Providing data for GDPR

Yes. Guaranteed that you are concerned if your forum is a commercial one (ads and whatnot), debatable if it’s a small non-commercial forum (but by debatable I mean I called a lawyer in my country and they told me that yes, I should try and be compliant).

Not exactly. There are a few main challenges left (and if those are taken care of then Discourse would be in a pretty good spot):

  • Agreement to your terms of service has to be explicit, not implicit. Aka via a checkbox. You need to store this data somewhere afterwards too - when the user agreed to it. This is kinda important cuz for instance sending someone emails without their consent can cause QUITE severe repercussions (here’s an example from the UK). Also - one checkbox per one type of personal data. You can’t have a generic “I agree to the terms of service” and have a 50-page document there.
  • If your ToS changes, everyone should be asked to reconfirm that they still agree.

You are at least partially covered with other points - Discourse provides means to be forgotten (although you still need to ensure that you won’t store this data forever in backups), there are ways of exporting personal data too.

Of course you also need to create your document on GDPR. Aka what you store, how important it is and how you secure it (GDPR does not actually state many official guidelines; you decide by yourself how to accomplish a sufficient level of security for your application and only in case of a failure need to prove that this was reasonable). You can have a lawyer help you write one or you can do it yourself - e.g. that all data is on a server hosted in Europe (good if you have a data processing agreement with your ISP), backups are encrypted and kept in an Amazon S3 bucket (located in Frankfurt for instance), you are using full drive encryption and you cleanse logs every 30 days (to get rid of old IP addresses and whatnot since they too fall under GDPR). Then you write that you store email addresses (explicitly), IP addresses (implicitly but only for logging/security reasons for X days), names/surnames (explicitly) and if you use marketing services - which ones and what kind of data about your users goes to them. This should be sufficient for a smaller forum.

2 Likes
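The consent and log-retention points in the reply above (one explicit checkbox per purpose, a stored record of when and under which ToS version the user agreed, re-confirmation when the ToS changes, and pruning logs after 30 days) can be sketched as a small consent ledger. This is an added, stand-alone example in Ruby, not code from Discourse or from the poster; the `ConsentLedger` class, its purposes, the `prune_log_lines` helper and the sample log lines are all hypothetical and constructed for illustration.

```ruby
require 'time'

# Hypothetical consent ledger (not Discourse code). One record per explicit
# consent: who, for which purpose, under which ToS version, and when.
class ConsentLedger
  PURPOSES = %i[terms_of_service marketing_email].freeze

  Record = Struct.new(:user_id, :purpose, :tos_version, :granted_at, :withdrawn_at,
                      keyword_init: true)

  attr_reader :current_tos_version

  def initialize(current_tos_version:)
    @current_tos_version = current_tos_version
    @records = []
  end

  # Record an explicit, affirmative action for exactly one purpose.
  # A pre-ticked box or implicit acceptance is rejected: checked must be true.
  def grant(user_id:, purpose:, checked:, at: Time.now.utc)
    raise ArgumentError, "unknown purpose #{purpose}" unless PURPOSES.include?(purpose)
    raise ArgumentError, 'consent must be an explicit affirmative action' unless checked == true

    @records << Record.new(user_id: user_id, purpose: purpose,
                           tos_version: @current_tos_version, granted_at: at, withdrawn_at: nil)
  end

  # Withdrawal is kept in the ledger rather than deleting the record, so the
  # audit trail still shows that consent once existed and when it ended.
  def withdraw(user_id:, purpose:, at: Time.now.utc)
    active(user_id, purpose)&.withdrawn_at = at
  end

  # True only for an active consent given under the *current* ToS version.
  def consented?(user_id, purpose)
    r = active(user_id, purpose)
    !r.nil? && r.tos_version == @current_tos_version
  end

  # Publishing a new ToS version does not touch history; it just makes every
  # earlier terms_of_service consent stale so those users must be asked again.
  def publish_tos_version!(version)
    @current_tos_version = version
  end

  def users_needing_reconfirmation(purpose = :terms_of_service)
    @records.map(&:user_id).uniq.select do |uid|
      r = active(uid, purpose)
      r && r.tos_version != @current_tos_version
    end
  end

  # What you can show on request: when, for what and under which version.
  def history(user_id)
    @records.select { |r| r.user_id == user_id }.map do |r|
      { purpose: r.purpose, tos_version: r.tos_version,
        granted_at: r.granted_at.iso8601, withdrawn_at: r.withdrawn_at&.iso8601 }
    end
  end

  private

  # Most recent record for this user/purpose that has not been withdrawn.
  def active(user_id, purpose)
    @records.reverse.find { |r| r.user_id == user_id && r.purpose == purpose && r.withdrawn_at.nil? }
  end
end

# Log retention: keep only lines newer than keep_days so old IP addresses do
# not linger. Lines are assumed to start with an ISO-8601 timestamp; anything
# without a parseable timestamp is dropped rather than kept forever.
def prune_log_lines(lines, now:, keep_days: 30)
  cutoff = now - keep_days * 86_400
  lines.select do |line|
    t = Time.iso8601(line[/\A\S+/].to_s) rescue nil
    t && t >= cutoff
  end
end

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
  '2024-01-01T10:00:00Z GET /latest 203.0.113.5',
  '2024-02-20T09:30:00Z GET /t/1 198.51.100.7',
  'malformed line with no timestamp'
].freeze

if $PROGRAM_NAME == __FILE__
  ledger = ConsentLedger.new(current_tos_version: '2024-01')
  ledger.grant(user_id: 1, purpose: :terms_of_service, checked: true)
  ledger.publish_tos_version!('2024-06')
  puts "needs reconfirmation: #{ledger.users_needing_reconfirmation.inspect}"
  puts "kept log lines: #{prune_log_lines(SAMPLE_LOG, now: Time.utc(2024, 3, 1)).size}"
end
```

The design choice worth noting is that consent is keyed to a purpose and a ToS version, and is never inferred: a consent given under an older version simply stops counting once a new version is published, which is what produces the re-confirmation list the reply asks for.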