GDPR compliance solution - pls critique

gdpr

#1

I have read some of the GDPR threads here, doesn’t seem like we have a consensus as to how to handle the compliance at the moment.

Here’s what I am planning to do with the forum I manage for the time being until a better solution comes along. It is an ALL OR NOTHING approach if people want to use the forum, can someone please read and offer your feedback?

  1. For new users who register on or after May 25 - make it mandatory on sign up page that the following 5 boxes must all be checked before someone can create a new account

-terms of use
-privacy
-agree to receive email digest
-agree to IP address being stored
-agree to cookies

Have I missed anything? What else can I add?

  1. For existing users who wish to login to the forum on or after May 25, there will be a popup asking the user to check all 5 boxes before they can continue to use the forum, if they do not check all 5 boxes, they cannot login.

I am not sure how to implement this, if somone can help me with this step, please let me know, I can open a project in Marketplace to compensate you for your time.

  1. Users who wish to terminate their account and obtain an export of all their personal data and activities - I am not sure how to handle this as of now, will deal with it when I receive the request. My site is small, I know Discourse already provide means for users to download his posts or activities to a certain extent, worst comes to worst I will manually print out all the user’s posts and email him/her on a request by request basis.

Have I missed anything else that needs to be addressed under GDPR compliance?

Would appreciate any feedback and advice from the veteran posters here.

Thank you
Needhelp


Legal Tools Plugin
(jj11909) #2

I know in our installation we needed to edit our privacy policy to add in a few things. We needed a section on our responsible data controller as well as updating google analytics and a few other things.

One thing we have had come down as a thing needed in the future is the deletion and purging of accounts older than a specific timeframe. According to what I have been told by our HQ, we can only store data for as long as needed or a reasonable timeframe. Meaning, if a user hasn’t logged into the site do we really expect them to? At that point their data should be purged. Most places agree 5 years is reasonable.

Have you or anyone else discussed my the account purging?


(Luke S) #3

Don’t. Do. This. Leave it as optional, and set the user digest preference based on whether they check the box. Or Just default to off. The first thing I do with a new forum is turn off all emails except transactional. (Password reset or similar) It really, really annoys me when a website/forum makes email subscription a requirement to access the basic part of the service.


(Richard - DiscourseHosting.com) #4

The GDPR specifies the right to be informed. It doesn’t say anywhere that you should get permission on the ToS and privacy statements. The current links at the bottom of the signup screen are sufficient.

In my opinion the email digest is an integral part of the Discourse experience and that means that you do not need explicit permission because the processing is lawful “for the performance of the contract” that comes into existence when someone signs up.
This is my opinion and I know some people think differently. In that case just set the default email digest frequency to never.

Storing IP addresses is a legitimate interest of the forum owner and do not require permission from the user. You cannot even ask for permission here since you are collecting this information even for anonymous visitors.

Cookies and GDPR are (usually) not related. Other laws may apply here but (if you are not using Google Analytics) all cookies used by Discourse are so-called functional cookies and do not require extra permission.

In cases where the GDPR requires consent from a user that consent must be freely given, i.e. you cannot deny anything (apart for the functionality that is directly related to the permission) to the user when they do not agree. Forcing someone to check a checkbox in order to agree to something before they can continue is a violation of the GDPR law.

For the Privacy Policy, a global notice or a pinned post that users can dismiss will be a perfectly good method to inform your users of any changes in the Privacy Policy once they come up. You will only need to inform them, after all.
Please note that this might not be sufficient for future changes in your ToS but that is outside of GDPR scope depending on the exact changes.

Please note that these are two separate things. People can request an export at any time.

The functionality in Discourse regarding this is insufficient at this moment. This is not just about posts (that part is covered) but about likes, profile views, reading times, IP addresses etcetera.

At this moment we are working on an article for DiscourseHosting customers* that includes a verbose list of things you need to do (and things you don’t need to do). We will publish this on our website once it’s usable enough so it will be available to non-customers as well.

*) please note that we are not affiliated with Discourse.org


#5

Got it :slight_smile:

There are now a lot of threads Topics on GDPR … which is the ‘official’ one? One that gives us the final analysis from the Discourse team with a statement of readiness and any definitive steps forums are advised to take on top other than just upgrading to a certain version or above?


(Sam Saffron) #6

When you buy shoes do they automatically comply with all jaywalking laws in all countries? Do you buy jaywalking compliant shoes? Do you expect a book with the shoes you but with jaywalking rules for every country?

The software in not compliant or non-compliant it is your role as the person hosting a forum to be compliant.


#7

As a consumer I would definitely want to buy the shoes that automatically stop you from veering into traffic, those would be some fancy shoes :wink:

But on the other hand I can see how it would make you liable for people trying to pass the blame along the lines of “but your honour, it was the shoes fault for not stopping me from running directly in front of this car” :smiley:

Discourse already contains an admirable amount of functionality to make it GDPR-friendly, which I think should be more than good enough. I’m not sure if forcing users to click more buttons during the account creation is actually a good experience for anyone besides the lawyers who wrote this directive… The important part to me is that the settings exist, are exposed for end users and are easy to change.


(Sam Saffron) #9

I strongly disagree with that, there are laws requiring gun manufacturers to include safety latches, selling a gun without that is breaking a law.

Selling software without a magic, 1 click gdpr magic happiness extreme mode, is perfectly legal and acceptable


#10

@RGJ Thanks Richard, much appreciated for the feedback. I am already a customer of Discoursehosting, look forward to seeing the article.

Glad that you guys are making an effort to help your customers navigate through this.


#11

Agree 100%. Nobody is asking for a 1 click GDPR compliance button, just want to compare notes with others who are also facing the same issue to see what can be done to minimize our exposure.

We are all in it together to a large extent. What works for my forum will very likely work for others too.


#12

Neither article 15 nor article 20 of GDPR requires making absolutely all data available self-serve with a button. If someone really wants to demand absolutely all data that you have about them, article 15 makes clear that you can actually charge administrative fees for the special effort that might require.

Make sure you have a policy that makes it clear that users can reach out to you with requests to exercise their GDPR rights.


(Richard - DiscourseHosting.com) #13

Yes, @HAWK I absolutely agree with you, there is no need for this to make this a self-serve functionality - although it would be cool if there was some set of queries that could be ran by a forum admin.

I was responding to the remark of @needhelp who implied that the ‘download activity’ button would suffice here.


(Richard - DiscourseHosting.com) #14

No, it says that

For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs


(Richard - DiscourseHosting.com) #15

It’s not completely finished yet but I think the main processes are described well enough already, so I’m sharing the link with you.

https://www.discoursehosting.com/your-discourse-forum-and-the-gdpr/

We’ll add some more information about the legal / contractual / subprocessor stuff later this week.


(Kane York) #16

Read it over, looks great! Definitely will be saving that link to give to people.

A couple suggested edits on my first read:

For the mailing list example, the field text should say something more like “E-mail me updates about our $THING (read more)” and change Required At Signup to Show at Signup + editable afterwards.

Show an example of the query where the usernames + emails are exported only if the answer is Yes, because that’s what most of this will be used for!

Some people might try to object to the Trust Level processing - mention that the remedy for that is to lock their trust level & do manual upgrade reviews on request.


#17

@RGJ THANK YOU so much for taking a stab at this and doing it in plain simple English!!!

This helps tremendously.

I have to go over your article a couple more times, there are tons of useful info. For the time being, I do have a couple of questions/comments:

  1. I would argue that email digest is not an integral part of the service. Not receiving email digest will not affect a user’s participation in the forum. If we assume that a user who signs up an account is also interested in receiving email digest by default, this sounds more like bundling and a seperate consent should be created according to GDPR IMO.

  2. In your article, you wrote this about IP “You must make sure that you are only storing data for a reasonable time. You can argue that you will keep IP addresses around for a day or five but convincing someone that 50-day old logs are still needed to prevent DoS attacks will be pretty hard.”

Do we already have the ability to remove IP records in Discourse now or are you suggesting that we need to come up with a way to restrict how many days IP addresses are stored ?

Thanks again for the article, much appreciated!

Needhelp


(Richard - DiscourseHosting.com) #18

Thank you @riking and @needhelp for your feedback, I have processed your remarks.

I think the work on that is not completely completed at this moment.