GDPR countdown and compliance

Discourse is amazing, the Discourse team are amazing, the Discourse Community is amazing - but I am not convinced that the GDPR issue has seen any of these at their best. One week from the deadline and it is very hard to comply with GDPR if you use Discourse.

As far as key stakeholders in my projects are concerned, Discourse makes it hard for them to meet their legal responsibilities under GDPR. Some people here seem to think there is not a problem and I am making too much fuss - but the lawyers of people I am trying to engage with a product using Discourse are saying it is not good enough and they cannot allow their staff or service users to use Discourse until this is resolved. As such I am doing back-end coding to work around their concerns.

I shared my original concerns: Providing data for GDPR

Of these, I was wrong / reassured about the Discourse approach to the Right to be Forgotten. I have set things up so users can choose whether to completely remove or anonymize and I explain the merits of each. I think the Right to be Forgotten has a big tick - thanks team.

Also mentioned there, and alluded to but not explicit in @GBrowning's post that started the current thread, we still have a big red cross beside the ‘Right of Access’ box. This is a separate issue to Data Portability.

Whatever people here may think, my stakeholders (NHS and major UK charities) demand that I am able to respond to data access requests in a way that is compliant with GDPR. At the moment I cannot comply with this basic requirement under GDPR using native Discourse tools.

The ‘download all posts’ simply does not cut the mustard because it does not provide all the personal data held on the database. My work around: on my backend I am coding an extraction directly from the database to try and pull together all the ‘personal information’ that must as a matter of law, be provided in response to a request. This includes IP addresses, private messages and other data that is not currently included in the download. I am finding it hard going because my knowledge of the database is limited.

As of next Friday, I could email @codinghorror making a Data Access Request and Discourse would as a matter of law have to carry out exactly the same exercise - building queries to extract all my personal data to send to me within a month. If they do not do this, the penalty could (theoretically) be 4% of your turnover.

Of course I am going to make no such request, but across the EU companies, Charities and Public Bodies are working hard to establish whether they are in a position to comply with Data Access Requests.

If they use Discourse, they cannot, unless they do some strenuous deep diving with SQL.

There might be a few other issues still worthy of more discussion (such as whether some old data no longer has legitimate use and should be deleted) but Right of Access requests are the big headache for me.

13 Likes
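The kind of back-end extraction the post describes, as an added example that is not part of the original post and not Discourse's own code: a script that pulls one member's personal data from a Discourse-style database into a single structured export, covering the items the post says the built-in download misses (IP addresses and private messages) alongside account, profile, post and search data. The table and column names used here (`users.ip_address`, `users.registration_ip_address`, `user_emails`, `user_profiles`, `topics.archetype`, `topic_allowed_users`, `user_auth_tokens.client_ip`, `incoming_links.ip_address`, `search_logs.ip_address`) are assumptions drawn from the author's reading of the Discourse schema and must be checked against the live PostgreSQL database before use; the schema subset and the sample rows are constructed so the script runs offline against an in-memory SQLite copy. Against the real database the `?` placeholders become psycopg2's `%s`.

```python
"""Subject-access export over a Discourse-style schema (added example, not Discourse code)."""
import json
import sqlite3

# Constructed, simplified subset of the Discourse PostgreSQL schema.
# ASSUMPTION: table and column names follow the real Discourse tables as the
# example author understands them; verify each one with \d <table> in psql.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, name TEXT, created_at TEXT,
    last_seen_at TEXT, ip_address TEXT, registration_ip_address TEXT);
CREATE TABLE user_emails (user_id INTEGER, email TEXT, "primary" INTEGER);
CREATE TABLE user_profiles (user_id INTEGER, location TEXT, website TEXT, bio_raw TEXT);
CREATE TABLE topics (id INTEGER PRIMARY KEY, title TEXT, archetype TEXT, user_id INTEGER);
CREATE TABLE topic_allowed_users (topic_id INTEGER, user_id INTEGER);
CREATE TABLE posts (id INTEGER PRIMARY KEY, user_id INTEGER, topic_id INTEGER,
    post_number INTEGER, raw TEXT, created_at TEXT);
CREATE TABLE user_auth_tokens (user_id INTEGER, client_ip TEXT, user_agent TEXT, created_at TEXT);
CREATE TABLE incoming_links (user_id INTEGER, ip_address TEXT, created_at TEXT);
CREATE TABLE search_logs (user_id INTEGER, term TEXT, ip_address TEXT, created_at TEXT);
"""

# Constructed sample rows: two members, one public topic and one private message.
SAMPLE_ROWS = {
    "users": [(1, "alice", "Alice Example", "2018-01-02", "2018-05-17", "203.0.113.10", "203.0.113.5"),
              (2, "bob", "Bob Example", "2018-02-03", "2018-05-16", "198.51.100.7", "198.51.100.7")],
    "user_emails": [(1, "alice@example.org", 1), (2, "bob@example.org", 1)],
    "user_profiles": [(1, "Leeds", "https://alice.example", "Community volunteer"), (2, None, None, None)],
    "topics": [(10, "Welcome", "regular", 1), (11, "Re: your appointment", "private_message", 2)],
    "topic_allowed_users": [(11, 1), (11, 2)],
    "posts": [(100, 1, 10, 1, "Hello everyone", "2018-01-02"),
              (101, 2, 10, 2, "Hi Alice", "2018-01-03"),
              (102, 2, 11, 1, "Can we move Tuesday?", "2018-03-01"),
              (103, 1, 11, 2, "Tuesday is fine", "2018-03-01")],
    "user_auth_tokens": [(1, "203.0.113.10", "Mozilla/5.0", "2018-05-17"),
                         (1, "203.0.113.22", "Mozilla/5.0", "2018-04-01")],
    "incoming_links": [(1, "203.0.113.10", "2018-05-17"), (2, "198.51.100.7", "2018-05-16")],
    "search_logs": [(1, "gdpr", "203.0.113.22", "2018-04-01")],
}

# Every column assumed to hold a member's IP address, keyed by where it lives so
# the export can say which table each address came from.
IP_SOURCES = [
    ("users.ip_address", "SELECT CAST(ip_address AS TEXT) FROM users WHERE id = ? AND ip_address IS NOT NULL"),
    ("users.registration_ip_address", "SELECT CAST(registration_ip_address AS TEXT) FROM users "
                                      "WHERE id = ? AND registration_ip_address IS NOT NULL"),
    ("user_auth_tokens.client_ip", "SELECT CAST(client_ip AS TEXT) FROM user_auth_tokens WHERE user_id = ?"),
    ("incoming_links.ip_address", "SELECT CAST(ip_address AS TEXT) FROM incoming_links WHERE user_id = ?"),
    ("search_logs.ip_address", "SELECT CAST(ip_address AS TEXT) FROM search_logs WHERE user_id = ?"),
]


def build_sample_db():
    """Create an in-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rws in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rws[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rws)
    conn.commit()
    return conn


def export_subject_data(conn, user_id):
    """Collect the personal data held about one user across the tables above."""
    conn.row_factory = sqlite3.Row

    def rows(sql, params=(user_id,)):
        return [dict(r) for r in conn.execute(sql, params)]

    account = rows("SELECT id, username, name, created_at, last_seen_at FROM users WHERE id = ?")
    if not account:
        raise ValueError(f"no user with id {user_id}")

    ips = {}
    for source, sql in IP_SOURCES:
        for r in conn.execute(sql, (user_id,)):
            ips.setdefault(r[0], set()).add(source)

    # Private messages: the subject's own posts are theirs to receive, but the
    # other participants' posts are third-party data and are only counted here
    # so a human can review or redact them before anything is released.
    pms = rows("""SELECT t.id, t.title FROM topics t
                  JOIN topic_allowed_users tau ON tau.topic_id = t.id
                  WHERE t.archetype = 'private_message' AND tau.user_id = ?""")
    for pm in pms:
        pm["participants"] = [r["username"] for r in rows(
            "SELECT u.username FROM topic_allowed_users tau JOIN users u ON u.id = tau.user_id "
            "WHERE tau.topic_id = ? ORDER BY u.username", (pm["id"],))]
        pm["own_posts"] = rows("SELECT post_number, raw, created_at FROM posts "
                               "WHERE topic_id = ? AND user_id = ? ORDER BY post_number", (pm["id"], user_id))
        pm["third_party_posts_to_review"] = conn.execute(
            "SELECT COUNT(*) FROM posts WHERE topic_id = ? AND user_id <> ?", (pm["id"], user_id)).fetchone()[0]

    return {
        "account": account[0],
        "emails": rows('SELECT email, "primary" FROM user_emails WHERE user_id = ?'),
        "profile": rows("SELECT location, website, bio_raw FROM user_profiles WHERE user_id = ?"),
        "posts": rows("""SELECT p.id, t.title, t.archetype, p.raw, p.created_at FROM posts p
                         JOIN topics t ON t.id = p.topic_id WHERE p.user_id = ? ORDER BY p.created_at, p.id"""),
        "private_messages": pms,
        "ip_addresses": {ip: sorted(src) for ip, src in ips.items()},
        "search_terms": rows("SELECT term, created_at FROM search_logs WHERE user_id = ? ORDER BY created_at"),
    }


if __name__ == "__main__":
    print(json.dumps(export_subject_data(build_sample_db(), 1), indent=2, default=str))
```

Two points the export deliberately handles: a private message the requester took part in also contains the other participants' words, so those posts are counted for manual review rather than copied straight into the response; and IP addresses are only collected from rows that carry the subject's `user_id`, since addresses logged against anonymous visits cannot be reliably attributed to them. Each IP is reported with the table it came from, which makes it possible to justify (or later delete) each copy.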