GDPR - new European Privacy law

[donjuan]

Hello,

I am wondering (and really hoping) that IPB wants to make some changes here and there needed for any forum, to comply with the GDPR law which is going to be active on the 25th of May 2018.

If IPB doesn't make a few of the needed changes then they will lose all of their EU customers and alot of non EU customers as well because even non EU forums would have to follow these rules if they aim in the EU market, and the fines are insanely high. So this really is something highly needed.

More information about the changes can be read in this article: https://litmus.com/blog/gdpr-what-europes-new-privacy-law-means-for-email-marketers

[Mack_au]

I don't see what this has to do with Invision per se.

A forum can't send out emails to anyone who hasn't signed up to the site. A forum admin can already require a user to validate their own email via a return email.

A forum admin can already set privacy guidelines. You can even require existing users to prompt members on their next log-in to accept new policies.

These things should enable a European based user to fulfil whatever of these crazy rules they think they need to do.

Is there anything specific you think Invision itself needs to do?

[opentype]

21 minutes ago, Mack_au said:

Is there anything specific you think Invision itself needs to do?

For example: I would have to drop my entire list of admin newsletter subscribers and ask every user again to subscribe with a clear description of what kind of information they will receive and how their data is used. The subscriptions based on the pre-selected subscribe checkbox would all be invalid and then …

Quote

Non-compliance with GDPR can lead to fines of up to €20 Million or 4% of a brand’s total global annual turnover (whichever is higher).

And even if I would start from scratch, I would need to have a way to prove in hindsight, that the user has actually subscribed willingly, e.g. with some kind of timestamp with IP addresses or whatever. 

[donjuan]

2 hours ago, Mack_au said:

I don't see what this has to do with Invision per se.

A forum can't send out emails to anyone who hasn't signed up to the site. A forum admin can already require a user to validate their own email via a return email.

A forum admin can already set privacy guidelines. You can even require existing users to prompt members on their next log-in to accept new policies.

These things should enable a European based user to fulfil whatever of these crazy rules they think they need to do.

Is there anything specific you think Invision itself needs to do?

What @opentype says, plus the fact that this rule isn't for mailing only. It's also for registration and general website usage. Also, a person could make a request to get a datasheet of him/her self, on which you have to give them a document with ALL of the information you have of them. If you miss something on it and you get a check, the same fine as above mentioned will happen to you. 

And the IPB database is huge, I don't know what kind of information is being saved at the moment. But apart of that, plenty of 'fixes' are needed.

[ptprog]

Among other things, IPS should  provide some options to protect/encrypt personal data such as email and IP address (although I think it is not technically possible to provide any real protection for emails when both web server and MySQL are collocated), or even disable their collection (at least IP address I believe are just collected for logging purposes, so it should be ok to stop collecting them).  For IP addresses, anonymization should be another option.

Also, I'm not sure about what data IPS stores when using external login methods, but there may exist some personal data here too.

 

Regarding cookies, I think GPDR requires websites to respect Do Not Track headers, and requires affirmative user action for things like accepting cookies.  So, IPS should not set any cookie util it has user consent, and it should provide an opt-out mechanism.

As far as I know, using embedded content also means the user may get cookies from external sites.  So, we may need more control on the embeds we allow, to make sure we don't add more cookies, and to be able to rebuild posts removing external embedded content.

[rllmukforum]

I'm glad this topic has resurfaced, I asked a few weeks back to no response. I'd be surprised if Invision has nothing to do here, given

Quote

The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents.

Given we all have a vested interest in adhering to laws and protecting our users' rights, I'd really like to participate with others here in trying to establish the remit of forum owners/admin, so we can provide clear expectations of their rights, but also to feed suggestions to Invision to enable us to enforce them.