
Author Topic: SMF & GDPR Personally Identifiable Information  (Read 7635 times)

Offline kitz

  • Jr. Member
  • **
  • Posts: 115
    • kitz.co.uk
SMF & GDPR Personally Identifiable Information
« on: April 11, 2018, 01:35:54 PM »
With GDPR fast approaching, I was doing a data audit on what information is held by the forum software.  I have searched the forum but aside from this thread can't really find much info, but surely it must be a headache for other community based forum owners too and I'm surprised that no one else has brought the topic up.

Obviously there is no getting around IPs and email addresses, but I noticed that the software allows input of birthdate and Gender both of which come under scrutiny for GDPR
TBH I don't want or need this data and TBF I'd rather not even store it any more.  We are a family friendly forum and age is of no consequence and gender is of no relevance.    How are other forum owners treating these 2 items?

  • Would SMF consider turning off these options for forums which don't need them, thus relieving us of the burden of something we don't need or even use?
  • Can I delete any info that anyone has already put in by running a query on the DB, and if so, can anyone give me a sample of what I should run?


I really would appreciate other forum owners feedback on how they are dealing with GDPR.  We are non profit making and struggle as it is to cover hosting costs so consulting a lawyer isn't really a valid answer. :(

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 56,075
  • Gender: Male
    • Kindred-999 on GitHub
Re: SMF & GDPR Personally Identifiable Information
« Reply #1 on: April 11, 2018, 01:42:30 PM »
those items are not required by default...  and gender can already be disabled



personally, I plan to completely ignore the idiocy that is GDPR.  The US has enough idiocy at the moment and I am not going to trouble myself with craziness from across the pond.

as for SMF as a whole...   we are considering what can/should be done.

I don't see how gender can be considered PII, though...

when a user deletes an account, I believe that gender, location and birthdate are deleted as well... So, you should be covered, there.

IP and email address are stored in each post, though... even from deleted accounts. (unless you let the individual delete all of their posts, which is not reasonable and would not be done on my sites, even if I was planning to follow GDPR, IMO)
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline kitz

  • Jr. Member
  • **
  • Posts: 115
    • kitz.co.uk
Re: SMF & GDPR Personally Identifiable Information
« Reply #2 on: April 11, 2018, 02:11:08 PM »
Thank you for the prompt response.

Quote
gender can already be disabled

Thanks, wasn't aware that gender could be disabled.  Just found the option by enabling Advanced Profile Fields.

Could DOB be added in there too?

Quote
I plan to completely ignore the idiocy that is GDPR.

Unfortunately some of us can't because we're in the EU :/

Quote
I don't see how gender can be considered PII,

Race, ethnicity, gender, bio-data, sexual orientation and religion are all included.

Offline kitz

  • Jr. Member
  • **
  • Posts: 115
    • kitz.co.uk
Re: SMF & GDPR Personally Identifiable Information
« Reply #3 on: April 11, 2018, 02:50:06 PM »
I've noticed that despite turning the field off, existing data still remains in the table.
I'd therefore like to completely clear the data - presumably if I run the following SQL statements... these are the defaults and this will work?  *

Code:
UPDATE `smf_members` SET `gender` = 0;

-- the date must be a quoted literal; unquoted, 0001-01-01 is evaluated as arithmetic
UPDATE `smf_members` SET `birthdate` = '0001-01-01';


I'd also like to clear Location but am unsure what to enter in the field, as I don't think it's null or space. Can anyone advise what value is in use, please?

Code:
UPDATE `smf_members` SET `location`= <value>

---
*bearing in mind I never, ever usually do anything in the SMF database.

Online vbgamer45

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 19,985
    • smfhacks on Facebook
    • VBGAMER45 on GitHub
    • @createaforum on Twitter
    • SMF For Free
Re: SMF & GDPR Personally Identifiable Information
« Reply #4 on: April 11, 2018, 02:52:51 PM »
I would do
Code:
UPDATE `smf_members` SET `location` = '';
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro
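
A more cautious way to run the cleanup discussed in the posts above, shown as an added example that is not part of the original thread or of SMF itself: count what is stored, keep a short-lived copy, reset the three fields, then verify. It assumes MySQL and the default `smf_` table prefix; the `id_member` key column and the backup table name `smf_members_pii_backup` are assumptions, and the reset values are the ones given in the thread.

```sql
-- Added example; assumes MySQL and the default `smf_` table prefix.
-- `id_member` as the key column and the backup table name are assumptions.

-- 1. Baseline: how many rows actually hold each field?
SELECT
    SUM(`gender` <> 0)               AS rows_with_gender,
    SUM(`birthdate` <> '0001-01-01') AS rows_with_birthdate,
    SUM(`location` <> '')            AS rows_with_location
FROM `smf_members`;

-- 2. Short-lived safety copy of only the affected rows and columns.
CREATE TABLE `smf_members_pii_backup` AS
SELECT `id_member`, `gender`, `birthdate`, `location`
FROM `smf_members`
WHERE `gender` <> 0
   OR `birthdate` <> '0001-01-01'
   OR `location` <> '';

-- 3. Reset all three fields in one pass, touching only rows that need it.
--    The date is a quoted literal; unquoted it would be parsed as 1 - 1 - 1.
UPDATE `smf_members`
SET `gender`    = 0,
    `birthdate` = '0001-01-01',
    `location`  = ''
WHERE `gender` <> 0
   OR `birthdate` <> '0001-01-01'
   OR `location` <> '';

-- 4. Verify: every counter should now be 0 (or NULL on an empty table).
SELECT
    SUM(`gender` <> 0)               AS rows_with_gender,
    SUM(`birthdate` <> '0001-01-01') AS rows_with_birthdate,
    SUM(`location` <> '')            AS rows_with_location
FROM `smf_members`;

-- 5. The copy is itself personal data: drop it once the forum checks out.
DROP TABLE `smf_members_pii_backup`;
```

This only clears the three profile columns; as noted earlier in the thread, email and IP addresses stored with posts are untouched, and older database backups still contain the original values.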

Offline Rock Lee

  • SMF Hero
  • ******
  • Posts: 1,540
  • Gender: Male
  • Digitizing a new world :D
    • BomberCode.Oficial on Facebook
    • RockLee-BC on GitHub
    • @Bomber_Code on Twitter
    • Bomber Code ~ The new era of knowledge
Re: SMF & GDPR Personally Identifiable Information
« Reply #5 on: April 11, 2018, 03:46:22 PM »
I am from Argentina and the hysteria generated by all this is something hypocritical but the bureaucracy needs to generate money for itself by doubt and it does not have to be understood that it applies to corporations or with a minimum of people that can be used for specific purposes. I do not have the exact number, because they do not say it with clarity apparently, but being something small I would not have to give importance to it and I believe when registering an account is aware of this ... at least the sources in Spanish that I have read pages in English can give more accurate answers.


Regards!

PS: Excuse my bad English
Returning like a Phoenix! ~ Bomber Code © 2018
Help - Contributions - Tutorials - And much more!!!

Offline ormuz

  • Full Member
  • ***
  • Posts: 687

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 56,075
  • Gender: Male
    • Kindred-999 on GitHub
Re: SMF & GDPR Personally Identifiable Information
« Reply #7 on: April 12, 2018, 02:41:55 PM »
you might want to note that neither of those references is being done by the software authors.... they are add-ons/mods.

Offline hugbear

  • Semi-Newbie
  • *
  • Posts: 27
  • Gender: Male
Re: SMF & GDPR Personally Identifiable Information
« Reply #8 on: April 23, 2018, 08:11:45 PM »
I think the biggest issue SMF has regarding GDPR is with „the right to Data Portability”(*) since I haven't found any way for a user to export his/her own data. Are there any plans to provide means to deal with such requests?


(*) The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided

Offline Wellwisher

  • Jr. Member
  • **
  • Posts: 385
  • Gender: Male
Re: SMF & GDPR Personally Identifiable Information
« Reply #9 on: April 24, 2018, 10:14:14 PM »
Just been doing my own research about GDPR. No doubt SMF will need to be compliant. All I can say is thank god for Brexit in the U.K. I am so glad U.K will be out of the E.U and along with it, E.U'S B.S rules and regs on the internet. Can't wait to remove cookie consent and this law when we leave the E.U.  :laugh:




Offline SpacePhoenix

  • Semi-Newbie
  • *
  • Posts: 10
Re: SMF & GDPR Personally Identifiable Information
« Reply #10 on: April 25, 2018, 05:10:02 AM »
Quote
personally, I plan to completely ignore the idiocy that is GDPR.  The US has enough idiocy at the moment and I am not going to trouble myself with craziness from across the pond.

Then you'll need to be prepared to ban and maybe also delete any member of your personal forum who lives in the EU, otherwise you'll fall foul of the GDPR

Offline Gwenwyfar

  • Customizer
  • Sophist Member
  • *
  • Posts: 1,047
  • Gender: Female
    • Gwenwyfar on GitHub
Re: SMF & GDPR Personally Identifiable Information
« Reply #11 on: April 25, 2018, 06:00:34 AM »
Quote
personally, I plan to completely ignore the idiocy that is GDPR.  The US has enough idiocy at the moment and I am not going to trouble myself with craziness from across the pond.

Quote
Then you'll need to be prepared to ban and maybe also delete any member of your personal forum who lives in the EU, otherwise you'll fall foul of the GDPR

If half the world ignores the GDPR... how do they go about trying to enforce it for so many people? They take down the internet? You're going to build sites around being afraid of all the silly laws over the place?

The country I live in has much of that. Technically, some retarded laws are broken by most of the population, so there's little they can do about it. And no one really cares because they are just stupid and there's enough bureaucracy as it is.

SMF as a software may need to address it, but I'm also personally giving it the finger ;)

Offline drewactual

  • Jr. Member
  • **
  • Posts: 238
    • College Football Fan Site CFB51
Re: SMF & GDPR Personally Identifiable Information
« Reply #12 on: April 25, 2018, 08:39:38 AM »
so far as i see it it's nothing but an effort to clear the clutter (in their eyes).  sites with large financial backing will be the only ones capable of operating sooner or later, allowing easier control of what information is available when and where.  i can foresee a circumstance where anything any of these remaining sites have to pass anything they script through a filter operated by a central government before it can be 'shared' with the public. 

it's 1984 on the animal farm, while Atlas is shrugging.
https://www.cfb51.com is a College Football Fan Site, Store, and Publisher, launched in July of 2017

Offline shinglis

  • Semi-Newbie
  • *
  • Posts: 17
    • Somersetroadend
Re: SMF & GDPR Personally Identifiable Information
« Reply #13 on: April 25, 2018, 10:53:52 AM »
Like everyone else, doing my own research and where practicable I will try to comply but if the software does not allow it, I do not intend to change software just because it's not GDPR compliant.  Given the limited amount of user data I store (i.e email address) I don't predict many requests to export and if I have a request it will have to be via forum admin.

if as forum admin of approx 300 users I get chased down under GDPR rules it will be a sad day for the internet and its users.


Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 56,075
  • Gender: Male
    • Kindred-999 on GitHub
Re: SMF & GDPR Personally Identifiable Information
« Reply #14 on: April 25, 2018, 12:24:07 PM »
do note that username, email address and IP address are all considered personal data by the idiocy that is the GDPR

Offline SpacePhoenix

  • Semi-Newbie
  • *
  • Posts: 10
Re: SMF & GDPR Personally Identifiable Information
« Reply #15 on: April 25, 2018, 01:50:58 PM »
Quote
Like everyone else, doing my own research and where practicable I will try to comply but if the software does not allow it, I do not intend to change software just because it's not GDPR compliant.  Given the limited amount of user data I store (i.e email address) I don't predict many requests to export and if I have a request it will have to be via forum admin.

if as forum admin of approx 300 users I get chased down under GDPR rules it will be a sad day for the internet and its users.

Quote
personally, I plan to completely ignore the idiocy that is GDPR.  The US has enough idiocy at the moment and I am not going to trouble myself with craziness from across the pond.

Quote
Then you'll need to be prepared to ban and maybe also delete any member of your personal forum who lives in the EU, otherwise you'll fall foul of the GDPR

Quote
If half the world ignores the GDPR... how do they go about trying to enforce it for so many people? They take down the internet? You're going to build sites around being afraid of all the silly laws over the place?

The country I live in has much of that. Technically, some retarded laws are broken by most of the population, so there's little they can do about it. And no one really cares because they are just stupid and there's enough bureaucracy as it is.

SMF as a software may need to address it, but I'm also personally giving it the finger ;)

Quote
Just been doing my own research about GDPR. No doubt SMF will need to be compliant. All I can say is thank god for Brexit in the U.K. I am so glad U.K will be out of the E.U and along with it, E.U'S B.S rules and regs on the internet. Can't wait to remove cookie consent and this law when we leave the E.U.  :laugh:

I just did a quick Google search and found this:

https://www.gdprandbeyond.com/blog-post/data-privacy/gdpr-affect-non-european-companies/

Quote
The EU General Data Protection Regulation (GDPR) will come into place in less than one year’s time. The regulation, which replaces the 1995 Data Protection Directive, makes changes to the way data is handled and processed in the EU. It includes fines of up to the greater of €20 Million or 4 percent of corporate annual turnover for firms that do not comply.

The GDPR covers companies operating within the EU. But there are questions about firms residing outside the bloc: For example, what exactly does the regulation mean for businesses based in the US? And will the UK need to adhere to GDPR after Brexit?

The short answer is: the regulation will affect firms both inside and outside of the EU. In fact, any company dealing with EU businesses’, residents’, or citizens’ data will have to comply with the GDPR.

The guidance makes clear that all organisations handling such data will be required to comply, regardless of jurisdiction, says Jamal Elmellas, chief technology officer at Auriga Consulting.

(there's more to the article, I've just quoted only the 1st 4 paragraphs of it)

Offline The QE2 Story Forum

  • Charter Member
  • Jr. Member
  • *
  • Posts: 142
    • The QE2 Story
Re: SMF & GDPR Personally Identifiable Information
« Reply #16 on: April 25, 2018, 03:27:55 PM »
Quote
Just been doing my own research about GDPR. No doubt SMF will need to be compliant. All I can say is thank god for Brexit in the U.K. I am so glad U.K will be out of the E.U and along with it, E.U'S B.S rules and regs on the internet. Can't wait to remove cookie consent and this law when we leave the E.U.  :laugh:

But they've already said GDPR will apply to us even after Brexit (we're adopting it, it was in the Queen's Speech) and also you have to do it if ANY of your members are EU citizens.

Offline Wellwisher

  • Jr. Member
  • **
  • Posts: 385
  • Gender: Male
Re: SMF & GDPR Personally Identifiable Information
« Reply #17 on: April 25, 2018, 04:02:18 PM »
Quote
But they've already said GDPR will apply to us even after Brexit (we're adopting it, it was in the Queen's Speech) and also you have to do it if ANY of your members are EU citizens.

Yes you're right this defo bites...

Quote
The short answer is: the regulation will affect firms both inside and outside of the EU. In fact, any company dealing with EU businesses’, residents’, or citizens’ data will have to comply with the GDPR.
Source: https://www.gdprandbeyond.com/blog-post/data-privacy/gdpr-affect-non-european-companies/

Offline Gwenwyfar

  • Customizer
  • Sophist Member
  • *
  • Posts: 1,047
  • Gender: Female
    • Gwenwyfar on GitHub
Re: SMF & GDPR Personally Identifiable Information
« Reply #18 on: April 25, 2018, 05:34:54 PM »
I know, what I just said had that in mind ;)

Online Bigguy

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 12,510
  • Gender: Male
  • Be nice, or else....
    • smfbigguy on GitHub
    • Whats Ur Beef
Re: SMF & GDPR Personally Identifiable Information
« Reply #19 on: April 25, 2018, 07:20:28 PM »
Just a silly question but my site is not a business. From the link two posts up it says:

Quote
For example, what exactly does the regulation mean for businesses based in the US?

If your site is NOT a business do you still have to comply? I would think so after it says:

Quote
In fact, any company dealing with EU businesses’, residents’, or citizens’ data will have to comply with the GDPR.

But that still refers to companies....what about the wee tiny small forum owner not doing business with anyone, just sittin around chattin.