The EU, in its wisdom, has created a law that is so broadly drafted that it seems to apply to anyone who holds personal data on paper or on a computer. However, opinion on a phpBB discussion forum https://www.phpbb.com/community/viewtop ... &t=2419821 suggests that phpBB is already 99% compliant and that a "hobby" forum is unlikely to be targeted by the police or the regulator in each state to which enforcement powers have been delegated.
Summarising privacy, registration and GDPR compliance:
Don't refer in a post to someone's real name; always use the username.
Don't post someone else's email address at all if you can avoid it.
Don't post any email address in its full form, change @ to (at) as some people don't want to risk their email address being harvested by spambots and changing @ helps prevent this.
Don't post an email address that contains a real name.
If your own username contains your real name and you are concerned about privacy, a forum administrator can change it for you.
Your real name is requested on registration as the forum thinks it is useful for members to know who they are dealing with, as they may be friends or people they may meet at events. However, real names in a member's profile are hidden from forum guests. A few people have only stated a Christian name in the profile, or stated "not given" which we have accepted.
A member's email address is needed for the forum to function, but is hidden from members and guests (administrators and moderators can see it). When you email another member, you don't see the other member's email address and the other person sees an email that is sent from the forum's email address. When the receiver clicks Reply, the first person's email is revealed and when the reply is sent, the first person will see the second person's email address and a normal email conversation will start.
Location in profile is optional, but the forum considers it useful. It only needs to be a general location like country or town. House name, number, road and postcode should not be shown.
Here are some opinions from phpBB users on this discussion topic: https://www.phpbb.com/community/viewtop ... &t=2419821 Note that they are just opinions; interpretation of the law will be by the courts in future. The conclusion, generally speaking, is that "hobby" forums don't have a lot to worry about.
Note: the DLOC forum has email contact enabled by default. If it were disabled at registration, a lot of members would not realise and would be unable to receive emails from other members. A member can disable his own email contact.

GDPR requires personal data to be encrypted. Actually phpBB encrypts only passwords.
"(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption."
I don't really see how this sentence requires anyone to do anything. It mentions encryption as one of the possible solutions, at least that is my understanding.
These laws apply to most phpBB webmasters ("(18) This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity").
In a vanilla install of phpBB there are three possible pieces of data that may fall within GDPR:
• Username - unless your board specifically requires "real" names then this cannot be directly referenced to a person.
• IP address - as the vast majority of IP addresses are dynamic then this again cannot be referenced to a person, only a location. Should IPv6 ever get implemented then this may be a different issue.
• Email address - again on its own it cannot identify an individual.
I am not saying that these regulations should be ignored but as far as a "hobby" board is concerned I would argue that there is not a lot to worry about - there are far bigger fish in the sea for the authorities to get their teeth into.
In the UK, I don't know about other EU countries, we have had since 1984 various versions of the Data Protection Act which is essentially the same as GDPR, where the storing of "personal identifiers" has been subject to controls - in fact at one point I had to register to keep that data. Furthermore these regulations cover the keeping of such data not only on a computer but also on paper.
Never in the last 34 years has anyone ever asked me for a copy of their data, and if the same applies with GDPR, that you can make a "reasonable" charge to provide that data, then I doubt for one minute that many will be requesting the data from a BB when they have to pay for it.
There is nothing new here, at least not in the UK, and as far as I am aware nobody has ever been prosecuted for holding data on a BB. These regulations are aimed at businesses/organisations/government departments that hold masses of personal data about all of us and the way in which that data is protected.
As I have said before I am not ignoring GDPR but neither am I over reacting to it. In my view there is very little if anything other than a brief note that is required for a vanilla phpBB install. If you modify your phpBB install to capture other data then that becomes your responsibility - not phpBB's and is outside of this discussion.
In my opinion, we need one additional box of consent for the collection and processing of data for the purposes of the forum's functionality. This is to be the field required for registration. Currently I have it done as an additional custom field. But this is not technically perfect because after changing the number of fields, everything can go bad.
How to make:
1. After registration, the email notifications are turned off by default (Edit notification option: Email - all disabled)
2. Default - Users can contact me by email: No.
3. Default - Administrators can email me information: - set up on the registration form.
4. Additional field on contact form - "Yes, I agree to the collection and processing of my data contained in this form for the purpose of answering".
It would be best if these first three items were pre-set by the user during registration. It would meet the requirements of GDPR with an informed choice of individual data processing goals.
These notes are John-B's personal thoughts and I may have to amend them if interpretation of the requirements for online forums changes my assumptions. This EU law has almost made me a confirmed Brexiteer.