Topic: SMF & GDPR Personally Identifiable Information

[Aleksi "Lex" Kilpinen]

I base my answer only on a gut feeling over the fact that you either have to have a legal interest to protect by keeping the members data, or you have to have their permission to keep their data. For members that have been away for say more than a few months, have not given clear consent, and are not currently doing business with you, you basically lack both.

Sucks, but that's how I would see it.

[Arantor]

That’s a pretty good interpretation.

You have no automatic right to any data, and you either need a legal right (performing a service counts, as would performing legal duties or criminal investigation) or the user consenting.

Without clear proof of consent, it’s tough but I think you’d be safe doing one round of emails to long dormant accounts with “we haven’t heard from you, and so under GDPR we are going to clear out the data we have on you after a 30 day period”

Those who care can then reconsent, those who don’t, you’ve done your due diligence.

This at least would be above board under the ICO guidance. YMMV for other EU territories.

[Si6776]

Good job guys, I'm looking forward to the GDPR features in 2.0.16.  Something I'm wondering about though, when members are required to accept the privacy policy... what should be done with inactive members who don't respond?  Should they be given something like 30 days to respond and then their accounts are deleted by default?  Or should we just do nothing knowing they will be asked for consent should they ever log in again?

On a purely speculative note, I would see inactive members that have not logged in over a prolonged period as unnecessary data, and without clear acceptance they should probably be removed.

On the other hand, it could be argued that removing large chunks of members, particularly those that have participated in threads, would be detrimental to the site, and therefore, it wouldn't be unreasonable to keep that data.  Members that have registered but never posted, however, are fair game for removal, in my opinion. 

[Arantor]

You don’t have to delete posts unless they contain personal data, only the accounts.

[Aleksi "Lex" Kilpinen]

For some sites that might work too, but I would not be willing to bet that would hold in general. You would have to have some real reason to keep the personal data, not meaning user provided content which is another thing really, but the actual user info.

[Rikacha]

I apologize for bumping this topic but am wondering if a forum owner does not comply with the new GDPR regulations and installs some type of tool which allows for the right to be forgotten and other GDPR regulations, can I contact SMF support to have my content deleted from the site or how should I proceed? I have managed to accumulate thousands of posts on a particular forum and I am confident that some of them do contain identifying information, but despite using the search function for keywords there are still posts in sections I do not have access too and, the risk that I have overlooked something which worries me.

[vbgamer45]

SMF does not have any control over other forum owner or their content.. You would have to contact them.