If you would like to join the DLOC, please visit the Club's website https://www.dloc.org.uk/
Please don't post someone's email address. Some people don't want to risk it being harvested by spambots and GDPR regulations discourage it.
Always look at "ACTIVE TOPICS" which gives all posts in date & time order if you can't find a post or "Your Posts", as topics are sometimes moved.
Reg. nrs. Please add reg. nr. when posting a photo or anything about a car as this will help searches. Don't add punctuation next to nr. as this negates search.

EU General Data Protection Regulations (GDPR) as applicable to the forum

Website Comments, instructions for REGISTERING and POSTING, Chat about anything
User avatar
John-B
Site Admin
Posts: 1137
Joined: Tue Feb 09, 2016 9:10 pm
Location: Salisbury, UK
Contact:

EU General Data Protection Regulations (GDPR) as applicable to the forum

Post by John-B » Wed Mar 28, 2018 8:37 am

EU General Data Protection Regulations 2016, to be complied with by 25th May 2018.

The EU, in its wisdom, has created a law that is so widely crafted that it seems to apply to anyone who holds personal data on paper or on a computer. However, opinion on a phpBB discussion forum https://www.phpbb.com/community/viewtop ... &t=2419821 seems to suggest that phpBB is already 99% compliant and a "hobby" forum is unlikely to be targeted by police in each state which has delegated powers.

Summarising privacy, registration and GDPR compliance:

Don't refer in a post to someone's real name; always use the username.
Don't post someone else's email address at all if you can avoid it.
Don't post any email address in its full form, change @ to (at) as some people don't want to risk their email address being harvested by spambots and changing @ helps prevent this.
Don't post an email address that contains a real name.
If your own username contains your real name and you are concerned about privacy, a forum administrator can change it for you.
Your real name is requested on registration as the forum thinks it is useful for members to know who they are dealing with, as they may be friends or people they may meet at events. However, real names in a member's profile are hidden from forum guests. A few people have only stated a Christian name in the profile, or stated "not given" which we have accepted.
A member's email address is needed for the forum to function, but is hidden from members and guests (administrators and moderators can see it). When you email another member, you don't see the other member's email address and the other person sees an email that is sent from the forum's email address. When the receiver clicks Reply, the first person's email is revealed and when the reply is sent, the first person will see the second person's email address and a normal email conversation will start.
Location in profile is optional, but the forum considers it useful. It only needs to be a general location like country or town. House name, number, road and postcode should not be shown.

Here are some opinions from phpBB users on this discussion topic; https://www.phpbb.com/community/viewtop ... &t=2419821 Note that they are just opinions and interpretation of the law will be by the courts in future. The conclusion, generally speaking, is that "hobby" forums don't have a lot to worry about.
GDPR requires to encrypt personal data. Actually phpBB encrypts only passwords.
"(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption."

I don't really see how this sentence requires anyone to do anything. It mentions encryption as one of the possible solutions, at least that is my understanding.

These laws applies to most of phpbb webmasters ("(18) This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity").

In a vanilla install of phpBB there are three possible pieces of data that may fall within GPDR
•Username - unless your board specifically requires "real" names then this cannot be directly referenced to a person.
•IP address - as the vast majority of IP addresses are dynamic then this again cannot be referenced to a person, only a location. Should IPv6 ever get implemented then this may be a different issue.
•Email address - again on its own it cannot identify an individual
I am not saying that these regulations should be ignored but as far as a "hobby" board is concerned I would argue that there is not a lot to worry about - there are far bigger fish in the sea for the authorities to get their teeth into.

In the UK, I don't know about other EU countries, we have had since 1984 various versions of the Data Protection Act which essentially is the same as GDRP where the storing of "personal identifiers" has been subject to controls - in fact at one point I had to register to keep that data. Furthermore these regulations cover the keeping of such data not only on a computer but also on paper.

Never in the last 34 years has anyone ever asked me for a copy of their data and if the same applies with GDPR that you can make a "reasonable" charge to provide that data then I doubt for one minute many will be requesting the data from a BB when they have to pay for it.

There is nothing new here, at least not in the UK, and as far as I am aware nobody has ever been prosecuted for holding data on a BB. These regulations are aimed at businesses/organisations/government departments that hold masses of personal data about all of us and the way in which that data is protected.

As I have said before I am not ignoring GDPR but neither am I over reacting to it. In my view there is very little if anything other than a brief note that is required for a vanilla phpBB install. If you modify your phpBB install to capture other data then that becomes your responsibility - not phpBB's and is outside of this discussion.

In my opinion, we need one additional box of consent for the collection and processing of data for the purposes of the forum's functionality. This is to be the field required for registration. Currently I have it done as an additional custom field. But this is not technically perfect because after changing the number of fields, everything can go bad.

How to make:
1. After registration, the email notifications are turned off by default (Edit notification option: Email - all disabled)
2. Default - Users can contact me by email: No.
3. Default - Administrators can email me information: - set up on the registration form.
4. Additional field on contact form - "Yes, I agree to the collection and processing of my data contained in this form for the purpose of answering".
It would be best if this first three items were pre-set by the user during registration. It would meet the requirements of GDPR with an informed choice of individual data processing goals.
Note: the DLOC forum has email contact enabled by default. If disabled at registration a lot of members would not realise and be unable to receive emails from other members. A member can disable his own email contact.

These notes are John-B's personal thoughts and I may have to amend them if interpretation of requirements for online forums changes my assumptions. This EU law has almost made me a confirmed Brexiteer :shock:

User avatar
John-B
Site Admin
Posts: 1137
Joined: Tue Feb 09, 2016 9:10 pm
Location: Salisbury, UK
Contact:

Re: EU General Data Protection Regulations (GDPR) as applicable to the forum

Post by John-B » Wed Mar 28, 2018 10:09 am

These regulations have suddenly caused people to wake up to the fact that the date for compliance is near and it appears that they apply to almost any organisation, however small.

In the village where I live we have a village shop which is set up as a charity and it is revising procedures just as the DLOC club is. The village Archive is part of the charity and has to hold an AGM so in theory it has to comply but it doesn't have members (except committee members) and has very limited financial transactions so no changes are proposed at present. Email addresses seem to be the only security issue, but they are held in password protected form.

The village has numerous clubs and societies, large clubs like the sports club, cricket club, W.I. etc. down to small clubs like the Knit & Natter group. The larger clubs that have memberships and subscriptions should comply with the new regulations but the smaller clubs probably won't bother to do anything even though lists of members and finances (on paper) should be held in a locked place.

We also have various websites including my village website which shows personal details for contact purposes, so perhaps websites should comply too.

It's all a bit confusing at present and I suspect that a lot of organisations and websites will miss the deadline.

Petelang
Posts: 212
Joined: Sat Feb 13, 2016 10:23 am
Location: Nottingham
Contact:

Re: EU General Data Protection Regulations (GDPR) as applicable to the forum

Post by Petelang » Wed Mar 28, 2018 12:01 pm

Shame we couldn't have exited the EU before this came into effect. More Brussels interference in the already over complicated lives of small groups and businesses, meanwhile, crooks and scammers in abundance get away with doing whatever the Hell they like.
I have absolutely no idea what a phpBB is, nor a "vanilla" install, so it's all Chinese to me.
I'm so glad I'm no longer in corporate management! Why does EVERYTHING in today's world have to be abbreviated?
Peter
Peter Langridge
Cloud Nine Classic Weddings, Nottingham.

User avatar
John-B
Site Admin
Posts: 1137
Joined: Tue Feb 09, 2016 9:10 pm
Location: Salisbury, UK
Contact:

Re: EU General Data Protection Regulations (GDPR) as applicable to the forum

Post by John-B » Wed Mar 28, 2018 12:18 pm

Petelang wrote:
Wed Mar 28, 2018 12:01 pm
I have absolutely no idea what a phpBB is, nor a "vanilla" install, so it's all Chinese to me.
I'm so glad I'm no longer in corporate management! Why does EVERYTHING in today's world have to be abbreviated?
Peter
phpBB is the forum software (see the bottom left of this page). Vanilla just means unedited code, using the software in its original form, ie without flavourings from standard vanilla ice cream to strawberry. We use a style or theme we_universal but it's basis is "vanilla", it's just the display which is different.

Sydsmith
Posts: 774
Joined: Sun Feb 14, 2016 11:15 pm
Location: Aberystwyth Wales

Re: EU General Data Protection Regulations (GDPR) as applicable to the forum

Post by Sydsmith » Wed Mar 28, 2018 6:03 pm

As I said on another thread which has discussed this issue, new General Data Protection Regulations GDPR were introduced into law back in 2016, we had 2 years to implement it, but unlike many new laws, there has been little if any publicity of this major change to data protection regulations.

The main change is that the 2016 law requires all who obtain store and use data to comply, the old law exempted charities and not for profit organisations.

I recon that this involves such a vast range of organisations that no matter what the intent, it will take a small army of new inspectors to enforce, that will mean only those who are blatantly in breach of the regs and are challenged will draw attention to them selves and lay themselves open to inspection, so although the date is May 25th I doubt there will be much action on behalf of the powers that be for some time to come.

Phillmore
Posts: 847
Joined: Sat Feb 13, 2016 1:25 pm
Location: Worcestershire Herefordshire border

Re: EU General Data Protection Regulations (GDPR) as applicable to the forum

Post by Phillmore » Wed Mar 28, 2018 7:12 pm

Roll on Brexit ;)
Andy

1954 Conquest Mk1, 1956 Conquest Mk2, 1957 Conquest Century Mk2, 1955 Austin A90 Westminster

Chris_R
Posts: 430
Joined: Wed Feb 10, 2016 12:48 pm
Location: Twickenham

Re: EU General Data Protection Regulations (GDPR) as applicable to the forum

Post by Chris_R » Wed Mar 28, 2018 9:57 pm

Brexit or no Brexit, it would not make any difference to GDPR regulations or their UK equivalent. GDPR is something that has been in development since 2011 and the UK has been part of that development. In fact, Britain held up and delayed its progress, along with Germany and France, each for their own national reasons. It has been a fact for a long time that nothing significant happened in the EU unless Britain, France and Germany as the 3 most powerful EU members wished it to happen so ultimately the implementation of GDPR was in part something of our own making.
GDPR applies across the world to any organisation dealing with EU citizens therefore inside or outside the EU a similar set of regulations must be implemented. The USA have implemented laws that generally mirror EU laws and so will the UK. The UK equivalent was already published last August and sets the maximum penalty at £17 million (versus the EU's €20 million). Both the new UK law and the EU regulation also include the 4% of turnover figure.
Don't imagine that after Brexit laws such as these will be any less in the UK because we're no longer in the EU, if we want to do business with the EU we will have to implement equivalency to such laws in the future to match whatever the EU decides to do and not have any input or say into their content or be able to influence implementation dates. The UK will not be able to water down UK data protection laws because that would bring us into conflict with EU law which would then potentially penalise any organisation holding data on an EU citizen e.g. a DLOC member living in the EU.

simonp
Posts: 355
Joined: Mon Mar 07, 2016 9:59 am
Location: Birmingham

Re: EU General Data Protection Regulations (GDPR) as applicable to the forum

Post by simonp » Sat Mar 31, 2018 10:00 am

Thanks for clarifying this John and appreciate the work. Have always thought this is really good forum software which seems to work well for us.

SimonP
Daimler SP 250 - "To feel its eager response as you open up is to know a new motoring adventure"(Sales brochure) The adventure continues!

Sydsmith
Posts: 774
Joined: Sun Feb 14, 2016 11:15 pm
Location: Aberystwyth Wales

Re: EU General Data Protection Regulations (GDPR) as applicable to the forum

Post by Sydsmith » Sat Mar 31, 2018 11:31 am

Having been involved in this for some months now it would be easy to say what a pain in the back side it is.

However, EU or no EU there was a great need to tighten up the regulations and give them some teeth, just look at the facebook fiasco for example. Big business will only take notice if it hits them in their profits and the scale of the potential fines now involved will encourage their legal departments to ensure the companies comply and do not flout the law.

I have done a great deal of work with the voluntary organisation I am involved with and it has not been easy to implement, but it makes sense, we hold a lot of confidential information and for those who use our services, there was until now a huge risk to their details in the systems we used, unrecognised by those who have access.

Don't knock it, it is in all our interest.

User avatar
John-B
Site Admin
Posts: 1137
Joined: Tue Feb 09, 2016 9:10 pm
Location: Salisbury, UK
Contact:

Re: EU General Data Protection Regulations (GDPR) as applicable to the forum

Post by John-B » Sat Apr 28, 2018 10:13 am

Summarising the current situation:
Your email address is invisible to members and guests but Administrators and Moderators can see it. Someone only sees your email address when they reply to an email you sent them via the forum's hidden email system.
Your real name is only visible to members who look at your profile. We would prefer this to be visible but if you want increased privacy you can edit or delete it.
Your username is visible to members and guests. If your username contains your real name and you want increased privacy, email me and I can change it for you.
Your password is invisible to everyone. You can change your password or ask an administrator to set a new password without knowing the original one.
Your location is visible to members and guests but you can change or delete it. Location only needs to be a town, county or country.

Post Reply