such as software, servers, domains etc I can work out myself and will ask on here if I get stuck on any of it.

@Bill_Bright Wouldn't surprise me if you're right re ads and a business. Legal advice sounds like a good idea at some point. I belong to a union which should be able to get me that kind of formal advice for free. I just wanted to get a start on it here and also figured it would make for an interesting talking point.


----------



## CAPSLOCKSTUCK (Mar 6, 2018)

just do it.

In the UK the taxman isn't even interested in the first year....they expect a loss.

Speaking purely from personal experience.


----------



## dorsetknob (Mar 6, 2018)

you have to find out potential liabilities and the hosting company can indicate for free what they might be

Then you pay for ( if you proceed ) Legal advice on the whole plan

There is no Point in PAYING FOR LEGAL ADVICE till the Hosting Company indicates some form of liability or not 
if @qubit gets advice from a potential host that indicates for certain that he will have liabilities then he won't proceed
your Advice, while appropriate if he proceeds, would COST HIM MONEY that he may not necessarily need to spend if he does not proceed


----------



## Tatty_One (Mar 6, 2018)

I think, in relation to the new data protection legislation, it would depend on what data you were storing. If the registration process allowed a user to place a date of birth then you may come up with some problems, whereas an age may not. If all you asked from a user was an anonymous username and country of origin you may get away with it, but I agree it's worth getting some advice whatever the source, either that or wait until next year when we are not part of the EU and therefore may relinquish EU GDPR


----------



## Bill_Bright (Mar 6, 2018)

Tatty_One said:


> wait until next year when we are not part of the EU and therefore may relinquish EU GDPR


It seems pretty clear in the link qubit included, while the name may change, the meat of the law will remain the same. 





> The new Data Protection Bill going through Parliament will transpose the GDPR into UK law, and will continue to apply post-Brexit.


----------



## dorsetknob (Mar 6, 2018)

Bill_Bright said:


> It seems pretty clear in the link qubit included, while the name may change, the meat of the law will remain the same.


The devil is always in the Detail and until such laws are passed nothing is sure 
It's well Known here in Britain that certain parts of EU law will not be carried after Brexit
We will have to wait until Brexit to find out for sure ( and Subsequent relevant legal challenges)


----------



## Tatty_One (Mar 6, 2018)

Bill_Bright said:


> It seems pretty clear in the link qubit included, while the name may change, the meat of the law will remain the same.


Commercially many are not of the same opinion though. It is believed that a watered down version may well be implemented post Brexit as many flaws appear to have been identified already; suffice to say that times are uncertain and so is the longevity of this bill as it stands once we are outside of the EU.


----------



## Bill_Bright (Mar 6, 2018)

I don't know. When I lived in the UK, many of your consumer protection laws were tougher than ours in the US. You both are right and what happens in May may be watered down compared to the GDPR. But there is also the possibility of even greater protection for the consumer - which I see as a very good thing. The smarter bad guys have turned to hacking companies because they know companies have been too lax in protecting consumers' information.

The bad guys have been extremely successful at using socially engineered malware distribution methods to trick [poorly trained] company employees into clicking on a very legitimate looking but malicious link designed to exploit known but unpatched!!!!  vulnerabilities! And it has worked because executive management, CIOs and IT departments have failed to properly train employees to not be "click-happy". They have failed to impress upon IT personnel the need to apply security patches in a timely manner to minimize exposure of known vulnerabilities. And they have failed to invest essential resources in time, training and personnel to ensure a robust information protection plan is in place, is top notch, and remains top notch. 

Take the Equifax hack of 145 million accounts (including 15 million in the UK). The vulnerability was discovered and a patch developed and distributed to Equifax 2 full months before the hack occurred. They were even notified by US CERT of the vulnerability and patch. But they failed to apply the patch - in violation of their own 48 hour patch time requirement. They still don't know exactly how the bad guys got in because they failed to implement the essential monitoring tools. They don't even know how the bad guy was able to download the massive amounts of data on 145 million people and remain undetected - again, because they failed to implement the essential monitoring tools. 

And all that critical, highly sensitive data wasn't even encrypted!

I am all for less regulation but sadly, we have seen over and over - and over! - again companies' negligence - unwilling to invest in robust security - to include extensive employee training. I realize companies basically get $0.00/£0.00 on their IT security investment, but that's just become the cost of doing business in this bad guy infested digital age.

***

As far as the website host, pretty sure you have to sign an agreement absolving them of all liability - unless clearly their fault. I did for my business site with GoDaddy. 

At least before going live, if you are going to run a site that contains any personal data, you need to contact a lawyer/solicitor, and get some good insurance!


----------



## Sasqui (Mar 6, 2018)

qubit said:


> I'm not a business and at most, my forum would run a few ads to help pay the bills. I've looked it over, but the website doesn't clearly spell out the scope of whom it covers, so I'm not quite sure if it applies to me. Basically, if I'm going to be under some onerous provisions with heavy penalties then I won't bother.



It doesn't spell out who it applies to because it applies to *anyone* that collects data electronically.

It's intended to protect people from identity theft and maintain privacy. There are numerous laws in the US that are analogous; the one that comes to mind is *HIPAA*. That said, the US is wayyyy far behind the EU/UK in protecting personal data... *Equifax Breach* and the US government is not looking out for people, they are looking out for business. 

Basically, if you are collecting and/or using any personal information (and they spell it out), you are responsible for protection of that data from breach and intentionally or non-intentionally giving it away including derivatives or analysis that may give away personal data that can identify a specific individual.

Here's a snippet from GDPR:

*The key elements of the GDPR*

*Personal data*
The GDPR applies to personal data. This is any information that can directly or indirectly identify a natural person, and can be in any format. The Regulation places much stronger controls on the processing of special categories of personal data. The inclusion of genetic and biometric data is new.

*Personal data*

- Name
- Address
- Email address
- Photo
- IP address
- Location data
- Online behaviour (cookies)
- Profiling and analytics data

*Special categories of personal data*

- Race
- Religion
- Political opinions
- Trade union membership
- Sexual orientation
- Health information
- Biometric data
- Genetic data


----------



## Bill_Bright (Mar 6, 2018)

Sasqui said:


> *Equifax Breach* and the US government is not looking out for people,


They are not doing enough but again, the US CERT (part of US Homeland Security) did warn Equifax well before the breach. But Equifax failed to act on it. This one is 100% Equifax. 

Now what needs to happen is the government needs to fine the heck out of Equifax, and perhaps criminally charge their execs. That may get the attention of other businesses and get them to tighten up their security and training.

From that list, you will have their email address and IP address you will need to protect - assuming you will have them create accounts.


----------



## Sasqui (Mar 6, 2018)

Bill_Bright said:


> Now what needs to happen is the government needs to fine the heck out of Equifax, and perhaps criminally charge their execs. That may get the attention of other businesses and get them to tighten up their security and training.



This conversation is somewhat off topic...  *Congress voted to disallow class action lawsuits against Equifax*.  Another shining example of our GOP leadership, with VP Pence making the deciding vote:   https://techcrunch.com/2017/10/24/c...-other-companies-with-arbitration-agreements/


----------



## Bill_Bright (Mar 6, 2018)

Best to keep the political commentary to yourself or this thread will be shutdown.


----------



## the54thvoid (Mar 6, 2018)

@qubit - I work for a Local Authority Trust and we have been primed for the new data protection rules.  The elements that will concern you as a data processor and a data holder will be the security and clarity of what information you will hold and what will be done with it.  If you take our e-mail addresses and allow 3rd party 'spam' without our consent - you will be doomed.  If you do not hold our e-mails on secure servers with adequate encryption and they are stolen - you are doomed.

In short:

1 - Data must be held securely and safely.
2 - What you do with said data must be clearly explained.
3 - You must ensure when we sign up we agree to your terms and conditions and said conditions adhere to the new GDPR.
4 - Any unauthorised dissemination of personal data (e-mail, name connected with other data etc) will get your ass sued.



Bill_Bright said:


> Best to keep the political commentary to yourself or this thread will be shutdown.



If that were the case, certain forum members' avatars should be banned (not aimed at you).


----------



## Sasqui (Mar 6, 2018)

Bill_Bright said:


> Best to keep the political commentary to yourself or this thread will be shutdown.



Commentary aside, it's *fact*, not fake news. Just an example of how US elected leaders are beholden to donors, not their constituents.



the54thvoid said:


> In short:
> 
> 1 - Data must be held securely and safely.
> 2 - What you do with said data must be clearly explained.
> ...



Well said.  The best policy is not to store any personal information, unless you have a reason to


----------



## jsfitz54 (Mar 6, 2018)

the54thvoid said:


> I work for a Local Authority Trust and we have been primed for the new data protection rules. The elements that will concern you as a data processor and a data holder will be the security and clarity of what information you will hold and what will be done with it. If you take our e-mail addresses and allow 3rd party 'spam' without our consent - you will be doomed. If you do not hold our e-mails on secure servers with adequate encryption and they are stolen - you are doomed.
> 
> In short:
> 
> ...



Is this going to apply if the Servers are in one location and the Storefront is in a different location as well, non-profit or not?
What if all the components are off-shore, with "qubit" as an administrator only?


----------



## the54thvoid (Mar 6, 2018)

jsfitz54 said:


> Is this going to apply if the Servers are in one location and the Storefront is in a different location as well, non-profit or not?
> What if all the components are off-shore, with "qubit" as an administrator only?



It's not about profit or business use. It's simply about data retention and protection of personal data. If qubit is the administrator, he is the designated person in charge of the data (regardless of where it is kept), therefore he will be liable. Also, the regulations cover FOI requests as well, so qubit will need to be able to retrieve requests made by his customers on what data he stores about them. In normal use, there would be no issue as long as the data is used for the stated purpose and held according to the requirements of the law.


----------



## jsfitz54 (Mar 6, 2018)

the54thvoid said:


> It's not about profit or business use. It's simply about data retention and protection of personal data. If qubit is the administrator, he is the designated person in charge of the data (regardless of where it is kept), therefore he will be liable. Also, the regulations cover FOI requests as well, so qubit will need to be able to retrieve requests made by his customers on what data he stores about them. In normal use, there would be no issue as long as the data is used for the stated purpose and held according to the requirements of the law.



Is there any way "qubit" can limit or circumvent or eliminate personal legal exposure?

Edit:  "qubit" is a volunteer at a non-profit.


----------



## Tatty_One (Mar 7, 2018)

jsfitz54 said:


> Is there any way "qubit" can limit or circumvent or eliminate personal legal exposure?
> 
> Edit:  "qubit" is a volunteer at a non-profit.


I work for a large national charity and our volunteers are not exempt from legal exposure.


----------



## FordGT90Concept (Mar 7, 2018)

If you use GDPR-compliant forum software, it should cover most of the bases (especially consent and notice).


----------



## Mindweaver (Mar 7, 2018)

I mean how big of a forum are you expecting, qubit? 1 or 2 hundred million users? I mean, are we talking user count Facebook size or something smaller? I mean I already have you in jail over this GDPR. I know it's in place for people like you.. heheh j/k I think everyone is over thinking this forum. Just use the KISS method. Something like Username, password and maybe age verification. Once your forum starts generating real money then look into how to expand it and seek help from a real Lawyer, not users on a tech forum.. I mean really, that will hold up in court. -you, "No really a guy on TPU told me it was ok..."..


----------



## dorsetknob (Mar 7, 2018)

Mindweaver said:


> "No really a guy on TPU told me it was ok..."..


Wot, we are a respectful lot


----------



## qubit (Mar 7, 2018)

Lots of great responses here people.  I'll hopefully have time to reply properly this evening. If not, tomorrow evening.

@Mindweaver Look, nothing less than 20 million users is good enough for me, muhahaha! But seriously, it could be that this applies down to even one user for all I know. Also, as someone said, it might depend on what registration info I ask for. EDIT: In practice, if I have 100 users after a couple of months I'll probably be doing well, lol.


----------



## jsfitz54 (Mar 7, 2018)

Tatty_One said:


> I work for a large national charity and our volunteers are not exempt from legal exposure.



Any thoughts on if it's run as a private members club?


----------



## dorsetknob (Mar 7, 2018)

Private members Club or even if it's just a Family only website, I expect data laws still Apply
I'm afraid that's the way things are rolling these days


----------



## Bill_Bright (Mar 7, 2018)

jsfitz54 said:


> Edit: "qubit" is a volunteer at a non-profit.


It is not a "non-profit" unless legally set up as a non-profit organization and properly registered with and recognized by the Charity Commission (in the UK), IRS (in the US), and so forth depending on the country you live in.

You can't just claim an organization you start is a "non-profit" - even if it never makes a penny in profits.

The exception _might be_ if absolutely no money exchanges hands for any services rendered by that organization. That means no ad money, no donations accepted, no fees charged or accepted, including "in-kind" exchanges, etc. 100% of all expenses would have to come out of your own pocket.

I say "_might be_" because that is a very gray area so guess what? You need to consult a lawyer or solicitor.



Mindweaver said:


> Once your forum starts generating real money then look into how to expand it and seek help from a real Lawyer, not users on a tech forum.


So it is okay to take the advice from "users on a tech forum" before the company starts generating real money??? And only after it starts making money do you seek legal advice to learn how you should have set it up correctly in the first place???  Ummm, no! 

You are starting a business. Learn how to do it right from day 1. 

“_It’s better to beg for forgiveness than to ask for permission_” does *not* work when taxes (for profits or write-offs) and legal liabilities are involved.


----------



## Mindweaver (Mar 7, 2018)

Bill_Bright said:


> So it is okay to take the advice from "users on a tech forum" before the company starts generating real money??? And only after it starts making money do you seek legal advice to learn how you should have set it up correctly in the first place???  Ummm, no!
> 
> You are starting a business. Learn how to do it right from day 1.
> 
> “_It’s better to beg for forgiveness than to ask for permission_” does *not* work when taxes (for profits or write-offs) and legal liabilities are involved.


Clearly, I said it was not ok to take legal advice from a tech forum. Plus, he is asking about a forum and not how to start a money making "business". This thread is starting to get way out of hand and off topic. If it keeps going in this direction I'll close the thread. Stay on topic.


----------



## Bill_Bright (Mar 7, 2018)

Mindweaver said:


> Plus, he is asking about a forum and not how to start a money making "business".


Except he specifically stated in his opening post he does plan to accept money from ads to help pay the bills. That's a business so it is part of the topic. 

Whether it makes a profit, a loss or breaks even, that's really immaterial because of the potential tax issues that will arise. And if any personally identifiable information is collected (to include email addresses and IP addresses) then potential liability issues could arise too. 

While I have taken some business courses, and have my own LLC for my little computer repair shop (which, BTW, cost me less than $800 to set up), I sure am not a lawyer or an expert on taxes, LLCs or non-profits. 

Unless someone on this site steps up and claims to be such an expert and offers to give such legal advice, any advice we give - except to see a real expert - is just a waste of everyone's time, especially qubit's since he will be the one stuck with any fees or fines or both, should some issue arise.

I am not trying to run this thread OT. I just don't want qubit to get into any legal troubles for something that could have easily, and inexpensively been prevented from the get go. That's all I'm saying.


----------



## qubit (Mar 7, 2018)

Mindweaver said:


> Clearly, I said it was not ok to take legal advice from a tech forum. Plus, he is asking about a forum and not how to start a money making "business". This thread is starting to get way out of hand and off topic. If it keeps going in this direction I'll close the thread. Stay on topic.


Everyone: this is a really interesting and helpful thread for me, with some great replies and I'll read through it properly within the next 24 hours and give a proper reply, so please don't do anything that could trigger a thread closure like MW has said, or other mod action.


----------



## Tatty_One (Mar 7, 2018)

jsfitz54 said:


> Any thoughts on if it's run as a private members club?


I doubt that it would be given Charitable status by the Charities commission and if so we would likely have to hand back about £60 Mil worth of donations and also pay a lot more VAT


----------



## jsfitz54 (Mar 8, 2018)

Tatty_One said:


> I doubt that it would be given Charitable status by the Charities commission and if so we would likely have to hand back about £60 Mil worth of donations and also pay a lot more VAT



I did not mean your charity, sorry for the confusion.

I meant this for qubit's plan, the OP.  That's what I meant by "if *it's* run as private members club?"


----------



## qubit (Mar 11, 2018)

Ok peeps, my reply is a bit later* than billed, but I've finally read through the whole thread and I'm really grateful for all the helpful replies.

Here's the takeaway that I've gotten from all your responses.

- Ask hosting company and lawyer about the legalities and do it before setting anything up
- Possible insurance policy against getting sued or other legal action
- Type of data stored matters - some of the data types listed by Sasqui, eg IP address, email address etc will certainly be used by any forum software. I do plan to have people register anonymous accounts, like on TPU, which will use this data
- Technical security against intruders matters. I was already very aware of this and won't go ahead with it until this is sorted and proper database backups are in place. This is also a critical requirement
- Brexit could change the picture dramatically over time, just to keep things "interesting"  so I'll have to keep a close eye on this. _Please don't start talking brexit/politics though which could get this thread shut down. It's a factor, so I mention it here_
- After all this, according to @the54thvoid, the full weight of the GDPR would apply to me, so the project may never take off.  Time to shoot the messenger...

Again, I'll certainly be taking professional legal advice before creating a live forum.

Finally, a special thanks to @Bill_Bright for stressing the importance over several posts and in detail, of understanding the legalities and of covering my ass so I don't get nailed. 

*All my real life friends know that my timekeeping for anything is often terrible.  If I promise to come over between, say, 8:30-9pm, I'll probably be there at 9:30pm...


----------



## sandramorgan (Apr 18, 2018)

Trying to simplify GDPR is something I've been trying to get my head around the past few months! I found this useful free GDPR Checklist download here that's helped me as a small business owner, you may also find useful https://www.infinitygroup.co.uk/gdpr-checklist/


----------



## qubit (Apr 18, 2018)

Wicked, thank you. Getting pro legal advice is something that takes time and I still haven't gotten round to yet.


----------



## qubit (May 24, 2018)

Ok, I've finally got my definitive answer and it's not what I wanted to hear: as I suspected, the GDPR _does_ apply to an individual who's running a forum in a non-profit manner, even with no ads. This means that all the onerous conditions and sanctions will apply.

As I'm just one guy with shallow pockets who wants to run a hobby forum, that dream is now gonna have to die as I don't want to be liable for potentially getting sued with possible heavy sanctions applied to me. You can just imagine a disgruntled member who's just been banned wanting to get their own back at me through the GDPR for the kind of trouble that this can cause.

The answer is definitive, because today I asked a couple of people at work who manage the GDPR for the organisation (a fairly large one) who are experts in this. This saved me the expense and inconvenience of going to a lawyer.

I may resurrect this dream one day if my circumstances change, but don't hold your breath.

I see that TPU has now become GDPR compliant with that consent screen that came up the other day before I could go any further, so W1z and his management team now also have that responsibility on their shoulders.

*MODS, please don't close the thread, as I want people to be able to talk about this if they want.*


----------



## Vayra86 (May 24, 2018)

It really doesn't matter. Everyone who handles personal data and aggregates it in a database is subject to GDPR. And rightly so.

The intent of GDPR is precisely that: everyone who has access to other people's personal and privacy sensitive data is subject to the same principles. The idea of this is to effect a change in how we think about data and privacy, because the way it is now realistically is boundless and causing lots of issues, the half of which we haven't even remotely seen or considered.

But then again complying with GDPR really isn't rocket science. Especially if you are right now starting something new, it is MUCH easier to comply with GDPR standards than it is coming from an existing database with all its quirks, flaws and lost safeguards over time. The longer a database exists the higher the risk that somewhere along the way some critical information is leaked, either intentionally or unintentionally, even just simply because you make use of the data and because people tend to ask for help on things.


----------



## FordGT90Concept (May 24, 2018)

GDPR is regulation, regulations have cost, and GDPR has implementation costs that serve as an impediment to free speech.  Feels @qubit, feels.  Hopefully the GDPR noose will loosen some day so small sites like you're aiming to make will become feasible again.


----------



## Bill_Bright (May 24, 2018)

I am all for free speech but not at the expense of others - especially if that speech involves falsehoods. 

Freedom of speech does not imply the freedom to say whatever you want, whenever you want, wherever you want. 

Freedom isn't free. My right to privacy supersedes your right to expose my private information while I maintain my status as a private citizen. And for sure, you should not be able to profit from my personal information I did not give you permission to have or use.  

The intent of freedom of speech is to give free people the right to protest their governments and unfair practices imposed on those free people by their governments and other "organizations" - not fellow "private" citizens.


----------



## qubit (May 24, 2018)

@Vayra86 Sure, GDPR is great if you're the user whose organisation has data on you, but not so when you're a small operator. Of course it's not rocket science, but the fact that a user can demand all data held on them, and in particular this right to be forgotten, are problematic. Imagine a user with 5000 posts who's been banned or had some other infraction imposed on them demanding that all their posts be deleted. They now have that right and could compel the forum in law, which would put big holes in the forum threads. It could well happen to TPU at some point, so what do they do then?

Thanks @FordGT90Concept, I hope this becomes more practical at some point for me without worrying about liability too much.

What I'll do is let the situation stabilize and then take stock, whenever that will be. It could well be that there will be services that are willing to take on this responsibility and liability for a monthly fee and it's likely that forum software itself will be hardened and tuned to be GDPR compliant. All this put together might mitigate the risk and liability sufficiently that I'll be satisfied with the level it's at and would consider doing this again. I reckon it's gonna be longer than shorter though before this happens, if it does.

@Bill_Bright Sure, it's great for protecting us against the likes of Facebook and Cambridge Analytica and it's those kinds of abuses which have rightly helped shape this regulation. It's just unfortunate that it places a big burden of liability on someone wanting to start up a small hobby forum such as me, as I've explained above. Can't be helped, I guess.


----------



## Bill_Bright (May 24, 2018)

qubit said:


> It's just unfortunate that it places a big burden of liability on someone wanting to start up a small hobby forum such as me, as I've explained above. Can't be helped, I guess.


Yes, it does put the burden on you, but I don't really see that as such a burden as it appears at first glance. You can minimize your risks by minimizing the amount of personal information you collect. For example, I assume your real name is not qubit. I also assume you have not provided your phone number, street address or your SSN/IN. If you don't collect those, you don't have to worry about protecting that data. 

What you do need to ensure is you do due diligence in keeping your software current and data safe. If you demonstrate a lack of concern or care, like Equifax did, then you need to worry - unless you can afford their shysters... err... I mean nice lawyers.


----------



## qubit (May 24, 2018)

Bill_Bright said:


> Yes, it does put the burden on you, but I don't really see that as such a burden as it appears at first glance. You can minimize your risks by minimizing the amount of personal information you collect. For example, I assume your real name is not qubit. I also assume you have not provided your phone number, street address or your SSN/IN. If you don't collect those, you don't have to worry about protecting that data.
> 
> What you do need to ensure is that you do due diligence in keeping your software current and data safe. If you demonstrate a lack of concern or care, like Equifax did, then you need to worry - unless you can afford their shysters... err... I mean nice lawyers.


Did you know that even a username is considered to be personal data under the GDPR? An IP address, too. This wasn't the case before.

Sure, storing a minimum amount of data will help to shield against liability and the due diligence, but the risk is still there and the other things I've mentioned are still an issue. As I said, I'll look at this again when the new system has settled down.

Oh and why do you think my real name isn't qubit?!  I'm a quantum animal.


----------



## Bill_Bright (May 24, 2018)

I understand IP address, but user names are a bit different. Bill Bright is my real name so for sure that. But if there is no link between a made-up and a real name, I have my doubts that is enforceable.

But governments, especially in free societies, need small businesses to succeed. So they just won't put such restrictions on them to prevent them from even starting to get off the ground. If you make a sincere effort to protect your clients' data, your liabilities will be limited too. You might still be forced out of business if hacked, but clients cannot come take your first born.


----------



## FordGT90Concept (May 24, 2018)

GDPR is written to protect companies like Facebook and Google.  Now, instead of facing litigation like they should, they'll just point to GDPR and say "we complied."

The point of this thread isn't to debate policy; however, that's probably better placed in The Lounge on its own thread.


----------



## MrGenius (May 24, 2018)

Bill_Bright said:


> I am all for free speech but not at the expense of others...


Define "expense". If it hurts your feelings, or offends you, I shouldn't be allowed to say it? Wrong. That's precisely why the freedom to speak my opinions is protected.


Bill_Bright said:


> Freedom of speech does not imply the freedom to say whatever you want, whenever you want, wherever you want.


As long as you're not breaking any laws by doing so, it most certainly does imply such freedom.


Bill_Bright said:


> The intent of freedom of speech is to give free people to right to protest their governments and unfair practices imposed on those free people by their governments and other "organizations" - not fellow "private" citizens.


Talk about falsehoods. Like I said, I'm free to speak whatever, about *whomever*, whenever, and wherever I want. So long as I keep said speech within the bounds of the law. That speech being about or directed at a government,  an "organization", or a "private" citizen is totally irrelevant. 

Listen, I get your points. But you're crossing some definitive lines and being a little hypocritical in doing so.


----------



## DeathtoGnomes (May 24, 2018)

I hate to admit it but this is a great quote. Where did you find it?



Bill_Bright said:


> Freedom isn't free. My right to privacy supersedes your right to expose my private information while I maintain my status as a private citizen. And for sure, you should not be able to profit from my personal information I did not give you permission to have or use.


-----------


qubit said:


> Did you know that even a username is considered to be personal data under the GDPR? An IP address, too. This wasn't the case before.
> 
> Sure, storing a minimum amount of data will help to shield against liability and the due diligence, but the risk is still there and the other things I've mentioned are still an issue. As I said, I'll look at this again when the new system has settled down.
> 
> Oh and why do you think my real name isn't qubit?!  I'm a quantum animal.


From my understanding they decided to protect IP and usernames to keep them from being associated with each other, so the witch hunts could stop.


----------



## Vayra86 (May 25, 2018)

qubit said:


> @Vayra86 Sure, GDPR is great if you're the user whose organisation has data on you, but not so when you're a small operator. Of course it's not rocket science, but the fact that a user can demand all data held on them and in particular this right to be forgotten are problematic. Imagine a user with 5000 posts who's been banned or had some other infraction imposed on them demanding that all their posts be deleted. They now have that right and could compel the forum in law, which would put big holes in the forum threads. It could well happen to TPU at some point, so what do they do then?
> 
> Thanks @FordGT90Concept, I hope this becomes more practical at some point for me without worrying about liability too much.
> 
> ...



What they do is put a similar thing to 'low quality post' in place that becomes a placeholder with a message on it that says 'Comment removed under GDPR' or something along those lines. Done. So there are holes in threads? Who cares? This person wanted to be forgotten. How does that damage the rest of the world or the forum and its readers? If that person was a valuable asset to the community, he is not forgotten anyway, only in a digital sense. The only bit that is annoying is that you need to actually build and implement such a feature, along with an easy way to effectively remove a user entirely from your database. Which is why it's much easier for a startup to implement this from the start than it is for existing databases.

The biggest issue with GDPR and business is not the fact that it needs to be implemented (in a good way), it is the good old data hunger that companies have that they can no longer satisfy. And I think that also affects people like you, who start to realize what a tremendous amount of value is represented in all that data of all those users. It's no longer a free for all with anyone's data now. That takes some getting used to. And that is a very healthy learning process in my view. Not just for companies but for the users.


----------



## FordGT90Concept (May 25, 2018)

Entities can't collect what they aren't given.  What GDPR does that's frankly weird is mandate that websites allow the complete deletion of a user.  In other words, a retraction of everything the user did and said online.  What if that data is criminal in nature?  GDPR compels a website to destroy evidence which is, in turn, a criminal act.

There's also the issue of websites that share data with third parties be it advertisers, payment processors, or research firms.  GDPR can't possibly be expected to reach every single party the data was shared with, especially when the data is anonymized.

GDPR strikes me as a "feel good" policy that punishes the lawful (through regulation and litigation) and has no impact on the lawless (would require search warrants on servers to prove any wrongdoing which isn't going to happen).

EU seems to forget that maintaining data has financial costs: websites that have no vested interest in keeping the data will delete it simply to reduce costs regardless of GDPR.


For those saying GDPR is fantastic, enjoy your $322 billion tax.


----------



## btabke (May 25, 2018)

> What GDPR does that's frankly weird is mandate 
> that websites allow the complete deletion of a user. 

Yes, it is a mess.

a) If you delete a user name (without blocking reuse) a username can be recycled and thus someone can impersonate someone else (already happened on another forum yesterday)
b) Almost all modern software allows people to quote one another - there is no way to delete that sub-quoting really
c) Most forums are strictly anonymous. Anon signup - general anon email (gmail/hotmail/yahoo ... et al.)
d) Most forums are spidered and cached by third parties including public caching systems, search engines, and even foreign governments.
e) Most of us in the US are required by law to retain data that may be used in legal actions. (say someone slanders someone else in a forum and then asks to have their data deleted - that could be illegal in the US to delete)
f) IP addresses are not personally identifiable. Tor networks... VPNs... private VPNs... proxy caches, et al. - all mean that you don't know who is a user and who is not. How many Yahoo emails can you sign up for?
g) Email addresses are not personally identifiable. How many Yahoo emails can you sign up for in one hour? There are hundreds of free email providers - including some that expire in 10 mins.


> GDPR strikes me as a "feel good" policy

I totally agree. However, getting websites and software makers to rethink privacy is a net plus for everyone. I do like that the focus is on the end user for a change.

The problem I see is that it is just another thing to drive small websites out of business by raising the bar that only big corporate sites can match.


----------



## FordGT90Concept (May 25, 2018)

btabke said:


> d) Most forums are spidered and cached by third parties including public caching systems, search engines, and even foreign governments.


Even archive.org which has a library-like intent that is completely counter to GDPR.


----------



## bonehead123 (May 25, 2018)

I'm no lawyer, but the company I work for is based in the UK, with 20k+ employees worldwide, and they have more lawyers than most people have hairs on their bodies 

In April, we all had to attend a mandatory training class on the act, and this morning, everyone got a very seriously-toned email stating that it was now in effect as of _*TODAY (May 25)*_, and that if we had not taken the class yet, to get with the program by COB.

They made it very clear that ANY and ALL personal data WILL be protected in every way possible, and that ALL possible usage scenarios would be disclosed to the person providing the information prior to its collection. This includes our employees, customers, clients, vendors, 3rd party contractors etc etc...

It was also made clear to everyone that the penalties for leakage, misuse, or other breaches would include the maximum allowable monetary fines as well as immediate termination of employment!

So it would seem to be a very serious issue to ensure compliance with the act...


----------



## qubit (May 26, 2018)

Vayra86 said:


> What they do is put a similar thing to 'low quality post' in place that becomes a placeholder with a message on it that says 'Comment removed under GDPR' or something along those lines. Done. So there are holes in threads? Who cares? This person wanted to be forgotten. How does that damage the rest of the world or the forum and its readers? If that person was a valuable asset to the community, he is not forgotten anyway, only in a digital sense. The only bit that is annoying is that you need to actually build and implement such a feature, along with an easy way to effectively remove a user entirely from your database. Which is why its much easier for a startup to implement this from the start than it is for existing databases.


You miss the point. It's not the technicalities of implementing a delete-all feature, which isn't too complicated. It's that the forum content is no longer under my control as an admin. I don't want any holes in my forum due to messed up threads, so I don't want someone with a grudge to compel me to delete data from it.

If you remember, W1z implemented a 24 hour timeout on users editing their posts, after which they're locked. This is specifically because some user was deleting all their posts which was messing up the forum, so I'm not the only one who cares about this. Now he'll have to comply if they demand it.

Can you see the problem now?


----------



## ShannonApple (Jun 27, 2018)

You know, I was just reading through this thread. I co-run a small non profit forum community. We've had discussions about this ourselves and I've chatted with other forum owners too.

You know that user with the 5000 posts that wants his account deleted? He doesn't have the right to make you delete all 5,000 of his posts that could potentially wreck your site and in turn remove hundreds of other people's posts if he is the thread starter. Anyone could have posted that same exact thread. What gives him that right to remove someone else's posts? What he does have the right to is the removal of all personally-identifying information.

If you delete an account, generally their posts remain.  So you could change the name before deleting the account, but also remove any personal threads/posts that they may have made identifying their business or anything personal about them such as where they live. Then delete it.

Someone gained access and deleted my admin account on an old vBulletin forum. I was able to restore all of my posts (10 years worth) onto a new account using some database commands and only because my posts remained on the site as "deleted user." My user number also remained. At least that's how vBulletin behaves on deletion of an account with 50 or more posts.

Alternatively, you would be complying by changing the username, removing the user's email from your database (can be done in admin panel), changing the account pw, and removing all information from the profile and signature. Run a check on threads created and remove any thread/post that's specifically about them. All done.

That's more or less how I've interpreted it. I guess it's important to put all of that into your ToS though so that they understand what they are agreeing to on sign up.
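A compact sketch of the approach the last few posts describe: keep the posts under a "Deleted user" placeholder (Vayra86), scrub the account's identifying fields (ShannonApple), and retire the old username so it cannot be recycled for impersonation (btabke's point a). This is an added example, not code from any post here or from TPU's or vBulletin's software; the schema, sample rows and the `[quote="name"]` markup are all constructed assumptions.

```python
import sqlite3

# Constructed schema: personal data lives in `users`, posts reference the author
# by id only, and retired usernames block re-registration of an erased name.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,
    email TEXT, pw_hash TEXT, signature TEXT NOT NULL DEFAULT '',
    location TEXT NOT NULL DEFAULT '', erased INTEGER NOT NULL DEFAULT 0);
CREATE TABLE posts (id INTEGER PRIMARY KEY,
    author_id INTEGER NOT NULL REFERENCES users(id), body TEXT NOT NULL);
CREATE TABLE retired_usernames (username_ci TEXT PRIMARY KEY);
"""

def open_forum():
    """In-memory database seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO users (username, email, pw_hash, signature, location) VALUES (?, ?, ?, ?, ?)",
        [("qubit", "qubit@example.invalid", "hash-a", "I'm a quantum animal", "UK"),
         ("bill", "bill@example.invalid", "hash-b", "", "US")])
    conn.executemany(
        "INSERT INTO posts (author_id, body) VALUES (?, ?)",
        [(1, "Does the GDPR apply to a forum?"),
         (2, '[quote="qubit"]Does the GDPR apply to a forum?[/quote] Probably.'),
         (1, "Thanks, that helps.")])
    conn.commit()
    return conn

def placeholder(user_id):
    return f"Deleted user #{user_id}"

def erase_user(conn, user_id):
    """Strip identifying data but keep the posts, so threads stay intact.
    Retires the old username (case-insensitively), disables login by dropping the
    password hash, and renames quote attributions in other posts while leaving the
    quoted text alone. The [quote="name"] markup is a constructed assumption.
    """
    row = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None:
        raise KeyError(f"no such user {user_id}")
    old, new = row[0], placeholder(user_id)
    with conn:  # one transaction: the whole scrub happens or none of it does
        conn.execute("INSERT OR IGNORE INTO retired_usernames VALUES (?)", (old.casefold(),))
        conn.execute("UPDATE users SET username = ?, email = NULL, pw_hash = NULL, "
                     "signature = '', location = '', erased = 1 WHERE id = ?", (new, user_id))
        conn.execute("UPDATE posts SET body = REPLACE(body, ?, ?)",
                     (f'[quote="{old}"]', f'[quote="{new}"]'))
    return new

def register(conn, username, email, pw_hash):
    """Refuse a username retired by an erasure, so nobody can impersonate the old account."""
    if conn.execute("SELECT 1 FROM retired_usernames WHERE username_ci = ?",
                    (username.casefold(),)).fetchone():
        raise ValueError("username retired after an erasure; cannot be reused")
    with conn:
        cur = conn.execute("INSERT INTO users (username, email, pw_hash) VALUES (?, ?, ?)",
                           (username, email, pw_hash))
    return cur.lastrowid

def author_view(conn, post_id):
    """(display name, body) as a reader sees it: the thread survives, the person does not."""
    return conn.execute("SELECT u.username, p.body FROM posts p JOIN users u "
                        "ON u.id = p.author_id WHERE p.id = ?", (post_id,)).fetchone()
```

Search-engine caches and third-party copies (btabke's point d) are outside what any of this can reach; the example only covers the data the operator actually holds.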


----------



## Tatty_One (Jun 27, 2018)

I would figure, unless posts disclosed personal information then there should be no infringement in any case so absolutely no right to have them removed, a forum username does not identify the human and if that human is happy to use their real name as a forum username it makes no difference in any case as "personal information" requires more than just a name...... well that's the way I read it and I have already had to do 4 days of training on this very subject.... possibly bad training!


----------



## qubit (Jun 27, 2018)

I so wanna reply properly guys, but I'm at work, so can only make quickie forum posts sneaked in between work tasks...

Proper reply later!


----------



## ShannonApple (Jun 27, 2018)

Tatty_One said:


> I would figure, unless posts disclosed personal information then there should be no infringement in any case so absolutely no right to have them removed, a forum username does not identify the human and if that human is happy to use their real name as a forum username it makes no difference in any case as "personal information" requires more than just a name...... well that's the way I read it and I have already had to do 4 days of training on this very subject.... possibly bad training!


Haha! Regardless, I'd change the name anyway. I've done it for people even before this law came out. A username in itself can be identifying if they use the same one everywhere.


----------



## Bill_Bright (Jun 27, 2018)

Tatty_One said:


> I would figure, unless posts disclosed personal information then there should be no infringement in any case so absolutely no right to have them removed


There is no right to have them removed because every (pretty sure "every") site I have joined, I agreed to the terms of the site and those include the fact anything I post becomes the property of the site. So it is no longer mine to demand they be removed. 

Also, in most cases (I am one of the few exceptions), most users do not use their real names as their user names, or include personally identifiable information in their profiles (or signatures) when creating their accounts. So except for appeasing a spoiled brat having a puerile temper tantrum, there is no need to pay any attention to such requests.


----------



## dorsetknob (Jun 27, 2018)

W1zz already solved this


ShannonApple said:


> posts remained on the site as "deleted user."





ShannonApple said:


> Alternatively, you would be complying by changing the username,


By changing the user name to Deleted User.
All his forum threads and posts were then displayed as Deleted user (when I find *.* I'll post the link).


----------



## sepheronx (Jun 27, 2018)

I was looking at the title thinking "GDPR? They haven't existed since 1991".


----------



## Tatty_One (Jun 27, 2018)

ShannonApple said:


> Haha! Regardless, I'd change the name anyway. I've done it for people even before this law came out. A username in itself can be identifying if they use the same one everywhere.


The legislation however requires 2 linked pieces of personal data, so a name/username on its own is not covered by the legislation; add an age or date of birth for example to the name and then the "controller" is required to take the measures stipulated by the legislation.


----------



## Bill_Bright (Jul 3, 2018)

Time then to just ask for the year of birth and not the date of birth. 

Not sure name and user name should be lumped together, unless like me, they are one and the same.


----------



## FordGT90Concept (Jul 4, 2018)

Year isn't enough to determine age unless you get the floor of the value and block all content.  People who just turned the minimum age would be barred from the website for just under a year.


----------



## Bill_Bright (Jul 4, 2018)

Better than forever. That said, except for a very select few government, banking, and insurance websites, I have never had to provide proof of my birth date. And as far as I know, members providing positive proof of their identities and birthdates is not a requirement on sites like TPU.

This is another reason I don't think tech forum admin/owners (where anonymity is common) will be held to such high accountability standards as feared.


----------



## FordGT90Concept (Jul 4, 2018)

United States has a blanket 13 years of age consent requirement.  Younger than that requires parent/guardian approval because the user agreement is not bindable.

No, never have to prove it.  It's just a legal escape clause if they saw something they shouldn't have and legal proceedings follow.  The website operator can point to the user agreement and the fact that the user had to agree to it to access the website.  If they lied in agreeing, the website operator can't be held liable for anything the user saw/did that was age inappropriate.


----------



## Bill_Bright (Jul 4, 2018)

Right but even 13 is an arbitrary number. A 13 - 17 year old person cannot, on their own, enter into a legally binding agreement.


----------



## Tatty_One (Jul 4, 2018)

FordGT90Concept said:


> *United States has a blanket 13 years of age consent requirement.*  Younger than that requires parent/guardian approval because the user agreement is not bindable.
> 
> No, never have to prove it.  It's just a legal escape clause if they saw something they shouldn't have and legal proceedings follow.  The website operator can point to the user agreement and the fact that the user had to agree to it to access the website.  If they lied in agreeing, the website operator can't be held liable for anything the user saw/did that was age inappropriate.



Right and GDPR has just brought the EU onto that, previously it was under-12s required parental consent.


----------

