
SMF & GDPR Personally Identifiable Information

Started by kitz, April 11, 2018, 01:35:54 PM


kitz

With GDPR fast approaching, I was doing a data audit on what information is held by the forum software.  I have searched the forum but aside from this thread can't really find much info, but surely it must be a headache for other community based forum owners too and I'm surprised that no one else has brought the topic up.

Obviously there is no getting around IPs and email addresses, but I noticed that the software allows input of birthdate and gender, both of which come under scrutiny for GDPR.
TBH I don't want or need this data and TBF I'd rather not even store it any more.  We are a family friendly forum and age is of no consequence and gender is of no relevance.    How are other forum owners treating these 2 items?

  • Would SMF consider turning off these options for forums which don't need them and thus relieving us of the burden for something we don't need or even use?

  • Can I delete any info that anyone has already put in by running a query on the DB, and if so, can anyone give me a sample of what I should run?

    I really would appreciate other forum owners feedback on how they are dealing with GDPR.  We are non profit making and struggle as it is to cover hosting costs so consulting a lawyer isn't really a valid answer. :(

Kindred

those items are not required by default...  and gender can already be disabled



personally, I plan to completely ignore the idiocy that is GDPR.  The US has enough idiocy at the moment and I am not going to trouble myself with craziness from across the pond.

as for SMF as a whole...   we are considering what can/should be done.

I don't see how gender can be considered PII, though...

when a user deletes an account, I believe that gender, location and birthdate are deleted as well... So, you should be covered, there.

IP and email address are stored in each post, though... even from deleted accounts. (unless you let the individual delete all of their posts, which is not reasonable and would not be done on my sites, even if I was planning to follow GDPR, IMO)
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

kitz

Thank you for the prompt response.

Quote: gender can already be disabled

Thanks, wasn't aware that gender could be disabled.  Just found the option by enabling Advanced Profile Fields.

Could DOB be added in there too?

Quote: I plan to completely ignore the idiocy that is GDPR.

Unfortunately some of us can't because we're in the EU :/

Quote: I don't see how gender can be considered PII,

Race, ethnicity, gender, bio-data, sexual orientation and religion are all included.

kitz

I've noticed that despite turning the field off, existing data still remains in the table.
I'd therefore like to completely clear the data - presumably if I run the following SQL statements... these are the defaults and this will work?  *


UPDATE `smf_members` SET `gender` = 0;

UPDATE `smf_members` SET `birthdate` = '0001-01-01';



I'd also like to clear Location but am unsure what to enter in the field, as I don't think it's null or a space. Can anyone advise what value is in use, please?

UPDATE `smf_members` SET `location`= <value>


---
*bearing in mind I never, ever usually do anything in the SMF database.

vbgamer45

I would do

UPDATE `smf_members` SET `location`= ''
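The clean-up discussed in the posts above, together with a read-only check for the per-post e-mail and IP data Kindred mentions, as an added example that is not from any poster or from the SMF project. It assumes MySQL/MariaDB, the default smf_ table prefix, SMF 2.0 column names (id_member, poster_email and poster_ip in smf_messages) and InnoDB tables.

```sql
-- Added example, not SMF project code.
-- Assumptions: MySQL/MariaDB, default `smf_` table prefix, SMF 2.0 column
-- names, and InnoDB tables (on MyISAM the ROLLBACK option has no effect).

-- 1. Audit: how many accounts actually hold each optional field?
SELECT
    COUNT(*)                       AS members,
    SUM(gender <> 0)               AS with_gender,
    SUM(birthdate <> '0001-01-01') AS with_birthdate,
    SUM(location <> '')            AS with_location
FROM smf_members;

-- 2. Audit (read-only): posts not tied to an account (guests and deleted
--    members, id_member = 0) that still carry an e-mail address or IP.
SELECT
    COUNT(*)                AS unowned_posts,
    SUM(poster_email <> '') AS with_email,
    SUM(poster_ip <> '')    AS with_ip
FROM smf_messages
WHERE id_member = 0;

-- 3. Reset the three profile fields to the defaults used in this thread.
--    The WHERE clauses keep untouched rows out of the write.
START TRANSACTION;

UPDATE smf_members SET gender = 0 WHERE gender <> 0;
UPDATE smf_members SET birthdate = '0001-01-01' WHERE birthdate <> '0001-01-01';
UPDATE smf_members SET location = '' WHERE location <> '';

-- 4. Verify before committing: this must return 0.
SELECT COUNT(*) AS rows_still_holding_data
FROM smf_members
WHERE gender <> 0 OR birthdate <> '0001-01-01' OR location <> '';

COMMIT;   -- or ROLLBACK; if the count above is not 0
```

Database backups taken before the clean-up still contain the old values, so they need their own retention decision.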

-Rock Lee-

I am from Argentina and the hysteria generated by all this is something hypocritical but the bureaucracy needs to generate money for itself by doubt and it does not have to be understood that it applies to corporations or with a minimum of people that can be used for specific purposes. I do not have the exact number, because they do not say it with clarity apparently, but being something small I would not have to give importance to it and I believe when registering an account is aware of this ... at least the sources in Spanish that I have read pages in English can give more accurate answers.


Regards!

PD: Excuse my bad English
Returning like a Phoenix! ~ Bomber Code
Help - Contributions - Tutorials - And much more!!!


Kindred

you might want to note that neither of those references is being done by the software authors.... they are add-ons/mods.

hugbear

I think the biggest issue SMF has regarding GDPR is with "the right to Data Portability"(*) since I haven't found any way for a user to export his/her own data. Are there any plans to provide means to deal with such requests?


(*) The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided

Wellwisher

Just been doing my own research about GDPR. No doubt SMF will need to be compliant. All I can say is thank god for Brexit in the U.K. I am so glad U.K will be out of the E.U and along with it, E.U'S B.S rules and regs on the internet. Can't wait to remove cookie consent and this law when we leave the E.U.  :laugh:




SpacePhoenix

Quote from: Kindred on April 11, 2018, 01:42:30 PM
personally, I plan to completely ignore the idiocy that is GDPR.  The US has enough idiocy at the moment and I am not going to trouble myself with craziness from across the pond.

Then you'll need to be prepared to ban and maybe also delete any member of your personal forum who lives in the EU, otherwise you'll fall foul of the GDPR

Gwenwyfar

Quote from: SpacePhoenix on April 25, 2018, 05:10:02 AM
Quote from: Kindred on April 11, 2018, 01:42:30 PM
personally, I plan to completely ignore the idiocy that is GDPR.  The US has enough idiocy at the moment and I am not going to trouble myself with craziness from across the pond.

Then you'll need to be prepared to ban and maybe also delete any member of your personal forum who lives in the EU, otherwise you'll fall foul of the GDPR

If half the world ignores the GDPR... how do they go about trying to enforce it for so many people? They take down the internet? You're going to build sites around being afraid of all the silly laws over the place?

The country I live in has much of that. Technically, some retarded laws are broken by most of the population, so there's little they can do about it. And no one really cares because they are just stupid and there's enough bureaucracy as it is.

SMF as a software may need to address it, but I'm also personally giving it the finger ;)
"It is impossible to communicate with one that does not wish to communicate"

drewactual

so far as i see it it's nothing but an effort to clear the clutter (in their eyes).  sites with large financial backing will be the only ones capable of operating sooner or later, allowing easier control of what information is available when and where.  i can foresee a circumstance where anything any of these remaining sites have to pass anything they script through a filter operated by a central government before it can be 'shared' with the public. 

it's 1984 on the animal farm, while Atlas is shrugging.

shinglis

Like everyone else, doing my own research and where practicable I will try to comply but if the software does not allow it, I do not intend to change software just because it's not GDPR compliant.  Given the limited amount of user data I store (i.e email address) I don't predict many requests to export and if I have a request it will have to be via forum admin.

if as forum admin of approx 300 users I get chased down under GDPR rules it will be a sad day for the internet and its users.


Kindred

do note that username, email address and IP address are all considered personal data by the idiocy that is the GDPR

SpacePhoenix

Quote from: shinglis on April 25, 2018, 10:53:52 AM
Like everyone else, doing my own research and where practicable I will try to comply but if the software does not allow it, I do not intend to change software just because it's not GDPR compliant.  Given the limited amount of user data I store (i.e email address) I don't predict many requests to export and if I have a request it will have to be via forum admin.

if as forum admin of approx 300 users I get chased down under GDPR rules it will be a sad day for the internet and its users.


Quote from: Gwenwyfar on April 25, 2018, 06:00:34 AM
Quote from: SpacePhoenix on April 25, 2018, 05:10:02 AM
Quote from: Kindred on April 11, 2018, 01:42:30 PM
personally, I plan to completely ignore the idiocy that is GDPR.  The US has enough idiocy at the moment and I am not going to trouble myself with craziness from across the pond.

Then you'll need to be prepared to ban and maybe also delete any member of your personal forum who lives in the EU, otherwise you'll fall foul of the GDPR

If half the world ignores the GDPR... how do they go about trying to enforce it for so many people? They take down the internet? You're going to build sites around being afraid of all the silly laws over the place?

The country I live in has much of that. Technically, some retarded laws are broken by most of the population, so there's little they can do about it. And no one really cares because they are just stupid and there's enough bureaucracy as it is.

SMF as a software may need to address it, but I'm also personally giving it the finger ;)
Quote from: Wellwisher on April 24, 2018, 10:14:14 PM
Just been doing my own research about GDPR. No doubt SMF will need to be compliant. All I can say is thank god for Brexit in the U.K. I am so glad U.K will be out of the E.U and along with it, E.U'S B.S rules and regs on the internet. Can't wait to remove cookie consent and this law when we leave the E.U.  :laugh:

I just done a quick google search and found this:

https://www.gdprandbeyond.com/blog-post/data-privacy/gdpr-affect-non-european-companies/

Quote: The EU General Data Protection Regulation (GDPR) will come into place in less than one year's time. The regulation, which replaces the 1995 Data Protection Directive, makes changes to the way data is handled and processed in the EU. It includes fines of up to the greater of €20 Million or 4 percent of corporate annual turnover for firms that do not comply.

The GDPR covers companies operating within the EU. But there are questions about firms residing outside the bloc: For example, what exactly does the regulation mean for businesses based in the US? And will the UK need to adhere to GDPR after Brexit?

The short answer is: the regulation will affect firms both inside and outside of the EU. In fact, any company dealing with EU businesses', residents', or citizens' data will have to comply with the GDPR.

The guidance makes clear that all organisations handling such data will be required to comply, regardless of jurisdiction, says Jamal Elmellas, chief technology officer at Auriga Consulting.

(there's more to the article, I've just quoted only the 1st 4 paragraphs of it)

Rob Lightbody

Quote from: Wellwisher on April 24, 2018, 10:14:14 PM
Just been doing my own research about GDPR. No doubt SMF will need to be compliant. All I can say is thank god for Brexit in the U.K. I am so glad U.K will be out of the E.U and along with it, E.U'S B.S rules and regs on the internet. Can't wait to remove cookie consent and this law when we leave the E.U.  :laugh:

But they've already said GDPR will apply to us even after Brexit (we're adopting it, it was in the Queen's Speech) and also you have to do it if ANY of your members are EU citizens.

Wellwisher

Quote from: The QE2 Story Forum on April 25, 2018, 03:27:55 PM
But they've already said GDPR will apply to us even after Brexit (we're adopting it, it was in the Queen's Speech) and also you have to do it if ANY of your members are EU citizens.

Yes you're right this defo bites...

Quote: The short answer is: the regulation will affect firms both inside and outside of the EU. In fact, any company dealing with EU businesses', residents', or citizens' data will have to comply with the GDPR.
Source: https://www.gdprandbeyond.com/blog-post/data-privacy/gdpr-affect-non-european-companies/

Gwenwyfar

"It is impossible to communicate with one that does not wish to communicate"

Bigguy

Just a silly question but my site is not a business. From the link two posts up it says:

Quote: For example, what exactly does the regulation mean for businesses based in the US?

If your site is NOT a business do you still have to comply? I would think so after it says:

Quote: In fact, any company dealing with EU businesses', residents', or citizens' data will have to comply with the GDPR.

But that still refers to companies....what about the wee tiny small forum owner not doing business with anyone, just sittin around chattin.
