GDPR and EnglishForum

[Spinal]

	Quote:	mirfield
	That's what I wrote In theory, your user name could be changed to something random before the deletion, and your avatar would not be visible after deletion. But your user name would still be visible in quoted text; that could be fixed, but it would again rely on directly SQLing the database.

Sorry - missed that bit.

As for removing username, there's a faster/easier way. An admin can add the username to the banned words (like swear words), and it should replace any instance of the username with asterisks.

Still doesn't fix unstructured personal data...

[3Wishes]

	Quote:	Spinal
	...Still doesn't fix unstructured personal data...

In terms of forums, don't you think there's also an element of personal responsibility? People join forums such as ours voluntarily. They share as much or as little as they want. Even if we delete instances from EF, pages have been cached by Google bots and the like. It's very, very hard to totally erase everything you've ever posted online from all locations, forever.

Although forums will get lumped in, I think GDPR is more about 3rd party companies that collect your data. For example any time you (generic you, as in any person) go to a website, there are dozens of trackers that follow you across the internet.

Most websites have a pop-up these days that say by continuing to use the site, you consent to the use of the cookies, which pretty much includes the 3rd party trackers. But the devil is in the detail of the privacy and cookie policies. How do you know what sites are tracking you and what info they have?

By using any site you've consented to others having your "personal data", but you don't always know precisely what is collected or where it's going. If a person is that paranoid about personal data he or she should basically stay off the internet, no?

[mirfield]

	Quote:	Spinal
	As for removing username, there's a faster/easier way. An admin can add the username to the banned words (like swear words), and it should replace any instance of the username with asterisks.

Be a bit awkward for anyone seeking help with a spinal injury or enquiring about the wonderful sightseeing opportunities for a fortnight in Mirfield

[Urs Max]

	Quote:	Spinal
	It's really hard to delete/scramble personal data from unstructured data (e.g. the post content). e.g. if I say that I live in Zurich, my age is 128 years old and I'm male - that can probably uniquely identify me. Thus the content of this post, would be personal data. Good luck identifying that without manually going through all my posts.

Not in the sense of GDPR. See paragraph (15)

To paraphrase:
The processing must be automated and the data structured to facilitate easy access to the personal data in question.

	Quote:	Spinal
	Sorry - missed that bit. As for removing username, there's a faster/easier way. An admin can add the username to the banned words (like swear words), and it should replace any instance of the username with asterisks. Still doesn't fix unstructured personal data...

Have you seen ****** Tap?

Very bad idea.

[Spinal]

	Quote:	3Wishes
	In terms of forums, don't you think there's also an element of personal responsibility? People join forums such as ours voluntarily. They share as much or as little as they want. Even if we delete instances from EF, pages have been cached by Google bots and the like. It's very, very hard to totally erase everything you've ever posted online from all locations, forever. Although forums will get lumped in, I think GDPR is more about 3rd party companies that collect your data. For example any time you (generic you, as in any person) go to a website, there are dozens of trackers that follow you across the internet. Most websites have a pop-up these days that say by continuing to use the site, you consent to the use of the cookies, which pretty much includes the 3rd party trackers. But the devil is in the detail of the privacy and cookie policies. How do you know what sites are tracking you and what info they have? By using any site you've consented to others having your "personal data", but you don't always know precisely what is collected or where it's going. If a person is that paranoid about personal data he or she should basically stay off the internet, no?

Consent is actually the hardest (imho) reason for processing to deal with. If you are processing under consent, the data subject is allowed to withdraw consent with associated implications.

Much easier to have a contractual basis or legitimate interest in most cases...

That said, in terms of a site like this where you have consented and data is being processed under consent. While there may be an element of personal responsibility, the onus is on the company to protect your data.

My personal take, (I am not a/your lawyer), is that a forum like this would be looking at shifting the focus to all data being uploaded is being made public by the data subject, thus, explicitly excluded from GDPR as it is now public data.

	Quote:	Urs Max
	Not in the sense of GDPR. See paragraph (15) To paraphrase: The processing must be automated and the data structured to facilitate easy access to the personal data in question.

This assumption may be based on the scope of GDPR, which states that "this Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system."

The GDPR therefore basically refers to automated or partially automated data processing and to data processing that forms part of a filing system or are intended to form part of a filing system, even if it is not automated. The GDPR also defines the concept of a filing system, which imeans "any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis."

The Regulation also covers manual data processing when it comes to data structured based on specific criteria. On the other sied, the preamble to the GDPR (15) provides that "files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation." However, please keep in mind that the laws of the Member State may extend the application of the data protection rules to unstructured files or sets of files, even if they are processed manually.
(Source: http://gdpr.blog.hu/2018/04/30/5_1_m...on_of_the_gdpr )

[Urs Max]

How is my previous post an assumption?

[Spinal]

	Quote:	Urs Max
	How is my previous post an assumption?

It's a quote from the linked site I can't edit to put quotation marks.

The crucial part from the regulation is this:

"this Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system."

Hence, processing does not need to be automated, as long as it's part of a filing system. Next, a filing system is defined as "any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis."

Therefore, you can have:
* unstructured personal data, which is processed partly or wholly by automated means (e.g. forum posts)
* structured personal data, which is not processed by automated means (e.g. a paper filing archive)
both of which would be in scope.

[mirfield]

One forum I frequent has has closed down and deleted the database.

He was running the site himself as a hobby, and it was the simple answer to all the hassle he was getting.

Sounds like a good idea.

[3Wishes]

	Quote:	Editor Bob
	Sounds like a good idea.

No, that sounds like a terrible idea!

[Medea Fleecestealer]

No, definitely not a good idea! Please don't!

[SOBEIT]

Who in EF does one contact to put a Data request in on the 25th May?

[curley]

	Quote:	SOBEIT
	Who in EF does one contact to put a Data request in on the 25th May?

You're trying to get all mods to quit by May 24th?

[dangerden]

As a software developer who was struggling to make several projects to comply with GDPR I would highlight several important aspects:

1. Any business working with EU citizens has to comply. Unless EnglishForum bans every EU citizen from the website it has to comply.
2. Personal Information is a very broad term. Cookies, google analytics, avatar, private messages between members, IP addresses, there's definitely a lot of sensitive private information collected.
3. EnglishForum has to provide an easy human-friendly description on how that data is used and protected.
4. EnglishForum has to get a clear consent upon a new user (as well as old ones) land on the site / register. It might be better to send emails to old users.
5. EnglishForum should provide a way to remove personal data of particular user upon his or her request. It is argueable whether public posts are private information and should be protected, most likely not.
6. EnglishForum should be able to explain its data protection efforts, for example tell that they do not store login, password, personal data (let's say private messages) in plain text.

That doesn't mean that if EnglishForum doesn't comply it would get into any trouble. So far everything was peaceful and no one was hurt :-) But the measures are definitely not hard to implement.

[SOBEIT]

No one hurt yet but predicted fines imposed will damage not only reputation but the pocket too.

[dangerden]

	Quote:	SOBEIT
	No one hurt yet but predicted fines imposed will damage not only reputation but the pocket too.

I guess one should be as juicy as Facebook and leak a lot of data to get a max fine.

[SOBEIT]

Have I missed EF’s privacy notice or have they chose the non-complaint route?

[curley]

	Quote:	SOBEIT
	Have I missed EF’s privacy notice or have they chose the non-complaint route?

Maybe it's only for newbies.
What do you want to complain about after 8 years? What ever it is, you partly caused it

	Quote:	SOBEIT
	Have I missed EF’s privacy notice or have they chose the non-complaint route?

Neither, they decided that no changes were necessary, that they already complied, so there's no need for a new privacy notice.