Providing data for GDPR

The GDPR provides for both individual claims for compensation (Article 82) and enforcement by regulatory authorities (Article 83). No doubt, there will be systems for individuals to make complaints to authorities to assist in or decide claims for compensation. As you’re probably aware, in Europe regulatory and judicial authorities tend to take a more proactive and involved role in the enforcement of law, as opposed to the more adversarial systems in common law countries (i.e. the UK and its former colonies). The level of involvement and the procedure by which claims are dealt with depends on the country.

This is why I would re-emphasise that it’s important to consider who your relevant data protection authority is and to follow their guidance. If there is a claim for compensation under the GDPR, it is likely that they will be involved in some way, or that the guidance they publish will be relevant in any legal proceedings.

Nothing I laid out in my last post should be taken as saying “you should ignore the GDPR because you’re not Facebook”. Like I said in my post prior to that, I would again reiterate that GDPR compliance involves more administrative preparation rather than technical fixes. If you read any of the guidance published by the DPAs you’ll see that they emphasise having appropriate procedures in place to deal with a request if you get one, having appropriate documentation and giving appropriate notices.

There may also be technical fixes that can be applied in certain circumstances. There may be some improvements that we could make to Discourse in the way it handles things like IP addresses. However, on my reading of the GDPR and my understanding of Discourse, I’m personally yet to see a situation in which I can clearly say there is an issue requiring a technical solution. One may well arise, or be pointed out, and we can address it then.

It’s important to keep this in perspective. Like running any business or organisation, being a forum provider can potentially involve a whole host of legal obligations that extend far beyond the GDPR, most of which you have probably never considered before. I bet if I looked closely at any of your forums I could find a number of potential legal issues (note: for various administrative reasons, I’m not currently in a position to provide this as a formal service, and I am not actually reviewing any of your forums for legal vulnerabilities). I’ve pointed out a few regarding the default Terms and Conditions, but that’s just scratching the surface.

I don’t say this to scare you, rather to point out that in your normal course of business you swim above an in-depth consideration of your strict legal obligations (which is normally just fine). On the whole it’s a good thing that the GDPR has made people think seriously about privacy. There are some good things to be said about the suite of rights the EC has devised to handle privacy in the internet age. However, for most people, trying to engage with the GDPR at the level of the EC directive itself is risky as there are bound to be various ways in which you can misinterpret both what your obligations are and their scope.