Simple Machines Community Forum

SMF Support => SMF 2.0.x Support => Topic started by: kitz on April 11, 2018, 01:35:54 PM

Title: SMF & GDPR Personally Identifiable Information
Post by: kitz on April 11, 2018, 01:35:54 PM
With GDPR fast approaching, I was doing a data audit on what information is held by the forum software.  I have searched the forum but aside from this thread (https://www.simplemachines.org/community/index.php?topic=557199.msg3948478) can't really find much info, but surely it must be a headache for other community based forum owners too and I'm surprised that no one else has brought the topic up.

Obviously there is no getting around IPs and email addresses, but I noticed that the software allows input of birthdate and Gender both of which come under scrutiny for GDPR
TBH I don't want or need this data and TBF I'd rather not even store it any more.  We are a family friendly forum and age is of no consequence and gender is of no relevance.    How are other forum owners treating these 2 items?



I really would appreciate other forum owners feedback on how they are dealing with GDPR.  We are non profit making and struggle as it is to cover hosting costs so consulting a lawyer isn't really a valid answer. :(
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Kindred on April 11, 2018, 01:42:30 PM
those items are not required by default...  and gender can already be disabled



personally, I plan to completely ignore the idiocy that is GDPR.  The US has enough idiocy at the moment and I am not going to trouble myself with craziness from across the pond.

as for SMF as a whole...   we are considering what can/should be done.

I don't see how gender can be considered PII, though...

when a user deletes an account, I believe that gender, location and birthdate are deleted as well... So, you should be covered, there.

IP and email address are stored in each post, though... even from deleted accounts. (unless you let the individual delete all of their posts, which is not reasonable and would not be done on my sites, even if I was planning to follow GDPR, IMO)
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: kitz on April 11, 2018, 02:11:08 PM
Thank you for the prompt response.

Quote
gender can already be disabled

Thanks, wasn't aware that gender could be disabled.  Just found the option by enabling Advanced Profile Fields.

Could DOB be added in there too?

Quote
I plan to completely ignore the idiocy that is GDPR.

Unfortunately some of us can't because we're in the EU :/

Quote
I don't see how gender can be considered PII,

Race, ethnicity, gender, bio-data, sexual orientation and religion are all included.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: kitz on April 11, 2018, 02:50:06 PM
I've noticed that despite turning the field off, existing data still remains in the table.
I'd therefore like to completely clear the data - presumably if I run the following SQL statements... these are the defaults and this will work?  *

Code: [Select]
UPDATE `smf_members` SET `gender` = 0;

UPDATE `smf_members` SET `birthdate` = '0001-01-01';


I'd also like to clear Location but am unsure what to enter in the field as I don't think it's null or space. Can anyone advise what value is in use, please?

Code: [Select]
UPDATE `smf_members` SET `location`= <value>

---
*bearing in mind I never, ever usually do anything in the SMF database.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on April 11, 2018, 02:52:51 PM
I would do
Code: [Select]
UPDATE `smf_members` SET `location`= ''
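
The cleanup discussed in the posts above, as an added example that is not part of any poster's message. It assumes MySQL/MariaDB, the default `smf_` table prefix, and the cleared values named in the thread (gender 0, birthdate '0001-01-01', empty location). The date must be quoted: unquoted, 0001-01-01 is evaluated as integer arithmetic (1 - 1 - 1), not as a date.

```sql
-- Added example; table prefix and cleared values are assumptions taken
-- from the thread, so step 1 checks them against the live schema first.

-- 1. Confirm the column defaults instead of guessing them.
SELECT column_name, column_type, column_default, is_nullable
FROM information_schema.columns
WHERE table_schema = DATABASE()
  AND table_name   = 'smf_members'
  AND column_name IN ('gender', 'birthdate', 'location');

-- 2. Count how many member rows still hold a value in each field.
SELECT
    SUM(gender    <> 0)            AS rows_with_gender,
    SUM(birthdate <> '0001-01-01') AS rows_with_birthdate,
    SUM(location  <> '')           AS rows_with_location
FROM smf_members;

-- 3. Reset only the rows that differ from the cleared values.
UPDATE smf_members
SET gender    = 0,
    birthdate = '0001-01-01',
    location  = ''
WHERE gender    <> 0
   OR birthdate <> '0001-01-01'
   OR location  <> '';

-- 4. Re-run the count from step 2; all three columns should now be 0.
SELECT
    SUM(gender    <> 0)            AS rows_with_gender,
    SUM(birthdate <> '0001-01-01') AS rows_with_birthdate,
    SUM(location  <> '')           AS rows_with_location
FROM smf_members;
```

Database dumps and backups taken before the update still contain the old values, so the retention of those copies needs to be considered separately.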
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Rock Lee on April 11, 2018, 03:46:22 PM
I am from Argentina and the hysteria generated by all this is something hypocritical but the bureaucracy needs to generate money for itself by doubt and it does not have to be understood that it applies to corporations or with a minimum of people that can be used for specific purposes. I do not have the exact number, because they do not say it with clarity apparently, but being something small I would not have to give importance to it and I believe when registering an account is aware of this ... at least the sources in Spanish that I have read pages in English can give more accurate answers.


Regards!

P.S.: Excuse my bad English
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: ormuz on April 12, 2018, 02:40:55 PM
leaving some examples being done on other softwares.

https://xenforo.com/community/resources/gdpr-for-xenforo-2.6320/
https://pt.wordpress.org/plugins/wp-gdpr-compliance/
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Kindred on April 12, 2018, 02:41:55 PM
you might want to note that neither of those references is being done by the software authors.... they are add-ons/mods.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: hugbear on April 23, 2018, 08:11:45 PM
I think the biggest issue SMF has regarding GDPR is with „the right to Data Portability”(*) since I haven't found any way for a user to export his/her own data. Are there any plans to provide means to deal with such requests?


(*) The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Wellwisher on April 24, 2018, 10:14:14 PM
Just been doing my own research about GDPR. No doubt SMF will need to be compliant. All I can say is thank god for Brexit in the U.K. I am so glad U.K will be out of the E.U and along with it, E.U'S B.S rules and regs on the internet. Can't wait to remove cookie consent and this law when we leave the E.U.  :laugh:



Title: Re: SMF & GDPR Personally Identifiable Information
Post by: SpacePhoenix on April 25, 2018, 05:10:02 AM
Quote
personally, I plan to completely ignore the idiocy that is GDPR.  The US has enough idiocy at the moment and I am not going to trouble myself with craziness from across the pond.

Then you'll need to be prepared to ban and maybe also delete any member of your personal forum who lives in the EU otherwise you'll fall foul of the GDPR
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Gwenwyfar on April 25, 2018, 06:00:34 AM
Quote
personally, I plan to completely ignore the idiocy that is GDPR.  The US has enough idiocy at the moment and I am not going to trouble myself with craziness from across the pond.

Quote
Then you'll need to be prepared to ban and maybe also delete any member of your personal forum who lives in the EU otherwise you'll fall foul of the GDPR

If half the world ignores the GDPR... how do they go about trying to enforce it for so many people? They take down the internet? You're going to build sites around being afraid of all the silly laws over the place?

The country I live in has much of that. Technically, some retarded laws are broken by most of the population, so there's little they can do about it. And no one really cares because they are just stupid and there's enough bureaucracy as it is.

SMF as a software may need to address it, but I'm also personally giving it the finger ;)
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: drewactual on April 25, 2018, 08:39:38 AM
so far as i see it it's nothing but an effort to clear the clutter (in their eyes).  sites with large financial backing will be the only ones capable of operating sooner or later, allowing easier control of what information is available when and where.  i can foresee a circumstance where anything any of these remaining sites have to pass anything they script through a filter operated by a central government before it can be 'shared' with the public. 

it's 1984 on the animal farm, while Atlas is shrugging.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: shinglis on April 25, 2018, 10:53:52 AM
Like everyone else, doing my own research and where practicable I will try to comply but if the software does not allow it, I do not intend to change software just because it's not GDPR compliant.  Given the limited amount of user data I store (i.e email address) I don't predict many requests to export and if I have a request it will have to be via forum admin.

if as forum admin of approx 300 users I get chased down under GDPR rules it will be a sad day for the internet and its users.

Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Kindred on April 25, 2018, 12:24:07 PM
do note that username, email address and IP address are all considered personal data by the idiocy that is the GDPR
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: SpacePhoenix on April 25, 2018, 01:50:58 PM
Quote
Like everyone else, doing my own research and where practicable I will try to comply but if the software does not allow it, I do not intend to change software just because it's not GDPR compliant.  Given the limited amount of user data I store (i.e email address) I don't predict many requests to export and if I have a request it will have to be via forum admin.
if as forum admin of approx 300 users I get chased down under GDPR rules it will be a sad day for the internet and its users.

Quote
personally, I plan to completely ignore the idiocy that is GDPR.  The US has enough idiocy at the moment and I am not going to trouble myself with craziness from across the pond.

Quote
Then you'll need to be prepared to ban and maybe also delete any member of your personal forum who lives in the EU otherwise you'll fall foul of the GDPR

Quote
If half the world ignores the GDPR... how do they go about trying to enforce it for so many people? They take down the internet? You're going to build sites around being afraid of all the silly laws over the place?
The country I live in has much of that. Technically, some retarded laws are broken by most of the population, so there's little they can do about it. And no one really cares because they are just stupid and there's enough bureaucracy as it is.
SMF as a software may need to address it, but I'm also personally giving it the finger ;)

Quote
Just been doing my own research about GDPR. No doubt SMF will need to be compliant. All I can say is thank god for Brexit in the U.K. I am so glad U.K will be out of the E.U and along with it, E.U'S B.S rules and regs on the internet. Can't wait to remove cookie consent and this law when we leave the E.U.  :laugh:

I just done a quick google search and found this:

https://www.gdprandbeyond.com/blog-post/data-privacy/gdpr-affect-non-european-companies/

Quote
The EU General Data Protection Regulation (GDPR) will come into place in less than one year’s time. The regulation, which replaces the 1995 Data Protection Directive, makes changes to the way data is handled and processed in the EU. It includes fines of up to the greater of €20 Million or 4 percent of corporate annual turnover for firms that do not comply.

The GDPR covers companies operating within the EU. But there are questions about firms residing outside the bloc: For example, what exactly does the regulation mean for businesses based in the US? And will the UK need to adhere to GDPR after Brexit?

The short answer is: the regulation will affect firms both inside and outside of the EU. In fact, any company dealing with EU businesses’, residents’, or citizens’ data will have to comply with the GDPR.

The guidance makes clear that all organisations handling such data will be required to comply, regardless of jurisdiction, says Jamal Elmellas, chief technology officer at Auriga Consulting.

(there's more to the article, I've just quoted only the 1st 4 paragraphs of it)
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: The QE2 Story Forum on April 25, 2018, 03:27:55 PM
Quote
Just been doing my own research about GDPR. No doubt SMF will need to be compliant. All I can say is thank god for Brexit in the U.K. I am so glad U.K will be out of the E.U and along with it, E.U'S B.S rules and regs on the internet. Can't wait to remove cookie consent and this law when we leave the E.U.  :laugh:

But they've already said GDPR will apply to us even after Brexit (we're adopting it, it was in the Queen's Speech) and also you have to do it if ANY of your members are EU citizens.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Wellwisher on April 25, 2018, 04:02:18 PM
Quote
But they've already said GDPR will apply to us even after Brexit (we're adopting it, it was in the Queen Speech) and also you have to do it if ANY of your members are EU citizens.

Yes you're right this defo bites...

Quote
The short answer is: the regulation will affect firms both inside and outside of the EU. In fact, any company dealing with EU businesses’, residents’, or citizens’ data will have to comply with the GDPR.
Source: https://www.gdprandbeyond.com/blog-post/data-privacy/gdpr-affect-non-european-companies/
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Gwenwyfar on April 25, 2018, 05:34:54 PM
I know, what I just said had that in mind ;)
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Bigguy on April 25, 2018, 07:20:28 PM
Just a silly question but my site is not a business. From the link two posts up it says:

Quote
For example, what exactly does the regulation mean for businesses based in the US?

If your site is NOT a business do you still have to comply? I would think so after it says:

Quote
In fact, any company dealing with EU businesses’, residents’, or citizens’ data will have to comply with the GDPR.

But that still refers to companies....what about the wee tiny small forum owner not doing business with anyone, just sittin around chattin.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: CoreISP on April 25, 2018, 10:37:45 PM
I'll reply to this thread with a bit more details later (lack o' time now), all I will say now is that we (SM) are looking in to GDPR and once the advisory report (with the help of our legal representation) is ready for submission to and review by the SMF team, SMF may potentially end-up making tools available to make compliance easier for our users. (Unlikely that such a thing will be available before the 25th though.)


I'm now replying from a personal view and for discussion sake. The content of this post does not (necessarily) represent the ideas or interpretations of GDPR by Simple Machines, and as always: if you want to be sure you're in compliance or want to know if you even have to comply: call a lawyer, they're the ones that will truly know and can judge your situation best... Hopefully. :P


Quote
We are a family friendly forum and age is of no consequence

Actually, I believe it *is* of consequence to some extent.
Quote
Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

So it would appear that you at least need to store that someone said they were 16. And if they said no, you either have to decline access or ask for parental consent. If you ask for parental consent, it seems that you need to make an effort to verify that someone indeed gave consent and was authorised to do so.
Quote
The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

Which is why Microsoft for example is now demanding $0.50 USD credit card payments from the consenting parent to verify it's them.
It's why WhatsApp will simply be asking if they're 16 or not rather than getting consent and declines if below 16. (Shifts responsibility; the child lying about age is already one point behind on WhatsApp in any argument, should one arise.)
 
 

Quote
But that still refers to companies....what about the wee tiny small forum owner not doing business with anyone, just sittin around chattin.

Good question. That's a tricky one. Note that having ads or a paid subs will likely automagically need you to comply as I bet that makes it commercial. Donations are perhaps a gray area;
Quote
This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: petb on April 26, 2018, 09:02:23 AM
Thanks a lot I appreciate that.
It would be really nice if the German SMF Admins are helped here by SMF site.

Very helpful would be e.g. the possibility to deactivate "all" unwanted profile fields, including date of birth, etc., just all the fields that are not necessary for the use of the forum.

In my opinion, only the login details (login name and password) or perhaps the email address if used for verification are necessary.

Also, there is currently no way for users to request a renewed consent to the terms of use and to save this consent.
That would also be very helpful.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Kindred on April 26, 2018, 12:15:31 PM
there is a way to require users to re-read and re-accept changed terms
https://custom.simplemachines.org/mods/index.php?mod=3279
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: petb on April 26, 2018, 12:45:28 PM
Great, thank you.  :)

Another Point is the cookie information.
Any hint about this?
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Bigguy on April 26, 2018, 03:35:20 PM
Quote
Good question. That's a tricky one. Note that having ads or a paid subs will likely automagically need you to comply as I bet that makes it commercial. Donations are perhaps a gray area;

Well there won't be any of that on my site but I guess to be safe I should comply with it as best I can. Thanks for the info.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on April 26, 2018, 04:08:13 PM
I am planning to do a plugin that will address a couple of the GDPR issues.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Bigguy on April 26, 2018, 04:13:27 PM
That sounds awesome.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: petb on April 26, 2018, 04:37:03 PM
Yes, that would be great.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Conay on April 26, 2018, 06:24:30 PM
For our forum we updated the ToS (though I'm not sure the 'User Agreement Update' mod works on my forum) in order to detail stuff about GDPR, and released this statement:

Quote
As our service provider is based in the UK and we serve individuals within the European Union (including, for now, the UK), we will, from 25 May 2018, be bound by the General Data Protection Regulations (GDPR, Regulation (EU) 2016/679 (http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679)). The GDPR will apply to [site] as a Data Controller.

Our lawful basis for processing data is consent. All users are required to agree to terms and conditions prior to registering for the forum, and we provide an EU cookie notice at the first contact.

Following the GDPR, each individual has the right to: be informed, access, rectification, erasure, restricted processing, data portability and object. This post will outline how we intend to allow members to exercise their rights under this Regulation.

Quote from: Your rights
The right to be informed

The right to be informed encompasses our obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how we use personal data.

In terms of personal data, the only data we collect is data in which you supply, with the exception of your IP address, hostname and your most recent click. As we are an anonymous forum, little personal data is collected and we do not require you to provide any additional personal data, with the exception of your email address. We also collect your IP address/hostname (in the event of a ban needing to be placed on your account, for the purposes of dealing with hacking, and if we are required to contact your ISP), and your username (for post identification). Further, the forum automatically uses a cookie, a text file containing bits of information (such as your username and password), in your browser's cache. This is ONLY used to keep you logged in/out. The software does not collect or send any other form of information to your computer.

Any formal requests should be made to [email]. All emails must come from the email associated with your account.

The right of access

The right of access means you have the right to: confirmation that their data is being processed and access to your personal data.

Your data is being processed. All data we have is accessible via your profile. If you want us to provide you with additional information (such as your IP address), then please use the contact email above.

The right to rectification

This gives you the right to have your personal data rectified. Personal data can be rectified if it is inaccurate or incomplete.

The right to erase

The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable you to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

On the forum, this can be dealt with by requesting to delete your account. A deletion will have to be approved by an administrator (to protect against accounts being deleted maliciously). Posts can be individually deleted, and can be deleted en masse. A full deletion requires a request being sent to the email above.

The right to restrict processing

You have a right to ‘block’ or suppress processing of personal data. When processing is restricted, we are permitted to store the personal data, but not further process it.

Our data processing is as restricted as possible. Processing generally requires you to act on our website, therefore not using the website will cease such processing.

The right to data portability

This allows you to obtain and reuse your personal data for your own purposes across different services. This allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

Ultimately all posts you make, unless made in a restricted forum where you have lost access, and other information you provide are all accessible. If you wish for us to send you the data we hold, a request should be made to the email above.

The right to object

You have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), direct marketing (including profiling), and processing for purposes of scientific/historical research and statistics.

We do not generally process data for these purposes.

More information on your rights can be found here.

Data breaches

In accordance with GDPR, if we become aware of a data breach, we are obliged, within 72 hours, to notify any users involved. As we do not believe such a breach would result in a risk to the rights and freedoms of individuals, breaches will not be reported to the supervisory authority.

Children

The GDPR contains new provisions intended to enhance the protection of children’s personal data. As we do not identify individuals beyond their IP address, username and email address, we do not believe any action is required.

Other provisions

As our data processing does not possess a high risk to the rights and freedoms of individuals, we are not required to undertake a Data Protection Impact Assessment (DPIA), nor are we required to appoint a Data Protection Officer (DPO). We reserve the right to reveal information we hold about you (or any other related information collected on this service) in the event of a formal complaint or legal action arising from any situation caused by your use of this forum, in accordance with the laws of the United Kingdom.

We will consider on an ongoing basis all other requirements.

It would be really useful for SMF to make some small adjustments (i.e. allowing users to anonymise their posts when they delete their account), but I'm honestly not sure beyond that if there's much that can be done - though the default ToS should be updated, too

Our updated ToS (we reduced the size of the existing ToS and added the following at the end):
Quote
Data Protection

You have the right to: be informed, access, rectify, erase, restrict processing, data portability and object. Details on your rights, in accordance with the EU General Data Protection Regulations, can be found [link to above statement].

The only data we collect is data in which you supply, with the exception of your IP address, hostname and your most recent click. As we are an anonymous forum, little personal data is collected and we do not require you to provide any additional personal data, with the exception of your email address. We also collect your IP address/hostname (in the event of a ban needing to be placed on your account, for the purposes of dealing with hacking, and if we are required to contact your ISP), and your username (for post identification). Further, the forum automatically uses a cookie, a text file containing bits of information (such as your username and password), in your browser's cache. This is ONLY used to keep you logged in/out. The software does not collect or send any other form of information to your computer.

We reserve the right to reveal information we hold about you (or any other related information collected on this service) in the event of a formal complaint or legal action arising from any situation caused by your use of this forum, in accordance with the laws of the United Kingdom. In accordance with GDPR, if we become aware of a data breach, we are obliged, within 72 hours, to notify any users involved.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: CoreISP on April 26, 2018, 07:40:20 PM
@Conay
Anonymising post content is pretty much impossible to automate.
You can change the username, but if someone ends their post with “regards, - full name”: tough luck.
However, it appears that post content may not be subject to the right to be forgotten pursuant to Article 17, notably section 3. Relevant quotes:
Quote
Paragraphs 1 and 2 shall not apply to the extent that processing
is necessary:
for exercising the right of freedom of expression and information;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Conay on April 26, 2018, 09:26:42 PM
Quote
@Conay
Anonymising post content is pretty much impossible to automate.
You can change the username, but if someone ends their post with “regards, - full name”: tough luck.
However, it appears that post content may not be subject to the right to be forgotten pursuant to Article 17, notably section 3. Relevant quotes:
Quote
Paragraphs 1 and 2 shall not apply to the extent that processing
is necessary:
for exercising the right of freedom of expression and information;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing

Perhaps the exemption applies, but to offer the option to anonymise usernames (i.e. switch their username to 'Deleted user #X') along with a warning in the description that any identifiable information in posts themselves won't be deleted would be helpful.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: CoreISP on April 26, 2018, 10:18:06 PM
Technically that’s possible already by first changing their username before deleting the account.
It’s an extra step as of right now, but not super difficult.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: drewactual on April 27, 2018, 09:23:43 PM
of interest or maybe not... I keep getting emails from googs, as i'm sure most of y'all with analytics kickin' on your pages have also...

they don't seem to have much concern about sites that don't cater to Europe or Switzerland, going as far as to state ".... if you're not doing business with EU or Switzerland, you can ignore the remainder of this message."

it seems to me after several notices of changes in their product due to the GDPR, 'they' aren't concerned unless you're expressly doing 'business' inside the EU's (and Switzerland- don't forget Switzerland!!! googs certainly doesn't) jurisdiction.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Bigguy on April 27, 2018, 09:45:06 PM
What's googs ??
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: drewactual on April 27, 2018, 09:57:48 PM
google
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Bigguy on April 27, 2018, 10:04:08 PM
Lmao, ok. thought I would ask. :)
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on April 29, 2018, 03:41:30 PM
GPDR Helper For SMF 2.0.x

Warning does not guarantee GPDR compliance. No warranty provided.

Includes:
Allows member to export their data. Their profile and post information
On member deletion clears IP address and email from posts and assigns a new username to all old posts.
Includes a privacy policy page, adds link in the footer and adds a section for consent on registration
Stores the date/time that the privacy policy was changed and option to force to reagree
Stores the date/time that the registration agreement was changed and option to force to reagree
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: @rjen on April 29, 2018, 03:58:14 PM
Quote
GPDR Helper For SMF 2.0.x
Warning does not guarantee GPDR compliance. No warranty provided.
Includes:
Allows member to export their data. Their profile and post information
On member deletion clears IP address and email from posts and assigns a new username to all old posts.
Includes a privacy policy page, adds link in the footer and adds a section for consent on registration
Stores the date/time that the privacy policy was changed and option to force to reagree
Stores the date/time that the registration agreement was changed and option to force to reagree

Thanks!

Would it be possible to also include custom profile fields in the export from the profile?
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on April 29, 2018, 04:00:43 PM
Will look into it.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: @rjen on April 29, 2018, 04:51:17 PM
A user cannot decline the updated agreements.
I would suggest decline option added results in the user be logged off immediately
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on April 29, 2018, 06:23:02 PM
Quick update must fix
1.0.1
!Bug fix error on registration if there is registration error. Requires uninstall of old version


A user cannot decline the updated agreements.
I would suggest decline option added results in the user be logged off immediately
Good idea!
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: @rjen on April 30, 2018, 03:22:50 AM
Couple of error messages upon review of the agreements..

https://test.fjr-club.nl/index.php?action=gpdr;sa=registeragreement;save=1
8: Undefined index: admin_menu_name
Bestand: /home/deb77453/domains/fjr-club.nl/public_html/test/Sources/gpdr2.php
Regel: 280


https://test.fjr-club.nl/index.php?action=gpdr;sa=privacypolicy;save=1
8: Undefined index: admin_menu_name
Bestand: /home/deb77453/domains/fjr-club.nl/public_html/test/Sources/gpdr2.php
Regel: 280
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on April 30, 2018, 08:39:09 AM
Couple of error messages upon review of the agreements..

https://test.fjr-club.nl/index.php?action=gpdr;sa=registeragreement;save=1
8: Undefined index: admin_menu_name
Bestand: /home/deb77453/domains/fjr-club.nl/public_html/test/Sources/gpdr2.php
Regel: 280


https://test.fjr-club.nl/index.php?action=gpdr;sa=privacypolicy;save=1
8: Undefined index: admin_menu_name
Bestand: /home/deb77453/domains/fjr-club.nl/public_html/test/Sources/gpdr2.php
Regel: 280
Fixed for next update
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: a10 on April 30, 2018, 02:26:40 PM
Have tested on my test-forum. Looks like it will be excellent. Great work. Thanks.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Shambles on April 30, 2018, 02:43:34 PM
Splendid work vbgamer45, splendid work.

Quote
Fixed for next update
Will you be creating a formal mod for this?
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on April 30, 2018, 03:09:11 PM
Well it is a formal mod right now that you can install via the package manager. I have submitted to the mod site too.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Shambles on April 30, 2018, 03:19:53 PM
Lovely. thanks. I tried the version you attached to reply #40 but it contains the admin_menu_name index error, so I will await the fixed version :)

You're good at this. Did anyone tell you?
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on April 30, 2018, 03:26:55 PM
I am good at getting things done :) Just need time is the main issue.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: @rjen on April 30, 2018, 03:28:40 PM
I started translating this to Dutch, and in doing so I noticed that some of the text strings are both in the language file AND included in the update of Modifications.english.php files ?

On purpose?

Find attached the translated language files. I am not sure if it has added value to translate the privacy_template.txt since it is not language specific, and most likely everyone will tailor this to his own forum anyway...
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on April 30, 2018, 03:29:31 PM
Yes done on purpose so there is no need for an extra language file.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: The QE2 Story Forum on April 30, 2018, 03:31:52 PM
One point I'd like to make on the right to be deleted - I do not believe this requires that you delete every post  they've ever made, no matter how much they insist on it - what it does require, is that you delete their personal data (name, email address and anything else that could identify them).     For most forums, deleting a user and every post they've ever made could cause complete havoc.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: @rjen on April 30, 2018, 03:33:47 PM
Yes done on purpose so there is no need for an extra language file.

Ok, then I will need to add these strings myself in the Modifications.dutch files...
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 01, 2018, 06:05:40 PM
Recommend uninstall of old version first.

1.0.2
+Added support for SMF 1.1.x
+Added option to decline changes to the privacy policy and agreement page
!Fixed extension for post export data as .txt file
!Fixed undefined error on view privacy policy page
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Shambles on May 02, 2018, 03:32:31 AM
Thanks VB - I'll give this a whirly when I get home from this madhouse they call "work".

Cheers
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: wiebke on May 02, 2018, 03:35:47 AM
Thanks!
I have another request for this helpful mod, though - a possibility to delete IP from posts. Either some weeks after post is made or delete them manually for posts of a certain age/posts made by guests. Would love to have something like this!
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 02, 2018, 07:32:19 AM
Right now the ip is cleared when the member is deleted if you have that option enabled.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: wiebke on May 02, 2018, 07:43:10 AM
Yes, I saw that and it's great work. But if the member wants to stay active, I would like to be able to delete the IP on older topics. Especially on those where the member has already been deleted.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: @rjen on May 02, 2018, 07:50:00 AM
Recommend uninstall of old version first.

1.0.2
+Added support for SMF 1.1.x
+Added option to decline changes to the privacy policy and agreement page
!Fixed extension for post export data as .txt file
!Fixed undefined error on view privacy policy page

Can I somehow find (in the database) what users have not (yet) accepted the agreement?
We will need to remove these users' data within a certain period of time, since we are not allowed to keep their personal data...

Furthermore: If a user does not accept the agreement they cannot access the forum anymore, so they can also not access their profile to download the recorded data.
Is it possible to allow them to at least access their profile without accepting the privacy policy?
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 02, 2018, 08:03:51 AM
Yes in the database there are fields in the smf_themes table
gpdr_policydate - privacy policy date
gpdr_agreementdate - member agreement date


Access to the profile not sure. I could. Or just give them the option to download data?
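
One way to list members with no recorded acceptance, as an added example that is not part of the mod or of the posts above. It assumes gpdr_policydate and gpdr_agreementdate are stored as per-member variable/value rows in smf_themes (that table's usual layout) and that a missing or empty value means "not accepted"; the in-memory SQLite data is constructed so the script runs offline.

```php
<?php
declare(strict_types=1);

// Pivot the two key/value rows per member and keep members missing either one.
// The SQL uses only syntax shared by MySQL and SQLite.
const UNACCEPTED_SQL = "
    SELECT m.id_member, m.member_name,
           MAX(CASE WHEN t.variable = 'gpdr_policydate' THEN t.value END) AS policy_date,
           MAX(CASE WHEN t.variable = 'gpdr_agreementdate' THEN t.value END) AS agreement_date
    FROM smf_members AS m
    LEFT JOIN smf_themes AS t
           ON t.id_member = m.id_member
          AND t.variable IN ('gpdr_policydate', 'gpdr_agreementdate')
    GROUP BY m.id_member, m.member_name
    HAVING COALESCE(policy_date, '') = '' OR COALESCE(agreement_date, '') = ''
    ORDER BY m.id_member";

function unacceptedMembers(PDO $db): array
{
    return $db->query(UNACCEPTED_SQL)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed stand-in for the forum database (assumed layout, sample rows).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE smf_members (id_member INTEGER PRIMARY KEY, member_name TEXT)');
$db->exec('CREATE TABLE smf_themes (id_member INTEGER, id_theme INTEGER, variable TEXT, value TEXT)');

$addMember = $db->prepare('INSERT INTO smf_members VALUES (?, ?)');
foreach ([[1, 'member_a'], [2, 'member_b'], [3, 'member_c'], [4, 'member_d']] as $row) {
    $addMember->execute($row);
}

$addOption = $db->prepare('INSERT INTO smf_themes VALUES (?, 1, ?, ?)');
$options = [
    [1, 'gpdr_policydate', '1525300000'],    // accepted both documents
    [1, 'gpdr_agreementdate', '1525300000'],
    [2, 'gpdr_policydate', '1525300500'],    // policy only, agreement missing
    [3, 'display_quick_reply', '1'],         // unrelated option, no consent rows
    [4, 'gpdr_policydate', '1525301000'],
    [4, 'gpdr_agreementdate', ''],           // row present but empty
];
foreach ($options as $row) {
    $addOption->execute($row);
}

foreach (unacceptedMembers($db) as $m) {
    printf(
        "%d %s policy=%s agreement=%s\n",
        $m['id_member'],
        $m['member_name'],
        $m['policy_date'] ?? '(none)',
        $m['agreement_date'] ?? '(none)'
    );
}
```

On a live forum the same SELECT can be run from phpMyAdmin after adjusting the smf_ prefix to the one the installation uses.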
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: @rjen on May 02, 2018, 08:08:51 AM
Yes in the database there are fields in the smf_themes table
gpdr_policydate - privacy policy date
gpdr_agreementdate - member agreement date


Access to the profile not sure. I could. Or just give them the option to download data?

The option to download data is the minimum requirement.
Profile access would be nice: this way we can still allow them to remove personal details themselves...
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 02, 2018, 08:14:17 AM
I am concerned whether it would be ok for them to still modify their profile/account information while not agreeing to the agreements
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: @rjen on May 02, 2018, 08:54:29 AM
I am concerned whether it would be ok for them to still modify their profile/account information while not agreeing to the agreements

I agree. Changing profile is debatable. Allowing them to SEE their actual profile (apart from downloading the data) would be best.

For new users it is fine: they do not comply, so they cannot register and they have nothing to check.

The problem is that we have an existing user base that have been using the forum and have (sometimes extensive) profiles. Now the Law changes and they can decide to no longer agree with us holding the data. With the new Law we should still allow them to at least SEE what data we have (many users are not that familiar with .csv downloaded files).

Of course the admin can delete the account later on (and all data) so then we'll have to include in the privacy statement that they will need to request data to be deleted if they want so...


Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 02, 2018, 09:36:18 AM
I could do txt files for both. I was going by what twitter was doing. But they use pdf for most of their data which I think is even less open
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: CoreISP on May 02, 2018, 09:44:35 AM
PDF, I'm not even sure if you can make a machine interpret the content normally?
In which case, I wonder if PDF is even an acceptable interchangeable format and would be more inclined to say it'd have to be something like CSV.

Yes, I saw that and it's great work. But if the member wants to stay active, I would like to be able to delete the IP on older topics. Especially on those where the member has already been deleted.

Maybe I understand wrong, but if a member wants to stay active, that means they keep giving you their consent.
In which case, I don't think they have the right to selectively ask you to "forget" things. You can't demand to only selectively give consent for an agreement. It's an all or nothing scenario, either you give consent or you retract consent; they can't demand "I give you consent for section A to E but not for sections F to K" - that's not how it works. That means everyone could potentially get a tailored agreement, that'd be disastrous.

Moreover, collecting IP's of active users is a genuine processing case to keep track of spam and account changes...
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: wiebke on May 02, 2018, 10:51:06 AM
Ah, okay. Didn't consider that.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Shambles on May 03, 2018, 12:56:49 PM
Seems to work pretty well - congrats.

If I may, can I suggest changing all internal "GPDR" strings to "GDPR"?

Also, in the settings screen, even if "Enable the privacy policy" is unchecked, any other checked option seems to enable the whole feature.

Thanks again.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 03, 2018, 01:15:36 PM
Seems to work pretty well - congrats.

If I may, can I suggest changing all internal "GPDR" strings to "GDPR"?
Thanks again.
Bah, yeah that is a big one
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 03, 2018, 01:40:14 PM
1.0.3
!Spelling fixes for GDPR
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Shambles on May 03, 2018, 01:54:50 PM
Lol, nice :D

I guess we can live with the package name as it is :P
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 03, 2018, 02:00:07 PM
Yeah will take more time to change that.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Bigguy on May 03, 2018, 04:07:50 PM
I know this is not supported for 2.1 and I may not get any help with it if I install it. I'm probably going to try though. I found 3 errors when trying to install in 2.1 I can alter the code to make it work that way. My only question before I do try to install it is: Is it going to play nice with the database. I think it would but I just wanted to get your opinion if I could before I go ahead.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 03, 2018, 04:08:41 PM
Yes it will play nice with the database. I do plan to port it to 2.1 one day.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Bigguy on May 03, 2018, 04:14:03 PM
I figured you were going to but I also knew it was not going to be right away or anything. I didn't want it to seem like I was being pushy or anything. Thanks, I'll give it a try then. :)
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: petb on May 03, 2018, 05:00:01 PM
Maybe I understand wrong, but if a member wants to stay active, that means they keep giving you their consent.
In which case, I don't think they have the right to selectively ask you to "forget" things. You can't demand to only selectively give consent for an agreement. It's an all or nothing scenario, either you give consent or you retract consent; they can't demand "I give you consent for section A to E but not for sections F to K" - that's not how it works. That means everyone could potentially get a tailored agreement, that'd be disastrous.
Sure?

I think they are allowed to say, for example "email = yes" and "date of birth = no" and similar things.
But i also think the forum owner must not accept that.

He has the right to deny the usage of the forum and can say:
Usage only allowed if the forum got the right to store all data,
which finally ends in deleting the account if the user only want a partial deleting of his data.
???
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: a10 on May 03, 2018, 05:48:16 PM
PM \ personal messages, what is their status ?
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 03, 2018, 05:59:15 PM
Status? I do not export those currently but could be done.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Wellwisher on May 04, 2018, 07:59:23 PM
Status? I do not export those currently but could be done.

You might find a check list more helpful mate.

https://www.marketingprofs.com/chirp/2018/34693/a-marketers-checklist-are-you-ready-for-gdpr-compliance-infographic
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: lurkalot on May 05, 2018, 05:59:45 AM
1.0.3
!Spelling fixes for GDPR

Thanks, nice mod, and will no doubt take a lot hassle away from SMF admins.

I did notice something though regarding the renaming process, the actions are still showing the incorrect spelling

action=gpdr;sa=privacypolicy
action=gpdr;sa=privacypolicy;reagree=1
action=gpdr;sa=registeragreement;reagree=1
etc.

That caused me a slight head scratching moment when trying to hide my blocks and panels in Tinyportal.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 05, 2018, 08:50:04 AM
Yeah I have to redo those at some point. I flipped the letters in a bunch of spots.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: lurkalot on May 05, 2018, 08:51:19 AM
Yeah I have to redo those at some point. I flipped the letters in a bunch of spots.
Thanks.  I sent you a pm.  ;)
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Portugal on May 06, 2018, 05:33:09 PM
Many thanks vbgamer45 for that wonderful work. Well, if I have some suggestions to implement on that, I will post here :)
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Si6776 on May 07, 2018, 06:53:53 AM
The right to erase

The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable you to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

On the forum, this can be dealt with by requesting to delete your account. A deletion will have to be approved by an administrator (to protect against accounts being deleted maliciously). Posts can be individually deleted, and can be deleted en masse. A full deletion requires a request being sent to the email above.

Your new ToS is excellent, but there seems to be a somewhat grey area around the removal of all posts should a member wish to delete their account.  If indeed, this is not a requirement, providing the member has been fully anonymised, would it be slightly misleading to say that posts can be deleted 'en masse', as how would you distinguish 'en masse'  from 'all posts'?  I would be inclined to remove the 'en masse' part, and add something along the lines of:

Quote
... In the case of a full deletion, please note that post content is not subject to the ‘right of erasure’. All posts from a deleted account will be anonymised so no trace will be left to the post author, however, any identifiable information in posts themselves won't be deleted.

How sure are we that post content isn't subject to the rights of erasure?
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Si6776 on May 07, 2018, 07:09:07 AM
One more quick question - with regards the user downloading their own data, presumably they wouldn't be able to do so once an account has been deleted?  Are we (forum admins) then under any liability to provide them with their data?  I would assume not, but clarification would be good, for the ToS.  :)
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 07, 2018, 08:25:22 AM
I would say if the account is deleted then they have no data left on them. Posts are ok to leave in the forum. Just have to remove personal information
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Si6776 on May 07, 2018, 08:58:53 AM
Brilliant, thanks.  :)
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: feline on May 08, 2018, 11:30:52 AM
I would say if the account is deleted then they have no data left on them. Posts are ok to leave in the forum. Just have to remove personal information
You have to note that in quotes from other users the name stays alive !!
So it's better to remove the complete topic, not only the post from this user ...
Alternately you can check any message of quotes from this user and rename this ...

Feline
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 08, 2018, 11:33:14 AM
Removing the topic would be overkill. Yes the name should be removed from quotes. I have to find a good way to do that. that is not find and replace based. 
Also people can mention the persons name in a topic's post.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: feline on May 08, 2018, 11:38:25 AM
Yes, it is overkill .. but until we have no other chance, it's better to drop the topic.
Same for export the data for GDPR ... better to remove the username in quotes

Feline
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: hugbear on May 08, 2018, 12:40:57 PM
Don't admins have 30 days to comply with GDPR-based requests? I would think that's plenty time to search and edit out usernames from quotes. Deleting topics with hundreds of posts just because a quoted user wants to be forgotten is overkill. Might as well retire the entire forum, it's less of a hassle...
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Si6776 on May 08, 2018, 04:24:41 PM
Unless someone has actually used their real name, I can't see how even quoted posts could contain PII (Personally Identifying Information), as all they would contain is a user name.  Who uses their real full name on forums?
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Portugal on May 08, 2018, 04:36:39 PM
Well... about username I've an idea, in fact I thought of implementing this on my forum a few years ago... it's to change the information displayed... it means, change the username to the member number, I think that solves the problem for GDPR. Maybe it works... :)
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: SpacePhoenix on May 09, 2018, 01:44:24 AM
Well... about username I've an idea, in fact I thought of implementing this on my forum a few years ago... it's to change the information displayed... it means, change the username to the member number, I think that solves the problem for GDPR. Maybe it works... :)

Say a member's user id is 1234 and they get deleted, the poster name for any posts that they make could be changed to something like "Member1234" and their user title could be changed to "No Longer Registered". Deleting all posts by a deleted member is in no way practical as for most forum software, deleting post #1 probably deletes the entire thread. If that former member has started many threads then that could result in many threads and posts disappearing from a given forum.

Changing the member name in quotes to, using the above example, "Member1234" will be a case of working out the correct regular expression for use with a PHP function like preg_filter, using one example (opening and closing [ ] removed to make it quote as intended):

Quote
quote author=Portugal link=topic=559841.msg3971698#msg3971698 date=1525811799

The bit:

Quote
author=Portugal link

would have to have the member's name changed to something like "Member 1234". Things like mentions (on any forum (of any software)) that uses mentions should be easy to do. Where a member's name has just been typed in normally I can't see a viable alternative to just using the forum's search facility to search for instances of the ex-member's name.

Here's a thought, say a member gets deleted from a forum (might not necessarily be running SMF), they get deleted, then the server craps itself and the forum gets restored to a backup from before the member gets deleted. Would the owners of the forum have to go through the deletion process again (could well be different people admins from those that maintain the server and/or software), or would the ex member have to re-submit their request for removal
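
The quote-tag rewrite described in the post above, as an added example that is not part of the original post or of the GDPR Helper mod. The function names and the sample post body are constructed for illustration (the first quote tag is the one quoted in the post); plain-text mentions are only located for manual review, not rewritten.

```php
<?php
declare(strict_types=1);

/**
 * Swap a deleted member's name for a neutral label inside SMF quote tags.
 * Returns [new body, number of tags rewritten].
 */
function anonymizeQuoteAuthor(string $body, string $memberName, int $memberId): array
{
    $label = 'Member' . $memberId;
    // preg_quote keeps names such as "a.b" or "x[1]" literal inside the pattern.
    $name = preg_quote($memberName, '~');
    // The lookahead requires the name to end exactly where the next tag
    // parameter or the closing bracket starts, so "Port" never matches "Portugal".
    $pattern = '~(\[quote\s+author=)' . $name . '(?=\s+(?:link|date)=|\])~iu';

    $count = 0;
    $out = preg_replace($pattern, '${1}' . $label, $body, -1, $count);
    if ($out === null) {
        // With the /u flag this happens when the body is not valid UTF-8.
        throw new RuntimeException('Regex failed, PCRE error code ' . preg_last_error());
    }
    return [$out, $count];
}

/**
 * Byte offsets of the name typed as ordinary text. These cannot be rewritten
 * safely by a regex, so they are only reported for a moderator to review.
 */
function findPlainMentions(string $body, string $memberName): array
{
    $name = preg_quote($memberName, '~');
    $pattern = '~(?<![\p{L}\p{N}_])' . $name . '(?![\p{L}\p{N}_])~iu';
    if (preg_match_all($pattern, $body, $m, PREG_OFFSET_CAPTURE) === false) {
        throw new RuntimeException('Regex failed, PCRE error code ' . preg_last_error());
    }
    return array_column($m[0], 1);
}

// Constructed post body: one quote of the deleted member, one plain mention,
// and one quote of a different member whose name merely starts the same way.
$body = "[quote author=Portugal link=topic=559841.msg3971698#msg3971698 date=1525811799]\n"
      . "change the username, to number of member\n"
      . "[/quote]\n"
      . "I agree with Portugal here.\n"
      . "[quote author=Portugal2 link=topic=1.msg2#msg2 date=1525811800]\n"
      . "a different member\n"
      . "[/quote]\n";

[$clean, $rewritten] = anonymizeQuoteAuthor($body, 'Portugal', 1234);
$leftover = findPlainMentions($clean, 'Portugal');

echo $clean;
echo "quote tags rewritten: {$rewritten}\n";
echo 'plain mentions left for manual review: ' . count($leftover) . "\n";
```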
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Ravey76 on May 10, 2018, 08:31:16 AM
Great work, vbgamer45! Thanks a lot for it, it comes just in time

In case someone needs a GERMAN translation of it - here it is ...

By the way, "General Data Protection Regulation (GDPR)" means in German "Datenschutz-Grundverordnung (DSGVO)"
... just in case you want to change the name of your app for the german users
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 10, 2018, 09:07:55 AM
Thanks
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: @rjen on May 11, 2018, 07:18:55 AM
1.0.3
!Spelling fixes for GDPR

Installed it, and when I export data I am getting these errors in the log...

https://www.fjr-club.nl/index.php?action=profile;area=exportdata;u=3
2: Invalid argument supplied for foreach()
Bestand: /home/deb77453/domains/fjr-club.nl/public_html/Themes/default/Profile.template.php
Regel: 1204

https://www.fjr-club.nl/index.php?action=profile;area=exportdata;u=3
8: Undefined index: profile_fields
Bestand: /home/deb77453/domains/fjr-club.nl/public_html/Themes/default/Profile.template.php
Regel: 1204

The code in question.

Code: [Select]
1198: if (!empty($context['profile_fields']))
1199: echo '
1200: <dl>';
1201:
1202: // Start the big old loop 'of love.
1203: $lastItem = 'hr';
==>1204: foreach ($context['profile_fields'] as $key => $field)
1205: {
1206: // We add a little hack to be sure we never get more than one hr in a row!
1207: if ($lastItem == 'hr' && $field['type'] == 'hr')
1208: continue;

By the way: I am NOT getting the custom profile fields in the download...
(FYI: using PHP7.1)
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 11, 2018, 09:15:34 AM
If you make money in any way. Such as ads they would say you do.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: @rjen on May 11, 2018, 09:32:45 AM
If you make money in any way. Such as ads they would say you do.

Is this in response to my bug report?

If so, the 'ads' on my site are not making me any money: Our site is a bikers' club site: the companies mentioned on our site are providing members of the club a discount on purchases....
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: petewadey on May 12, 2018, 04:06:08 AM
Thanks vbgamer45. Good work. I've added this to my site and it works fine. I now just need to email all my members to ask them to log on to accept the agreement.
I'm very curious why this forum hasn't done anything about GDPR yet? As it holds the same personal data as mine or anyone else's Simple Machines Forum?
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: lurkalot on May 12, 2018, 04:48:56 AM

Installed it, and when I export data I am getting these errors in the log...

https://www.fjr-club.nl/index.php?action=profile;area=exportdata;u=3
2: Invalid argument supplied for foreach()
Bestand: /home/deb77453/domains/fjr-club.nl/public_html/Themes/default/Profile.template.php
Regel: 1204

https://www.fjr-club.nl/index.php?action=profile;area=exportdata;u=3
8: Undefined index: profile_fields
Bestand: /home/deb77453/domains/fjr-club.nl/public_html/Themes/default/Profile.template.php
Regel: 1204


Getting the same two errors on my site.  ;)
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Illori on May 12, 2018, 06:16:57 AM
I'm very curious why this forum hasn't done anything about GDPR yet? As it holds the same personal data as mine or anyone else's Simple Machines Forum?

we are in the process of consulting a lawyer for what we need to do.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: petewadey on May 12, 2018, 06:19:52 AM
I'm very curious why this forum hasn't done anything about GDPR yet? As it holds the same personal data as mine or anyone else's Simple Machines Forum?

we are in the process of consulting a lawyer for what we need to do.

Thanks. I will wait and see the outcome.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Si6776 on May 12, 2018, 06:13:40 PM
Does the GDPR Helper record when members agree to the User Agreement and Privacy Policy?  If not, is there any way to do this, or is the fact that they have to have consented to access the forum enough?
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Bigguy on May 12, 2018, 10:16:45 PM
I have over 1000 posts on my site. When I try to download my content I get this error:
Quote
More than 1000 messages in selected range please make your range smaller to export
If I make the range smaller how do I download ALL my data. ??? An error comes with this:
Code: [Select]
Invalid argument supplied for foreach()Profile.template.php Line 1473
I am sorry if this post is in the wrong place. If it needs to be moved that's cool.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 12, 2018, 10:25:08 PM
Does the GDPR Helper record when members agree to the User Agreement and Privacy Policy?  If not, is there any way to do this, or is the fact that they have to have consented to access the forum enough?
Yes it does.

I have over 1000 posts on my site. When I try to download my content I get this error:
Quote
More than 1000 messages in selected range please make your range smaller to export
If I make the range smaller how do I download ALL my data. ??? An error comes with this:
Code: [Select]
Invalid argument supplied for foreach()Profile.template.php Line 1473
I am sorry if this post is in the wrong place. If it needs to be moved that's cool.
So you would do in portions with a start and end index.
If the forum has 100k messages and you posted 2000 times. I would try first a start index of 1 and end index of 50000 then repeat for the second part a start index of 50000 and end index of 100000
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Bigguy on May 13, 2018, 12:04:31 AM
I'll give that a shot, thanks. :)
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: petewadey on May 13, 2018, 04:00:19 AM
Has the GDPR Helper unticked members "Allow users to email me" by default, or has that always been the case? It makes sense if it does.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Si6776 on May 13, 2018, 04:47:19 AM
Does the GDPR Helper record when members agree to the User Agreement and Privacy Policy?  If not, is there any way to do this, or is the fact that they have to have consented to access the forum enough?
Yes it does.

Sorry to be thick, but where would this record be, should we be asked for it?
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: @rjen on May 13, 2018, 06:25:08 AM
Does the GDPR Helper record when members agree to the User Agreement and Privacy Policy?  If not, is there any way to do this, or is the fact that they have to have consented to access the forum enough?
Yes it does.

Sorry to be thick, but where would this record be, should we be asked for it?

See this reply: https://www.simplemachines.org/community/index.php?topic=559841.msg3970969#msg3970969

But getting at the data now requires a query in PHP admin.
It would be nice to have a list of this data present in the admin menu as well, for easy access should this be requested in future...
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Si6776 on May 13, 2018, 06:45:50 AM
Does the GDPR Helper record when members agree to the User Agreement and Privacy Policy?  If not, is there any way to do this, or is the fact that they have to have consented to access the forum enough?
Yes it does.

Sorry to be thick, but where would this record be, should we be asked for it?

See this reply: https://www.simplemachines.org/community/index.php?topic=559841.msg3970969#msg3970969

But getting at the data now requires a query in PHP admin.
It would be nice to have a list of this data present in the admin menu as well, for easy access should this be requested in future...

Thanks, I missed that.  I agree, it would be good to have this available in the Admin Control Panel. 
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: jppialasse on May 14, 2018, 12:01:02 PM
PDF, I'm not even sure if you can make a machine interpret the content normally?
In which case, I wonder if PDF is even an acceptable interchangeable format and would be more inclined to say it'd have to be something like CSV.

Yes, I saw that and it's great work. But if the member wants to stay active, I would like to be able to delete the IP on older topics. Especially on those where the member has already been deleted.

Maybe I understand wrong, but if a member wants to stay active, that means they keep giving you their consent.
In which case, I don't think they have the right to selectively ask you to "forget" things. You can't demand to only selectively give consent for an agreement. It's an all or nothing scenario, either you give consent or you retract consent; they can't demand "I give you consent for section A to E but not for sections F to K" - that's not how it works. That means everyone could potentially get a tailored agreement, that'd be disastrous.

Moreover, collecting IP's of active users is a genuine processing case to keep track of spam and account changes...

Sorry for the late answer to this post in the thread, but an option to delete IP, from ALL posts, after a certain amount of time is a legitimate option, even before GDPR.

If you take the situation in France, you can and even have to collect IP as a provider of services and keep them up to one year. After that you have to anonymize the IP (for reference: "La loi du 21 juin 2004 pour la confiance dans l'économie numérique et le décret du 25 février 2011"). Also with the GDPR, there is an emphasis on the fact that data has to be kept for the time it is useful for its initial purpose.

So I am ok with the fact that the IPs are used to fight against SPAM, but what about an IP logged 12 years ago? What is its purpose today? Knowing that the user was in Barbados in July 2006 is a little intrusive, isn't it? The geoiplookup might even not be accurate with possible changes.

In other words we do not have a legitimate reason to keep them as SMF currently does and it should be purged after X months (has to be set depending on your local legislation)
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Si6776 on May 14, 2018, 12:21:04 PM
PDF, I'm not even sure if you can make a machine interpret the content normally?
In which case, I wonder if PDF is even an acceptable interchangeable format and would be more inclined to say it'd have to be something like CSV.

Yes, I saw that and it's great work. But if the member wants to stay active, I would like to be able to delete the IP on older topics. Especially on those where the member has already been deleted.

Maybe I understand wrong, but if a member wants to stay active, that means they keep giving you their consent.
In which case, I don't think they have the right to selectively ask you to "forget" things. You can't demand to only selectively give consent for an agreement. It's an all or nothing scenario, either you give consent or you retract consent; they can't demand "I give you consent for section A to E but not for sections F to K" - that's not how it works. That means everyone could potentially get a tailored agreement, that'd be disastrous.

Moreover, collecting IP's of active users is a genuine processing case to keep track of spam and account changes...

Sorry for the late answer to this post in the thread, but an option to delete IP, from ALL posts, after a certain amount of time is a legitimate option, even before GDPR.

If you take the situation in France, you can and even have to collect IP as a provider of services and keep them up to one year. After that you have to anonymize the IP (for reference: "La loi du 21 juin 2004 pour la confiance dans l'économie numérique et le décret du 25 février 2011"). Also with the GDPR, there is an emphasis on the fact that data has to be kept for the time it is useful for its initial purpose.

So I am ok with the fact that the IPs are used to fight against SPAM, but what about an IP logged 12 years ago? What is its purpose today? Knowing that the user was in Barbados in July 2006 is a little intrusive, isn't it? The geoiplookup might not even be accurate with possible changes.

In other words we do not have a legitimate reason to keep them as SMF currently does and they should be purged after X months (to be set depending on your local legislation)

Does it have any bearing that only Admins can see IPs?  Also, I've been with my ISP for 11 years, and have always had the same fixed IP address, so it's quite possible that older IPs could still be attached to a current user.  The only way around this that I can see would be to delete all users who haven't logged in for a given period of time.  But, at the moment the legislation surrounding forums is quite woolly, so I'm not about to start deleting swathes of members, until I know that I have to.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: jppialasse on May 14, 2018, 02:39:14 PM

Does it have any bearing that only Admins can see IPs?  Also, I've been with my ISP for 11 years, and have always had the same fixed IP address, so it's quite possible that older IPs could still be attached to a current user.  The only way around this that I can see would be to delete all users who haven't logged in for a given period of time.  But, at the moment the legislation surrounding forums is quite woolly, so I'm not about to start deleting swathes of members, until I know that I have to.
It is still an issue as you shall not keep data for longer than they are intended to be used.

The easy solution I see is, for all posts older than X months/years, to replace the IP by 127.0.0.1 or another local loop IP in smf_members and smf_messages, and for all elements also older than this amount of time just flush the lines from smf_log_errors and smf_log_floodcontrol
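The retention job proposed in the post above, as a runnable sketch (an added example, not part of the thread and not SMF or mod code): IPs older than a configurable period are overwritten with 127.0.0.1 in smf_messages and smf_members, and old rows are deleted from smf_log_errors and smf_log_floodcontrol. Assumptions: every column name except poster_ip, last_login as the age of a member's stored IP, and an in-memory SQLite database with constructed rows standing in for the forum's database.

```python
import sqlite3
import time

DAY = 86400
LOOPBACK = "127.0.0.1"  # replacement value proposed in the post

# (table, timestamp column, IP column). The tables are the ones named in the
# post; the column names are assumptions for this sketch, except poster_ip.
ANONYMIZE = (
    ("smf_messages", "poster_time", "poster_ip"),
    ("smf_members", "last_login", "member_ip"),
)
# (table, timestamp column): rows older than the cutoff are deleted outright.
PURGE = (
    ("smf_log_errors", "log_time"),
    ("smf_log_floodcontrol", "log_time"),
)


def build_demo_db(now):
    """Constructed in-memory stand-in for the forum database (sample data only)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE smf_messages (id_msg INTEGER PRIMARY KEY, id_member INT,
                                   poster_time INT, poster_ip TEXT);
        CREATE TABLE smf_members (id_member INTEGER PRIMARY KEY,
                                  last_login INT, member_ip TEXT);
        CREATE TABLE smf_log_errors (id_error INTEGER PRIMARY KEY,
                                     log_time INT, ip TEXT);
        CREATE TABLE smf_log_floodcontrol (ip TEXT, log_time INT);
    """)
    # Addresses come from the documentation ranges (RFC 5737).
    db.executemany("INSERT INTO smf_messages VALUES (?, ?, ?, ?)", [
        (1, 1, now - 400 * DAY, "192.0.2.10"),     # older than one year
        (2, 1, now - 10 * DAY, "192.0.2.11"),      # recent, must be kept
        (3, 0, now - 4000 * DAY, "198.51.100.7"),  # very old guest post
    ])
    db.executemany("INSERT INTO smf_members VALUES (?, ?, ?)", [
        (1, now - 5 * DAY, "192.0.2.11"),
        (2, now - 800 * DAY, "203.0.113.5"),
    ])
    db.executemany("INSERT INTO smf_log_errors VALUES (?, ?, ?)", [
        (1, now - 500 * DAY, "203.0.113.5"),
        (2, now - 1 * DAY, "192.0.2.11"),
    ])
    db.executemany("INSERT INTO smf_log_floodcontrol VALUES (?, ?)", [
        ("198.51.100.7", now - 366 * DAY),
        ("192.0.2.11", now - 60),
    ])
    db.commit()
    return db


def apply_retention(db, retention_days, now=None):
    """Anonymize or purge everything older than retention_days.

    Returns {table: rows changed}. Running it again changes nothing, because
    rows that already hold the loopback value are skipped.
    """
    now = int(time.time()) if now is None else now
    cutoff = now - retention_days * DAY
    changed = {}
    with db:  # one transaction: all four tables are processed, or none
        for table, time_col, ip_col in ANONYMIZE:
            cur = db.execute(
                f"UPDATE {table} SET {ip_col} = ? "
                f"WHERE {time_col} < ? AND {ip_col} <> ?",
                (LOOPBACK, cutoff, LOOPBACK),
            )
            changed[table] = cur.rowcount
        for table, time_col in PURGE:
            cur = db.execute(f"DELETE FROM {table} WHERE {time_col} < ?", (cutoff,))
            changed[table] = cur.rowcount
    return changed


def stored_ips(db, table, ip_col):
    """Sorted list of the IP values still stored in a table."""
    return sorted(row[0] for row in db.execute(f"SELECT {ip_col} FROM {table}"))


if __name__ == "__main__":
    now = int(time.time())
    demo = build_demo_db(now)
    print(apply_retention(demo, retention_days=365, now=now))
    print(stored_ips(demo, "smf_messages", "poster_ip"))
```

The retention period is a parameter because, as the thread notes, the applicable limit depends on local legislation.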
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 14, 2018, 02:43:52 PM
What is the time period for that intended use? I would argue at times it could be a long time if you have ever encountered a legal issue.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Si6776 on May 14, 2018, 02:58:36 PM
It would be difficult to define a period of use.  If someone joins a forum, seeing as that's what we're talking about here, it's not usually stipulated how long they will be a member for, therefore the 'period of use' can only be determined as indefinite, or until the member closes their account. 

I guess it could be argued that any members who don't re-consent could be considered no longer active members, but it's all ifs buts and maybes.  My understanding is that data does not have to be deleted unless there is a request to do so.  So, who is to decide whether and when to delete a member through inactivity?

Also, what happens in the event of a deceased member?  They obviously can't request that their account and data is deleted, so should forum owners take that decision upon themselves?
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Kindred on May 14, 2018, 03:48:21 PM
I disagree with your contention, jppialasse - and I would disagree with the removal of IP being a standard feature in SMF.

The GDPR allows the user to request the removal when the account is deleted.... other than that... nope, it stays!
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: petb on May 14, 2018, 04:04:55 PM
........... as you shall not keep data for longer than they are intended to be used.
I agree with this point.
The EU requires the data to be deleted as soon as they are no longer needed to fulfill the service.
The EU generally says that only data may be stored which are essential for the service to be granted.
Since the IP address for the operation of the forum is not mandatory (?) It should not be stored at all.
Why does the forum need the IP?
There is no legal obligation to keep an IP.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 14, 2018, 04:09:11 PM
I disagree there is a legal need to keep an ip address if someone posts/uploads something. You  will need to turn off over some information.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Si6776 on May 14, 2018, 04:12:15 PM
........... as you shall not keep data for longer than they are intended to be used.
I agree with this point.
The EU requires the data to be deleted as soon as they are no longer needed to fulfill the service.
The EU generally says that only data may be stored which are essential for the service to be granted.
Since the IP address for the operation of the forum is not mandatory (?) It should not be stored at all.
Why does the forum need the IP?

Every website uses an IP address to connect to the user.  IP addresses are essential on forums to manage bans, guard against spammers / hackers, and in case there is a legal request for information.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: petb on May 14, 2018, 04:21:21 PM
There is no obligation to collect data to make it easier for criminal authorities to identify disturbers.
Because that would put any user under criminal suspicion, which may not be synonymous.

For a long time, there have been initiatives that investigate exactly storing the IP addresses as illegal.
Why else were there e.g. the Telekom allowed only a storage time of 80 days?
Only because they were granted that they are needed for 80 days for settlements or their complaint by the participant, as proof of the settlement.

There have been many discussions that the IP is just not needed for flatrates. Etc. etc..
And the whole thing is exacerbated by the GDPR now.

........... as you shall not keep data for longer than they are intended to be used.
I agree with this point.
The EU requires the data to be deleted as soon as they are no longer needed to fulfill the service.
The EU generally says that only data may be stored which are essential for the service to be granted.
Since the IP address for the operation of the forum is not mandatory (?) It should not be stored at all.
Why does the forum need the IP?

Every website uses an IP address to connect to the user.  IP addresses are essential on forums to manage bans, guard against spammers / hackers, and in case there is a legal request for information.
If this is listed as a reason, then it is worth considering which law is rated higher.
The right to your own data or the possible defense against interferers?
Since it is clear what a judge will say, "the potential risk of possible interference weighs less"
And to ward off interferers hackers, etc., the IP may indeed be saved!
But just "not burdensome long" in a post by a user.
And that's the point here.

It is not necessary to save the IP for the post of a user.
If it interferes, the user account can be locked.
No IP storage is necessary for this.

Storing the IP detached from the user name to prevent further interference via firewalls, access lists, etc. is another matter.
The context of storage is important.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Si6776 on May 14, 2018, 04:28:34 PM
So, how are dynamic IP addresses dealt with?  And how do you deal with users who, like myself, access the forum from different locations, and therefore, have different IP addresses all the time?
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Si6776 on May 14, 2018, 04:32:06 PM
The law has to be 'reasonable', and if it states that a person can request to have their data removed, then we obviously would comply with that request, and all of their personal data, including IP address, would be removed from posts.  But if they don't request it, then I don't see why it should be removed, unless there is a specific timeframe legislated for 'orphaned' data removal.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: petb on May 14, 2018, 05:17:34 PM
So, how are dynamic IP addresses dealt with?  And how do you deal with users who, like myself, access the forum from different locations, and therefore, have different IP addresses all the time?
Yes, this makes it difficult for prosecution, so it is also not sure that the IP is always sufficient for identification and that is also a reason why it should not be saved for a post.


The law has to be 'reasonable', and if it states that a person can request to have their data removed, then we obviously would comply with that request, and all of their personal data, including IP address, would be removed from posts.  But if they don't request it, then I don't see why it should be removed, unless there is a specific timeframe legislated for 'orphaned' data removal.
If even a player as big as Telekom can not store IP addresses forever, why should a forum operator be allowed to do so?
Always provided the storage is not mandatory, e.g. at a pay system to create bills, etc. And even then the operator can be expected to make his billing so timely that the IP addresses are deleted in a reasonable time.

Initiatives against the storage of IP addresses have been illuminating the issue for years and I can not reproduce everything that they cite.
But I see that their comments by the DSGVO get more substance.

To put it bluntly, I find that all very stupid, but it is how it comes.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Si6776 on May 14, 2018, 05:36:17 PM
I'd further dispute whether an IP address can be seen in law as 'personally identifiable information'.  All it indicates is the device that the post came from.  That doesn't explicitly identify the person who operated the said device at any given time.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: hugbear on May 14, 2018, 08:15:27 PM
IMHO the IP is NOT Personally Identifiable Information since a forum owner has no legal means to compel the user's ISP to provide the identity of the user.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Kindred on May 14, 2018, 08:20:31 PM
and I disagree with your contention, Petb... The IP address is required information for all users. It gets stored for as long as you are a user. period. end of story....  I disagree with any contention that it should or must be deleted unless the account itself is deleted


However, hugbear and si6776 -- the GDPR does actually set out the IP as considered PII.

Just makes it more clear that the politicians are complete idiots

Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Ben_S on May 16, 2018, 07:53:12 AM
I'd further dispute whether an IP address can be seen in law as 'personally identifiable information'.  All it indicates is the device that the post came from.  That doesn't explicitly identify the person who operated the said device at any given time.

You can dispute it all you like, but it doesn't change the fact it has been ruled as personal data in court - https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases.

GDPR is quite clear that an IP address should be considered as personal data.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: hugbear on May 16, 2018, 10:48:54 AM
[IP] has been ruled as personal data in court
That paper states quite clearly that the court has ruled that IP is PII in some cases, like when the operator has access to both the IP and the ID of the user (i.e. ISPs). On the other hand, on forum that has no way of getting both information, IP is not considered PII:
Quote
Where a piece of information (such as an IP address) does not directly identify a person, that piece of information will nevertheless be personal data in the hands of any party that can lawfully obtain sufficient additional data to link the information to a person's real world identity.
On the other hand, that same piece of information will not be personal data in the hands of a party that has no legal means of obtaining sufficient additional data to make such a link.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Kindred on May 16, 2018, 10:54:09 AM
unless, like most people, they have used their ISP account name as their email address or even as their forum account name -- in which case, the IP, in combination with those is now PII.


So - unless you have some way to check whether a user has used their ISP account name when they signed up or for their email address, you must ASSUME that the IP is part of the PII
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Si6776 on May 16, 2018, 11:08:42 AM
Essentially though, the IP is required to administer the user's forum account, so unless a user requests an account deletion, forums have a legal basis for storing IP addresses, don't they?  There doesn't seem to be anything specific about the length of time data can be stored, as yet.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Kindred on May 16, 2018, 11:24:37 AM
exactly...

when the account is requested to be deleted, we have to remove the username, email address and IP address.
We can keep the posts.

Until the account deletion request is submitted, though, we can keep IP for as long as the forum runs. There is no hard time period and anyone who argues that we don't need the IP after X period can go pound sand.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: hugbear on May 16, 2018, 01:03:41 PM
they have used their ISP account name as their email address or even as their forum account name
I don't quite get it. However, my „getting it” bears no relevance to this:

Say a user decides to willingly identify himself to the public by entering revealing personal info into various fields (username, profile fields, public posts etc.). In this case, the IP is clearly linked to his real-life identity, but those pieces of information are already in the open. As you pointed out, in this case the IP is required for the proper function of the forum, so - no deletion.

At some point though, this user requests that his account be deleted and points out all the personal info to be removed. After the admin conforms to his request and his account becomes anonymized,  all links between his IP(s)  and his RL ID will have been severed! Therefore, deletion of IPs becomes pointless.  :)
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Si6776 on May 16, 2018, 01:09:04 PM
At some point though, this user requests that his account be deleted and points out all the personal info to be removed. After the admin conforms to his request and his account becomes anonymized,  all links between his IP(s)  and his RL ID will have been severed! Therefore, deletion of IPs becomes pointless.

In that case, so would keeping it.  :)
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: hugbear on May 16, 2018, 01:21:45 PM
Not quite. Maybe the forum owner, his helpers, members of the forum or guests can no longer ID him. But law enforcing agencies, with the proper lawful authorisation, can correlate the IP/timestamp with information from the ISP to build evidence.

However, that's beside the point. The point is that after anonymization, the IP ceases to be PII. Therefore there's no longer any reason for its deletion to be enforced.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: jppialasse on May 16, 2018, 03:41:22 PM
What is the time period for that intended use? I would argue at times it could be a long time if you have ever encountered a legal issue.

For IP in France this is one year according to the local regulation. The current situation makes it difficult for a person to ask for the information, and penalties were difficult to enforce and fees were small. With enforcement of GDPR, there are chances this will be more frequent, and the fees are really higher.

Driving for 10 years 50 km/h higher than the limit without being fined is not a proof you can keep on driving fast. The longer you do it wrong the higher the chances you get caught.

This is one year in France but maybe some other countries have no regulation or ask for 24 months or anything else. So this could be just an option to enforce with an amount of time to be set. So if the option is present it is up to the admin to enable it according to his local regulation.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: jppialasse on May 16, 2018, 03:45:40 PM
I disagree with your contention, jppialasse - and I would disagree with the removal of IP being a standard feature in SMF.

The GDPR allows the user to request the removal when the account is deleted.... other than that... nope, it stays!
You can disagree with me, but the regulation states you can not keep the IP for more than one year if you are in France. This is whether the user is still a member, or opts out. With GDPR enforced, we have to give the user all personal data we have about him, so he will know that we have IP for more than one year, again still in France. Other countries may or may not have regulation on IP conservation.

I do not speak of making deletion of IP a standard feature of SMF enforced by default, I speak about adding the option to comply with local regulation. With his GDPR add on, this could be a great opportunity.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Kindred on May 16, 2018, 04:58:30 PM
OK, how about this: I disagree with your interpretation of the regulation...

Title: Re: SMF & GDPR Personally Identifiable Information
Post by: kitz on May 16, 2018, 06:19:26 PM
@vbgamer45

Thank you so much for this mod.   I've installed it this evening and one of the first things I notice is this on the footer.   
I presume this is because I'm using a template other than the default.   

Can anyone give me guidance please on the best way to fix this please?

Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Bigguy on May 16, 2018, 06:39:54 PM
Could be just a css fix. (I think)
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: kitz on May 16, 2018, 10:15:02 PM
Could be just a css fix. (I think)

I have tried to look into this and sort it myself but really don't know what I am doing when it comes to modifications.  My forum is based on 'Core Theme' which is (or at least used to be) extremely popular.

From what I can see it's the insertion of <br> within a list which is causing the problem.  As soon as you enter a line break it all scrambles.

Code:
<div id="footerarea" class="headerpadding topmargin clearfix">
  <ul class="reset smalltext">
    <li class="copyright"> <span class="smalltext" style="display: inline; visibility: visible; font-family: Verdana, Arial, sans-serif;"><a href="https://forum.kitz.co.uk/index.php?action=credits" title="Simple Machines Forum" target="_blank" class="new_win">SMF 2.0.15</a> | <a href="http://www.simplemachines.org/about/smf/license.php" title="License" target="_blank" class="new_win">SMF &copy; 2017</a>, <a href="http://www.simplemachines.org" title="Simple Machines" target="_blank" class="new_win">Simple Machines</a><br />
      <a href="https://forum.kitz.co.uk/index.php?action=gpdr;sa=privacypolicy">Privacy Policy</a> </span></li>
    <li><a id="button_xhtml" href="http://validator.w3.org/check?uri=referer" target="_blank" class="new_win" title="Valid XHTML 1.0!"><span>XHTML</span></a></li>
    <li><a id="button_rss" href="https://forum.kitz.co.uk/index.php?action=.xml;type=rss" class="new_win"><span>RSS</span></a></li>
    <li class="last"><a id="button_wap2" href="https://forum.kitz.co.uk/index.php?wap2" class="new_win"><span>WAP2</span></a></li>
  </ul>
</div>

Like I say, I know nothing about mod packages, but would it not be more correct for the package to insert the privacy policy as a new list item <li> rather than just inserting a <br> which can have varying behaviour depending on browser type.

Something like:
Quote
Search for 'blahblah'
Replace with <li class="copyright"><a href="https://forum.kitz.co.uk/index.php?action=gpdr;sa=privacypolicy">Privacy Policy</a></li>
may work better for all forums not just those using the Curve Theme.

Apols if I'm barking up the wrong tree...  so after I've just tried to find out what's wrong..  now I still have no clue what I should be changing in my files or rather which files I should be editing.   
My concern is if I do a manual edit then it will complicate things if there is a future update to the GDPR mod and or I need to uninstall.  :(




Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Conay on May 16, 2018, 10:50:18 PM
The right to erase

The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable you to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

On the forum, this can be dealt with by requesting to delete your account. A deletion will have to be approved by an administrator (to protect against accounts being deleted maliciously). Posts can be individually deleted, and can be deleted en masse. A full deletion requires a request being sent to the email above.

Your new ToS is excellent, but there seems to be a somewhat grey area around the removal of all posts should a member wish to delete their account.  If indeed, this is not a requirement, providing the member has been fully anonymised, would it be slightly misleading to say that posts can be deleted 'en masse', as how would you distinguish 'en masse'  from 'all posts'?  I would be inclined to remove the 'en masse' part, and add something along the lines of:

Quote
... In the case of a full deletion, please note that post content is not subject to the ‘right of erasure’. All posts from a deleted account will be anonymised so no trace will be left to the post author, however, any identifiable information in posts themselves won't be deleted.

How sure are we that post content isn't subject to the rights of erasure?

Thanks for this, I much prefer that phrasing. Admittedly my initial inclination was that I didn't actually mind users deleting all their posts, but having spoken to other admins the consensus appears to be against that.

Separately I've actually updated a huge part of the ToS having looked at a number of different companies and how they've approached it. IANAL so it's been quite a challenge figuring out what needs to be said in as few words as possible.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: SpacePhoenix on May 17, 2018, 01:31:18 AM
What would happen under GDPR if a user (not necessarily on a site running SMF) gets banned, then requests deletion under GDPR? Would that leave them free to create a new account and make it impossible to ban people who create multiple accounts?
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Aleksi "Lex" Kilpinen on May 17, 2018, 01:31:40 AM
One small thing I'd like to mention here - the GDPR actually has a lot of stipulations to allow completely ignoring most of the demands set out in the GDPR. Like, you can keep any data legally collected to protect a legal interest of your own as long as the data is relevant and necessary to protect that legal interest. To protect a legal interest (such as securing the forum, technically make possible a service, gaining ad revenue, etc.) you are not required to get explicit consent, because in the GDPR consent and legal interests are 2 different justifications for keeping data. You are also not required to fulfill the data portability and accessibility parts of the GDPR if it would be technically unfeasible or require an unproportionate effort. Also the whole thing mostly applies to registered business entities, not so much private forum owners.

Or this is my understanding of the GDPR at the moment, after spending some time going through material from different sources, including the original text of the GDPR.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: kitz on May 17, 2018, 05:44:28 AM
Could be just a css fix. (I think)

I have tried to look into this and sort it myself but really don't know what I am doing when it comes to modifications.  My forum is based on 'Core Theme' which is (or at least used to be) extremely popular.

From what I can see it's the insertion of <br> within a list which is causing the problem.  As soon as you enter a line break it all scrambles.


OK I've played around with the css and found an acceptable solution which fixes this.
In index.css On or around line 1285 amend code to as follows

Code:
#footerarea ul li.copyright
{
display: block;
font-size: small;
line-height: 1;
padding: 0em;
}



Hopefully this will help others who are also using Core based Themes.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Louis on May 17, 2018, 07:35:39 AM
Let me jump on the IP and mail addresses stored with posts once more...

Do these two fields (poster_email and poster_ip) serve any special purpose within SMF? Or could they just be omitted?
I would expect all spam protection etc taking place before storage in smf_messages table - and thus finally populating the fields should no longer be necessary. Esp. as messages seem to be linked to author via the ID_member field....
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Conay on May 17, 2018, 07:37:20 AM
What would happen under GDPR if a user (not necessarily on a site running SMF) gets banned, then requests deletion under GDPR? Would that leave them free to create a new account and make it impossible to ban people who create multiple accounts?

I would argue they still have the right to deletion/being anonymised on their posts, however the forum would have the right to keep a record of email address, IP address and hostnames to keep the ban. You as a forum owner have a legitimate interest in maintaining this data. I include this (partially) in my forum's PP:

Quote
We have two principle bases for processing your data:
  • Consent: You are required to agree to terms and conditions prior to registering on the forum, which gives us explicit consent to process your data. You are also required to check a box to confirm you are happy with our privacy policy and our use of cookies.
  • Legitimate interest: For some data we collect, such as IP addresses and forum posts, we have a legitimate interest in collecting such data, including:
    • Providing a safe and enjoyable user experience, and
    • Protecting our users.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Louis on May 17, 2018, 07:48:32 AM
Yes in the database there are fields in the smf_themes table
gpdr_policydate - privacy policy date
gpdr_agreementdate - member agreement date
Why is that in the themes table? Shouldn't it be part of smf_settings? After all, GDPR is valid independently from the current theme.

Even nicer would be to have it in the individual members record, something like a last_acceptance_privacy and last_acceptance_tos, perhaps even with Y/N result. Taking that a step further would open possibilities to restrict those users (who have not accepted the most recent policies) to the "export data" area and let them delete their forum account (or request deletion from a forum admin)....
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 17, 2018, 08:03:17 AM
In the themes data since it is user member data. And it required no edits to database tables.  The settings table would not work for this.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Si6776 on May 17, 2018, 08:08:56 AM
I'm getting lots of emails from companies basically saying "this is our new privacy policy, but you don't have to do anything to carry on as you were".  One of them was from my local authority, with which I do contract work for.  So, the email seems to imply that previous consent is enough to continue with consent, as long as there is an obvious option to remove consent. This is for newsletters, communications, etc.

Are we all running round in circles trying to find ways to get members to re-consent to T&C's and PPs, when previous consent is actually enough, as long as they are notified that the policies have been changed?
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Louis on May 17, 2018, 08:50:03 AM
In the themes data since it is user member data. And it required no edits to database tables.  The settings table would not work for this.
But it still results in new acceptance after a theme change as the user options are stored per user per theme. Probably not much to worry about.....
I'll keep it in the back of my head for a future wishlist ;)


Are we all running round in circles trying to find ways to get members to re-consent to T&C's and PPs, when previous consent is actually enough, as long as they are notified that the policies have been changed?
IIRC GDPR requires explicit proof of consent (actually as a documented opt-in) in case of disputes. I'm no lawyer so I cannot judge whether these "if you don't act upon this mail we assume you're fine with the new agreements" are really GDPR compliant - I have some doubts, but time will tell...
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: akalebic on May 17, 2018, 09:28:13 AM
So the GDPR compliance is already implemented on many sites (non SMF) and it is pretty much clear how it should look. I visited several bigger companies and for sure their lawyers already swallowed the rules. So the SMF is for sure non compliant and therefore it can be very costly especially if it is run by companies. The penalties for companies can go up to 20 millions € or 4 percent of profit income whichever is greater.  So definitely is not for joking.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 17, 2018, 09:32:44 AM
So the GDPR compliance is already implemented on many sites (non SMF) and it is pretty much clear how it should look. I visited several bigger companies and for sure their lawyers already swallowed the rules. So the SMF is for sure non compliant and therefore it can be very costly especially if it is run by companies. The penalties for companies can go up to 20 millions € or 4 percent of profit income whichever is greater.  So definitely is not for joking.
Is there anything that I am missing from my addon?
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: akalebic on May 17, 2018, 09:37:07 AM
Is there anything that I am missing from my addon?

Where I can see your add-on in action?
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 17, 2018, 09:38:32 AM
Is there anything that I am missing from my addon?

Where I can see your add-on in action?
https://www.smfhacks.com
Details: https://www.smfhacks.com/index.php?action=downloads;sa=view;down=207
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Conay on May 17, 2018, 11:36:30 AM
Is there anything that I am missing from my addon?

Where I can see your add-on in action?
https://www.smfhacks.com
Details: https://www.smfhacks.com/index.php?action=downloads;sa=view;down=207

Firstly this is a really useful modification, I've installed it on my forum and really it seems like the final bit of work that needed for compliance.

The only thing I'd probably recommend adding is the inclusion of known IP addresses/hostnames, etc. to the info downloaded. I don't know if PMs are included, but if not they should be. But really this is minor adjustments.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: @rjen on May 17, 2018, 12:06:36 PM
I am still missing the custom profile fields in the download . Some of those are PII in my case..
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Kindred on May 17, 2018, 12:25:43 PM
personally, I don't think that PMs should be or need to be part of the download.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: kitz on May 17, 2018, 12:34:24 PM
I'm getting lots of emails from companies basically saying "this is our new privacy policy, but you don't have to do anything to carry on as you were".  One of them was from my local authority, with which I do contract work for.  So, the email seems to imply that previous consent is enough to continue with consent, as long as there is an obvious option to remove consent. This is for newsletters, communications, etc.

Are we all running round in circles trying to find ways to get members to re-consent to T&C's and PPs, when previous consent is actually enough, as long as they are notified that the policies have been changed?

Actually you have a valid point.  I just looked at the emails that I've gotten from some very large organisations who would have resources to proper legal representation and the vast majority just say along the lines of "We've updated our privacy policy. Please take a look at our updated Privacy Policy and Cookies Policy."    or "We are committed to protecting your personal details and to giving you access to them. To find out more, please read our Viewer Promise, including our Privacy Policy and Terms & Conditions"  That's it.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: kitz on May 17, 2018, 12:40:41 PM
I don't know if PMs are included, but if not they should be. But really this is minor adjustments.

Why?  They're not public - they are private between person a and person b. Why would PMs ever need to be portable?
TBF I'd rather keep PM's totally private and I have no inclination of ever wanting to see what correspondence has taken place between 2 people.   
Are we now starting to go overboard?
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Si6776 on May 17, 2018, 12:52:33 PM
I'm getting lots of emails from companies basically saying "this is our new privacy policy, but you don't have to do anything to carry on as you were".  One of them was from my local authority, with which I do contract work for.  So, the email seems to imply that previous consent is enough to continue with consent, as long as there is an obvious option to remove consent. This is for newsletters, communications, etc.

Are we all running round in circles trying to find ways to get members to re-consent to T&C's and PPs, when previous consent is actually enough, as long as they are notified that the policies have been changed?

Actually you have a valid point.  I just looked at the emails that I've gotten from some very large organisations who would have resources to proper legal representation and the vast majority just say along the lines of "We've updated our privacy policy. Please take a look at our updated Privacy Policy and Cookies Policy."    or "We are committed to protecting your personal details and to giving you access to them. To find out more, please read our Viewer Promise, including our Privacy Policy and Terms & Conditions"  That's it.

Exactly.  And large organisations are probably more at risk of heavy fines for non-compliance than a small tin-pot forum, so they're not likely to try to circumvent any legal requirements. 

I'm fairly sure that these new regulations are being implemented so as to give the EU a big stick with which to beat the likes of Google, Facebook, etc.  In my opinion, the risks of them sending expensive lawyers to chase after individuals and small concerns are pretty low, so whilst we need to be compliant, and not complacent, I don't think we need to make hard work of it.  Providing we have basic compliance in place by the 25th May, anything else can be looked at on an ongoing basis.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: kitz on May 17, 2018, 01:03:19 PM
personally, I don't think that PMs should be or need to be part of the download.

I would tend to agree.   See
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/

Title: Re: SMF & GDPR Personally Identifiable Information
Post by: kitz on May 17, 2018, 01:21:45 PM
As a follow up to the above and a classic example of data portability.   

I've just this minute logged into my Asda account to do my weekly shop and I see Asda taking advantage of the new data portability rules and what they are intended for.

This is brand new and the first time I've seen it

Quote
Import your favourites

Add your favourite products from another supermarket to your Asda account and speed up your shop

...  and talking of such, I can't recall getting any notification from Asda about their new policy.  I shall have to check but I certainly have not said 'yes' to anything.

-------------
ETA - nope no email about a new policy.   I did however get a "Asda uses cookies" pop up when I logged in.   Now considering I use them every week I will have given cookie consent on previous occasions, so it looks like they may have forced a new cookie within the past week.   

Title: Re: SMF & GDPR Personally Identifiable Information
Post by: hugbear on May 17, 2018, 01:27:22 PM
Technically, personal messages in SMF, while definitely not public, are not private either. The forum software does not guarantee that a controller's representative (i.e. the website admin) can't access the content of PMs. Just nit-picking...
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Kindred on May 17, 2018, 01:40:50 PM
right... nor does anything guarantee that your emails won't be read, in transit, by the NRA and Carnivore...

see Kitz's other statements, just above yours.   PMs are not portable - therefore, they don't count.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: hugbear on May 17, 2018, 02:03:25 PM
Right, I wasn't critical of the way SMF handles PMs, just pointing out the difference.

I don't think the size of the organization counts for much but rather what's being done with the PII in custody of the controller. If such information is being misused (e.g. sold to marketers or profilers), probably the consequences would be much harsher than if it's just collecting dust in the database of a stamp collector's forum. After all, misuse of PII is what this regulation is trying to protect users from.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Kindred on May 17, 2018, 03:31:32 PM
they just don't actually understand anything and therefore are going about the process in an idiotic way that actually makes no sense
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Louis on May 17, 2018, 04:02:52 PM
I don't think the PMs should be in focus for export - at least not now (nor in the near future).
This is opening Pandora's box. Making PMs exportable raises the same questions as deletion of all messages a user ever wrote in the forum: what if a PM contains a quote from another user's PM? Is the exporting user by any means entitled to "own" that quote - or is the quote rather property of the original author?
Let some judges go that route first before making any software mods - in worst case any SMF admin could always manually extract things directly from the database.


On the other hand I would as well vote for individual profile fields being included in the export - after all they are part of the user's profile and most probably not just there to fill some empty space on the page. Even without GDPR that would be a nice feature.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Conay on May 17, 2018, 07:15:02 PM
Fair enough - it's a bit of a legal minefield but it's important these things are discussed. I don't know if anyone's tried downloading Facebook/Twitter data and whether it contains DMs, if not then not including PMs would be going against general practice.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Aleksi "Lex" Kilpinen on May 17, 2018, 11:10:29 PM
Any website selling anything can basically cite contractual necessity, and base their rights to the data on legal interests alone - so websites like Asda mentioned earlier do not actually need to ask any consent if you have bought something from them.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: kitz on May 18, 2018, 04:38:22 AM
I've just noticed something about the mod and that is the fact that you can only export your own data.   Should admin (and only admin) not be able to export someone else's Data Information.

There may be times where say a user has been banned, but still has the right to request what information is held about them. 
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Kindred on May 18, 2018, 09:52:00 AM
no. IMO the admin should NOT be able to export anyone's data.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Aleksi "Lex" Kilpinen on May 18, 2018, 10:13:16 AM
no. IMO the admin should NOT be able to export anyone's data.
Actually, why not if PMs are not included? I think for full compliance, it might in some cases be needed for an admin to do the actual export.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Si6776 on May 18, 2018, 10:18:52 AM
no. IMO the admin should NOT be able to export anyone's data.
Actually, why not if PMs are not included? I think for full compliance, it might in some cases be needed for an admin to do the actual export.

If a banned member wants to export their data, they could be downgraded to a partial ban, so that they can still log into their account, and therefore export their own data, but cannot actually post anything.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Aleksi "Lex" Kilpinen on May 18, 2018, 10:25:01 AM
no. IMO the admin should NOT be able to export anyone's data.
Actually, why not if PMs are not included? I think for full compliance, it might in some cases be needed for an admin to do the actual export.

If a banned member wants to export their data, they could be downgraded to a partial ban, so that they can still log into their account, and therefore export their own data, but cannot actually post anything.
Well, true.. Could do it that way as well.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: kitz on May 18, 2018, 02:19:27 PM
TBF I'm not even sure if forum posts nvm PMs apply to the right to data portability. 

I've spoken to 2 people who have been dealing with GDPR, one of whom has had quite extensive legal advice and been delivering training to others.   I've had her look over my site as she offered free advice to small businesses who were customers of hers.  The only thing I still need to cover is a statement about the right to erasure and how I would go about this as I haven't yet changed my ToS, but the previous example provided earlier in this thread covers everything.

quote from ico

Quote
Information is only within the scope of the right to data portability if it is personal data of the individual that they have provided to you.

The idea is basically to be able to transfer personal data you may have given you such as email/phone nos to another organisation but could also include elsewhere as in the case of shopping lists, tracking data such as locations you've visited (read google traffic and location data) and data from smart meters (ie gas/electricity suppliers) so that you can easily move your data between one supplier and another. 


She didn't think forum posts applied for portability but suggested I ring the ico if I wanted to double check.   I hung on to their phone line listening to their "We are experiencing extremely high volume of calls to our helpline" for an hour before I hung up. :(
Their phone no is 0303 123 1113 if anyone else wants to try.


---------------
PS   After several convo's with her and not even taking into account data portability this is what she said after checking out my site and Privacy Policy

Quote
I reckon you’re covered - detail is good, the main point of GDPR is explicit and transparent explanation on the use of the subjects data and the opportunity for the subject to choose to not share their data with you based on that explanation so I don’t think you can be too detailed ! If you’ve explained everything and they’ve opted in then you’re not going to be liable. And yeah once they leave guest account them - boom - oh one thing - add a line at the bottom stating that they can opt out of the forum at any time and data will be anonymised- that’s a big one, making it clear you are offering the option to change their mind even if prior consent was given.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: kitz on May 18, 2018, 02:41:28 PM
In view of the above can I ask a request from @vbgamer45 please.

Would it be possible from within the admin CP > GDPR Helper > Settings to break down the setting  "Allow members to export their own data" into 2 distinct settings
  • Export User Data Information
  • Export Posts

Despite not having had it switched on for long and not even making it public that it's there,  I've already had one query about the Export post function in that nothing came up for them.
Obviously this was because they tried the lowest 1000 and they didn't join the forum until a few years after it started.   When you have a forum with hundreds of thousands of posts, then it's obviously going to take quite a while to go through several hundred runs just to find if a user has made any posts in that particular batch of 1000.

 ~ I envisage this could cause more queries when more users notice that it's there and me repeatedly having to explain that they are going to have to run a check on each batch of 1000. 

 ~ I also have concerns over server load -  If you had someone repeatedly clicking that button just for the hell of it.

Therefore I'm quite happy to leave the "User Data Information" in place, but I'd like to be able to switch off Exporting Posts unless I got a specific request to me please.

Finally - Someone also brought up profile data.    From what I can gather it is far more important to put info they may have supplied (such as location) in the csv file than concerns over data portability, which is a separate issue and may not even apply.   
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Si6776 on May 18, 2018, 04:04:46 PM
In view of the above can I ask a request from @vbgamer45 please.

Would it be possible from within the admin CP > GDPR Helper > Settings to break down the setting  "Allow members to export their own data" into 2 distinct settings
  • Export User Data Information
  • Export Posts

Despite not having had it switched on for long and not even making it public that it's there,  I've already had one query about the Export post function in that nothing came up for them.
Obviously this was because they tried the lowest 1000 and they didn't join the forum until a few years after it started.   When you have a forum with hundreds of thousands of posts, then it's obviously going to take quite a while to go through several hundred runs just to find if a user has made any posts in that particular batch of 1000.

 ~ I envisage this could cause more queries when more users notice that it's there and me repeatedly having to explain that they are going to have to run a check on each batch of 1000. 

 ~ I also have concerns over server load -  If you had someone repeatedly clicking that button just for the hell of it.

Therefore I'm quite happy to leave the "User Data Information" in place, but I'd like to be able to switch off Exporting Posts unless I got a specific request to me please.

Finally - Someone also brought up profile data.    From what I can gather it is far more important to put info they may have supplied (such as location) in the csv file than concerns over data portability, which is a separate issue and may not even apply.   

So, just to clarify, to export posts, does the user need to know the message ID of the range of posts they want to export?  That sounds incredulous and virtually impossible to action from a user perspective.  Surely that would be exempted from GDPR requirements on the grounds that it's not reasonably possible to provide such data in that way?  I can't really see that anyone would want to export all of their posts anyway, but if someone wanted to maliciously cause havoc by overloading a server, or making demands for the data from an Admin, that would seem a good way to do it.  :(
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 18, 2018, 04:33:41 PM
It's a range. Only if you have more than 1000 posts. That is done not to overload the server. I could raise it. It is not really that taxing for the amount of data that is exported.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Si6776 on May 18, 2018, 04:52:12 PM
It's a range. Only if you have more than 1000 posts. That is done not to overload the server. I could raise it. It is not really that taxing for the amount of data that is exported.

Some of my members have many thousands of posts.  It would be good if there was some clarification as to whether we actually need to allow exporting of posts as well as profile data.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: kitz on May 18, 2018, 06:07:09 PM
It's a range. Only if you have more than 1000 posts. That is done not to overload the server. I could raise it. It is not really that taxing for the amount of data that is exported.

I'm not quite sure what you mean.   This is what shows if I try to export my own data (see attachment below)
0 - 372,816 which is the total number of forum posts.  Yet if I view my stats I have made a total of 31,050 posts.


The member who queried me ran it for 0-1000 and it returned zero results.   Presumably this will be because he didn't have any posts within the message ID range 1-1000 as he only joined in 2011.  Yet he has made 22188 posts since then. 

Can you perhaps see the problem here?  How will any member know what range to enter when presented with 0-372,816
I'd probably have to run it 373 times to make sure I get all my own posts :(
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 18, 2018, 06:47:13 PM
I see the issue. I guess could let no limit....Just was doing for server load reasons
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Si6776 on May 18, 2018, 07:08:07 PM
I see the issue. I guess could let no limit....Just was doing for server load reasons

So, if I understand correctly, the ranges cover the whole forum?  Is there any way to make the Export tool only link to the specific member's posts?
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 18, 2018, 07:23:04 PM
Yeah just takes more time.
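The range problem discussed in the posts above, as an added example that is not part of any post and is not the GDPR Helper mod's code: it contrasts a forum-wide message-ID window with a per-member export paged by the last message ID seen. The table and column names follow SMF 2.0's `smf_messages`; the data is constructed and an in-memory SQLite database stands in for the forum's MySQL database.

```python
import sqlite3

BATCH = 1000  # per-request cap; the figure discussed in the thread


def build_demo_db(total_msgs=8000, late_member=7, joined_at_msg=3000):
    """Constructed forum: column names follow SMF 2.0's smf_messages table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE smf_messages ("
        " id_msg INTEGER PRIMARY KEY, id_member INTEGER NOT NULL,"
        " subject TEXT, body TEXT)"
    )
    # Composite index so the per-member query never scans other members' posts.
    db.execute("CREATE INDEX idx_member_msg ON smf_messages (id_member, id_msg)")
    rows = []
    for id_msg in range(1, total_msgs + 1):
        # late_member writes every second message, but only after joining.
        is_late = id_msg > joined_at_msg and id_msg % 2 == 0
        member = late_member if is_late else 1
        rows.append((id_msg, member, f"subject {id_msg}", f"body {id_msg}"))
    db.executemany("INSERT INTO smf_messages VALUES (?, ?, ?, ?)", rows)
    return db


def export_by_forum_range(db, id_member, start, end):
    """Behaviour described in the thread: the window spans the whole forum."""
    return db.execute(
        "SELECT id_msg, subject, body FROM smf_messages"
        " WHERE id_member = ? AND id_msg BETWEEN ? AND ? ORDER BY id_msg",
        (id_member, start, end),
    ).fetchall()


def export_member_batch(db, id_member, after_id_msg=0, limit=BATCH):
    """One bounded batch of this member's posts, resuming after a cursor.

    id_member must come from the logged-in session, never from the request,
    so a member can only ever export their own posts.
    """
    limit = max(1, min(int(limit), BATCH))  # the caller cannot raise the cap
    rows = db.execute(
        "SELECT id_msg, subject, body FROM smf_messages"
        " WHERE id_member = ? AND id_msg > ? ORDER BY id_msg LIMIT ?",
        (id_member, int(after_id_msg), limit),
    ).fetchall()
    # A full batch means there may be more; hand back where to resume.
    next_cursor = rows[-1][0] if len(rows) == limit else None
    return rows, next_cursor


def export_all(db, id_member):
    """Walk every batch; returns (posts, number_of_requests)."""
    cursor, posts, requests = 0, [], 0
    while cursor is not None:
        rows, cursor = export_member_batch(db, id_member, cursor)
        posts.extend(rows)
        requests += 1
    return posts, requests


if __name__ == "__main__":
    db = build_demo_db()
    print("forum range 0-1000:", len(export_by_forum_range(db, 7, 0, 1000)))
    posts, requests = export_all(db, 7)
    print("per-member export:", len(posts), "posts in", requests, "requests")
```

Each request stays capped at 1000 rows, so the server-load bound is kept while the member no longer has to guess which window holds their posts.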
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: petewadey on May 19, 2018, 04:46:15 AM
I've installed this great mod, and sent email to all my 1000+ members asking them to sign on and accept the agreement.
I was thinking whoever signs on since installing the mod have agreed, but notice on the who's on line, that a lot of members are just viewing the gpdr. This clocks them up as being on line, but not necessarily accepting the agreement.
How do I know when someone accepts?
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: akalebic on May 19, 2018, 07:40:52 AM
Is there anything that I am missing from my addon?

Where I can see your add-on in action?

Maybe someone asked but how the member exports own data? I couldn't find it...
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Si6776 on May 19, 2018, 07:50:00 AM
Quote from: akalebic
Maybe someone asked but how the member exports own data? I couldn't find it...

It's in the member's own profile.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: akalebic on May 19, 2018, 08:00:42 AM
Quote from: akalebic
Maybe someone asked but how the member exports own data? I couldn't find it...

It's in the member's own profile.

I already figured out that I had unchecked option that member can modify the profile.. Now when is enabled it works.. However thanks a lot.   ;)
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: busymouse on May 19, 2018, 09:38:06 AM
GPDR Helper For SMF 2.0.x

Warning does not guarantee GPDR compliance. No warranty provided.

Includes:
Allows member to export their data. Their profile and post information
On member deletion clears IP address and email from posts and assigns a new username to all old posts.
Includes a privacy policy page, adds link in the footer e and adds a section for consent on registration
Stores the date/time that the privacy policy was changed and option to force to reagree
Stores the date/time that the registration agreement was changed and option to force to reagree

Danke! Thx!  8)
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: petewadey on May 19, 2018, 12:20:16 PM
Yes in the database there are fields in the smf_themes table
gpdr_policydate - privacy policy date
gpdr_agreementdate - member agreement date




Can anyone point me to this Database please? Is it in CPanel or Admin on SMF?
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 19, 2018, 12:34:43 PM
Cpanel phpmyadmin stored as a unix timestamp
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: petewadey on May 19, 2018, 01:13:41 PM
I've gone Cpanel>MyAdmin>Databases>SMF>Themes.> and can't find gdpr? Am I close or miles away?
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Shambles on May 19, 2018, 01:39:03 PM
Miles away.

It's a direct menu item in the ACP
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: petewadey on May 19, 2018, 02:22:03 PM
Thanks for letting me know I'm miles away, but ACP? Please someone just tell me and others in simple terms how to access this data. > > > >etc.
Thanks
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Si6776 on May 19, 2018, 02:27:21 PM
Is there a way to untick the box in all member's profiles to receive Newsletters, etc, so that they have to opt-in again for these? 

I was under the impression that this was one of the main criteria of GDPR, but there seems to be some confusion, as previously mentioned in this thread, as many companies seem to be saying that previous consent still stands, as long as an opt-out option is clearly offered.  I'd like to remain on the safe side though, and have all members opt-in again if they choose to, if it's not too much hassle. 
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: akalebic on May 19, 2018, 02:44:33 PM
Thanks for letting me know I'm miles away, but ACP? Please someone just tell me and others in simple terms how to access this data. > > > >etc.
Thanks

ACP stands for Administrator Control Panel... So open the administration root tab (don't open sub items in menu) and it should be shown under as sub options between Configuration and Forum option...
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: hugbear on May 19, 2018, 04:34:37 PM
Is there a way to untick the box in all member's profiles to receive Newsletters, etc, so that they have to opt-in again for these?
Admin -> Main -> News and Newsletters... -> Newsletters -> Advanced -> Override Notification Settings

or

Admin -> Features and Options -> Allow users to disable announcements (although I don't think this would reset the override for those that already opted out of receiving news but likely it would rather prevent future opting out)
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Si6776 on May 19, 2018, 04:52:17 PM
Is there a way to untick the box in all member's profiles to receive Newsletters, etc, so that they have to opt-in again for these?
Admin -> Main -> News and Newsletters... -> Newsletters -> Advanced -> Override Notification Settings

or

Admin -> Features and Options -> Allow users to disable announcements (although I don't think this would reset the override for those that already opted out of receiving news but likely it would rather prevent future opting out)

Thanks, I'd missed that, but...

The Override Notification Settings says underneath it: "Send this to members even if they have chosen not to receive announcements."  So, that's not really what I want to do, as all that implies that it does is send to people even if they've unticked the box.

Unticking all the Membergroups in the non-Advanced bit seems to only govern who should receive Newsletters, but that then wouldn't give anyone the option to opt-in, would it?   What I want to do is untick the option in all member's profiles, so they have to re-tick it to opt back in.   :-\
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Kindred on May 19, 2018, 05:21:13 PM
There is no way to do that without a direct database edit
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: Si6776 on May 19, 2018, 06:52:26 PM
There is no way to do that without a direct database edit

OK, in which case, I guess we're hoping that won't be a requirement, and that 'pre-consent' can stick after GDPR.
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: petewadey on May 19, 2018, 08:01:19 PM
Thanks for letting me know I'm miles away, but ACP? Please someone just tell me and others in simple terms how to access this data. > > > >etc.
Thanks

ACP stands for Administrator Control Panel... So open the administration root tab (don't open sub items in menu) and it should be shown under as sub options between Configuration and Forum option...

If you mean the GDPR Helper tab, that doesn't tell me who has accepted the agreement? Where do I find that?
Title: Re: SMF & GDPR Personally Identifiable Information
Post by: vbgamer45 on May 19, 2018, 09:11:56 PM
There isn't a place in the frontend at the moment.
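One way an admin could audit acceptance straight from the database until a frontend exists, as an added example that is not part of any post and is not the mod's code. It assumes the two values named in the thread are rows in `smf_themes` (SMF 2.0 columns `id_member`, `id_theme`, `variable`, `value`) holding Unix timestamps, and it takes the newest value across themes because the options are stored per user per theme; the data is constructed and SQLite stands in for MySQL.

```python
import sqlite3
from datetime import datetime, timezone

CONSENT_VARS = ("gpdr_policydate", "gpdr_agreementdate")  # names quoted in the thread


def build_demo_db():
    """Constructed sample rows; layout assumed to match SMF 2.0."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE smf_members (id_member INTEGER PRIMARY KEY, member_name TEXT);
        CREATE TABLE smf_themes (
            id_member INTEGER, id_theme INTEGER, variable TEXT, value TEXT,
            PRIMARY KEY (id_theme, id_member, variable));
        """
    )
    db.executemany(
        "INSERT INTO smf_members VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol"), (4, "dave")],
    )
    db.executemany(
        "INSERT INTO smf_themes VALUES (?, ?, ?, ?)",
        [
            (1, 1, "gpdr_policydate", "1526700000"),
            (1, 1, "gpdr_agreementdate", "1526700000"),
            (1, 2, "gpdr_policydate", "1526000000"),  # older value on a second theme
            (2, 1, "gpdr_policydate", "1526000000"),  # accepted before the change
            (2, 1, "gpdr_agreementdate", "1526000000"),
            (3, 1, "gpdr_policydate", ""),            # malformed value
            (3, 1, "show_board_desc", "1"),           # unrelated theme option
        ],                                            # dave has no rows at all
    )
    return db


def parse_ts(value):
    """Return a positive integer timestamp, or None for missing/garbage."""
    try:
        ts = int(value)
    except (TypeError, ValueError):
        return None
    return ts if ts > 0 else None


def as_utc(ts):
    """Render a stored Unix timestamp for a human-readable report."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def latest_acceptance(db):
    """member_name -> {variable: newest timestamp across all themes, or None}."""
    placeholders = ", ".join("?" for _ in CONSENT_VARS)
    rows = db.execute(
        "SELECT m.member_name, t.variable, t.value"
        " FROM smf_members AS m"
        " LEFT JOIN smf_themes AS t"
        "   ON t.id_member = m.id_member AND t.variable IN (" + placeholders + ")"
        " ORDER BY m.id_member",
        CONSENT_VARS,
    ).fetchall()
    report = {}
    for name, variable, value in rows:
        # LEFT JOIN keeps members with no consent rows; they stay all-None.
        entry = report.setdefault(name, dict.fromkeys(CONSENT_VARS))
        ts = parse_ts(value)
        if variable is not None and ts is not None:
            if entry[variable] is None or ts > entry[variable]:
                entry[variable] = ts
    return report


def needs_reconsent(db, policy_changed, agreement_changed):
    """Members whose newest acceptance predates either document's change."""
    changed = dict(zip(CONSENT_VARS, (policy_changed, agreement_changed)))
    pending = [
        name
        for name, entry in latest_acceptance(db).items()
        if any(entry[v] is None or entry[v] < changed[v] for v in CONSENT_VARS)
    ]
    return sorted(pending)


if __name__ == "__main__":
    db = build_demo_db()
    for name, entry in latest_acceptance(db).items():
        shown = {v: as_utc(t) if t else "never" for v, t in entry.items()}
        print(name, shown)
    print("pending:", needs_reconsent(db, 1526500000, 1525000000))
```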