Reputation Activity

  1. Thanks
    JamesIG reacted to Matt for a blog entry, Your GDPR questions answered   
    You've no doubt heard about GDPR by now. It's a very hot topic in many circles. Lots of experts are weighing in on the best approach to take before the May 25th deadline.
    Which reminds me of my favorite joke:
    "Do you know a great GDPR expert?"
    Yes, I do!
    "Could you send me his email address?"
    No, I'm afraid not.
    I wrote about how Invision Community can help with your GDPR compliance back in December. I've seen a lot of posts and topics on GDPR in our community since then.
    First, let's get the disclaimer out of the way. I'm a humble programmer and not a GDPR expert or a lawyer. The information here is presented to assist you in making decisions. As always, we recommend you do your own research and if you're in any doubt, book an appointment with a lawyer.
    It is also worth mentioning that GDPR is very much a living document with phrases like "legitimate interest" and "reasonable measures". None of these phrases have any real legal definition and are open to interpretation. Some have interpreted them severely, and others more liberally.
    GDPR is about being a good steward of the data you store on a user. It's not designed to stop you from operating an engaging web site. There's no need to create stress about users linking to other sites, embedding images, anonymizing IP addresses, and such on your site. These don't impact any data you are storing and are part of the normal operation of how the web works. Be responsible and respectful of your users' data but keep enjoying your community.
    Let's have a quick recap on the points we raised in our original blog entry.
    Individual Rights
    The right to be informed
    Invision Community has a built in privacy policy system that is presented to a new user, and existing users when it has been updated.

    What should your privacy policy contain? I personally like the look of SEQ Legal's framework which is available for free.
    This policy covers the important points such as which cookies are collected, how personal information is used and so on.
    There may be other services out there offering similar templates.
    Right to erasure
    I personally feel that everyone should listen to "A Little Respect" as it's not only a cracking tune, but also carries a wonderful message.
    The GDPR document, however, relates to the individual's right to be forgotten.
    Invision Community allows you to delete members. When deleting members, you can elect to remove their content too. There is an option to keep it as Guest content, thus removing the author as identifiable.
    It's worth using the 'keep' option after researching the user's posts to make sure they haven't posted personal information such as where they live, etc.
    Emailing and Consent
    Invision Community has the correct opt-in for bulk emails on registration that is not pre-checked. If the user checks this option, this is recorded with the member's history. Likewise, if they retract this permission, that action is also recorded.

    When you edit the terms and conditions or privacy policy, all users are required to read it again and opt-in again.
    A lot of GDPR anxiety seems to revolve around these tiny little text files your browser stores. If you read the GDPR document (and who doesn't love a little light reading) then you'll see that very little has actually changed with cookies. It extends current data protection guidance a little to ensure that you are transparent about which cookies you store.
    Invision Community has tools to create a floating cookie opt-in bar, and also a page showing which cookies are stored and why.
    This is the page that you'd edit to add any cookies your installation sets (if you have enabled Facebook's Pixel, or Google Analytics for example).
    Your GDPR Questions
    Now let's look at some questions that have been asked on our community and I'll do my best to provide some guidance that should help you make decisions on how to configure your Invision Community to suit your needs.

    Is the soft opt-in cookie policy enough? What about the IP address stored in the session cookie?
    Great question. There's conflicting advice out there about this. The GDPR document states:
    The ICO states that session cookies stored for that session only (so they are deleted when the tab / window is closed) are OK as long as they are not used to profile users.
    This is reinforced by EUROPA:

    My feeling is that GDPR isn't really out to stop you creating a functioning website, they are more interested in how you store and use this information.
    Thus, I feel that storing a session cookie with an IP address is OK. The user is told what is being stored and instructions are given if they want to delete them.
    Given the internet is very much driven by IP addresses, I fail to see how you can not collect an IP address in some form or another. They are collected in access logs deep in the server OS.
    Finally, there is a strong legitimate interest in creating a session cookie. It's part and parcel of the website's function and the cookie is not used in any 'bad' way. It just allows guests and members to retain preferences and update "last seen" times to help deliver content.
    Do I need to delete all the posts by a member if they ask me to?
    We have many large clients in the EU with really impressive and expensive legal teams and they are all unanimous in telling us that there is no requirement to delete content when deleting a user's personal information. The analogy often given is with email: once someone sends you an email you are not obligated to delete that. The same is true with content posted by a user: once they post that content it's no longer "owned" by them and is now out in public.

    Ultimately, the decision is yours but do not feel that you have to delete their content. This is not a GDPR requirement.
    What about members who haven't validated? They're technically not members but we're still holding their data!
    No problem. The system does delete un-validated users and incomplete users automatically for you. You can even set the time delay for deletion in the ACP.

    What about RECAPTCHA? I use this, and it technically collects some data!
    Just add that you use this service to your privacy policy, like so:
    I see many companies emailing out asking for members to opt back in for bulk mail, do I need to do this?
    Short answer: No.
    Since Invision Community 4.0, you can only ever bulk email users that have opted in for bulk emails. There's no way around it, so there's nothing to ask them to opt-in for. They've already done it.
    There is a tiny wrinkle in that pre 4.2.7, the opt-in was pre-checked as was the norm for most websites. Moving forward, GDPR asks for explicit consent, so this checkbox cannot be pre-ticked (and isn't in Invision Community 4.2.7 and later). However, the ICO is clear that if the email list has a legitimate interest, and was obtained with soft opt-in, then you don't need to ask again for permission.
    What about notifications? They send emails!
    Yes they do, but that's OK.
    A notification is only ever sent after a user chooses to follow an item. This falls under legitimate interest.
    There is also a clear way to stop receiving emails. The user can opt-in and opt-out of email as a notification device at their leisure.

    Do I need to stop blocking embeds and external images?
    No. The internet is based on cross-linking of things and sharing information. At a very fundamental level, it's going to be incredibly hard to prevent it from happening. Removing these engaging and enriching tools is only going to make your community suffer.

    There's no harm in adding a few lines in your privacy policy explaining that the site may feature videos from Vimeo and YouTube as part of user contributions but you do not need to be worried. As stated earlier, GDPR isn't about sucking the fun out of the internet, it's about being responsible and transparent.
    Hopefully you've got a better understanding about how Invision Community can assist your GDPR compliance efforts.
    The best bit of advice is to not panic. If you have any questions, we'd love to hear them. Drop us a line below.
  2. Like
    JamesIG reacted to Charles for a blog entry, Invision Community 4.3   
    We are happy to announce the new Invision Community 4.3 is available!
    Some highlights in Invision Community 4.3 include...
    Improved Search
    We now support Elasticsearch for scalable and accurate searching that MySQL alone cannot provide. There are also enhancements to the overall search interfaces based on your feedback.

    Express yourself with native emoji support in all editors. You can also keep your custom emoticons as you have now.

    Member Management
    The AdminCP interface to manage your members is all new allowing you easier control and management of your membership.

    Automatic Community Moderation
    You as the administrator set up rules to define how many unique member reports a piece of content needs to receive before it's automatically hidden from view and moderators notified.

    The new Clubs feature has been a huge hit with Invision Community users and we are expanding it to include invite-only options, notifications, exposure on the main community pages, paid memberships, and more.
    Custom Email Footers
    Your community generates a lot of email and you can now include dynamic content in the footer to help drive engagement and content discovery. 
    New Gallery Interface
    We have reworked our Gallery system with a simplified upload process and more streamlined image viewing.
    The full list follows. Enjoy!
    Content Discovery
    • We now support Elasticsearch which is a search utility that allows for much faster and more reliable searching.
    • The REST API now supports search functions.
    • Both MySQL and Elasticsearch have new settings for the admin to use to set search-defaults and default content weighting to better customize search logic to your community.
    • Visitors can now search for Content Pages and Commerce Products.
    • When entering a search term, members now see a more clear interface so they know what areas they are searching in and the method of search.
    Member Engagement
    • Commerce can now send a customizable account welcome email after checkout.
    • You can whitelist emails in the spam service to stop false-positives.
    • REST API has many enhancements to manage members.
    • Ability to join any OAuth service for login management.
    • Invision Community can now be an OAuth endpoint.
    • Wordpress OAuth login method built in.
    • Support for Google's Invisible ReCaptcha.
    • Groups can be excluded from Leaderboard (such as admins or bot groups).
    • All emails generated by Invision Community can now contain admin-defined extra promotional text in the footer such as Our Picks, and Social Links.
    • Admins can now define the order of Complete Your Profile to better control user experience.
    Clubs
    • Option to make a Club visible but invite-only.
    • Admins can set an option so any Club a member is part of will also show in the parent application. So if you are in a Club that has a Gallery tab then those images will show both in the Club and in the main Gallery section of the community.
    • Club members can now follow an entire Club rather than just each content section.
    • There is a new option on the Club directory page for a list view which is useful for communities with many Clubs.
    • If you have Commerce you can now enable paid memberships to Clubs.
    • Admins can set limits on number of Clubs per group.
    • If a group has delete permission in their Club, they can now delete empty containers as well.
    • Members can ignore invitations.
    Moderation and Administration
    • Unrestricted moderator or administrator permission sets in the AdminCP are visually flagged. This prevents administrator confusion when they cannot do something as they will be able to quickly see if their account has restrictions.
    • You can choose to be notified when a new Club is created.
    • Moderators can now reply to any content item with a hidden reply.
    • Download screenshot/watermarks can now be rebuilt if you change settings.
    • Support for Facebook Pixel to easily track visitors.
    • Moderators can now delete Gallery albums.
    • Automatic moderation tools with rules to define when content should auto-hide based on user reports.
    • Totally new member management view in AdminCP.
    • More areas are mass-selectable like comments and AdminCP functions for easier management.
    New Features
    • Commerce now has full Stripe support including fraud tools, Apple Pay, and other Stripe features.
    • Commerce packages can now have various custom email events configured (expiring soon, purchased, expired).
    • Full Emoji support in the editor.
    • Complete overhaul of the Gallery upload and image views.
    • Announcements system overhaul. Now global on all pages (not via widget) and new modes including dismissible announcements and top-header floating bar option.
    • Many new reports on traffic and engagement in the AdminCP.
    • Blog has new view modes to offer options for a traditional site blog or a community multi-member blog platform.
    • The content-starter can now leave one reply to Reviews on their item.
    • Commerce now makes it much easier to do basic account-subscriptions when there is no product attached.
    Useful Improvements
    • Forums has a new widget where you can filter by tags.
    • If tags are not required, the tag input box now indicates this so the member knows they do not have to put in tags.
    • Member cover photos can now be clicked to see the full image.
    • Any item with a poll now has a symbol on the list view.
    • Twitch.tv embed support.
    • You can now update/overwrite media in the Pages Media Manager.
    • Mapbox as an additional map provider to Google Maps.
    Technical Changes
    • Direct support for Sparkpost has been removed. Anyone currently using Sparkpost will automatically have their settings converted to the Sparkpost SMTP mode so your email will still work.
    • Your cache engines (like Redis) will be checked on upgrade and in the support tool to ensure they are reachable.
    • Third-party applications will now be visually labeled to distinguish them from Invision Community official applications.
    • The queued tasks list in the AdminCP is now collapsed by default as queued tasks are not something people need to pay much attention to during normal operations.
    • When upgrading from version 3 series you must convert your database to UTF8 and the system saves your original data in tables prefixed with orig. The AdminCP now alerts you these are still present and allows you to remove them to reclaim storage space.
    • On new installs there are now reasonable defaults for upload limits to keep people from eating up storage space.
    • Categories in all apps (forums, gallery albums, databases, etc.) no longer allow HTML in their titles. This has been a concern both in terms of security and usability so we were forced to restrict it.
    • Large improvements to the Redis cache engine including use for sessions.
    • The login with HTTPS option has been removed and those who were using it will be given instructions to convert their entire community to HTTPS.
    • Images loaded through the proxy system now honor image limits for normal uploads.
    • We now consider BBCode deprecated. We are not removing support but will not fix any future issues that may come up.
    There's a lot to talk about here so we are going to lock this entry to comments so things do not get confusing. Feel free to comment on upcoming feature-specific entries or start a topic in our Feedback forum.
  3. Like
    JamesIG reacted to Ryan Ashbrook for a blog entry, New: Complete Your Profile   
    Completing long and complex forms online is tedious. It can be off-putting having to fill in a lot of information before you can join a site or service. You may find that potential members never bother to convert from a visitor.
    How to convert guests into regular members is an often asked question. The simple answer is to lower the barrier to entry. Invision Community 4 already allows you to register with Facebook, Twitter, and other networks with ease.
    "Complete My Profile" is a system that will lower the barrier of conversion. Guests only have to complete a very basic form to gain membership. Members are then asked to complete any custom profile fields you require.
    You can also set up steps that group items together to encourage existing members to add more information to their public profile.
    Members with a complete profile and user photo provide others with much more engagement and personality.
    If we look at registering first. Clicking "Sign Up" will only show a simple modal form with as few fields as possible.

    If you have required steps, and after any member validation flow, the complete your profile wizard is shown.

    This enforces required fields and the member cannot skip them or view other pages until completed.
    Of course, you may have steps that are not set to required. These are available too, but are skippable. Members can complete skipped steps later.

    A dismissible progress bar shows to members that have uncompleted steps. Once dismissed, it no longer displays in the header of the site.

    This same progress bar is always shown in the members' settings overview panel, in the user control panel. This will prompt members with incomplete steps.

    If you set up a new required step, members have to complete the step before being able to browse again. This will ensure that all regular members have completed profiles.
    Admin Control Panel
    You will create new steps in the Admin Control Panel. Each step can contain multiple elements of a single group. This step can be set to required to enforce completion or suggested to allow it to be skipped.

    The basic profile group contains things like user photo, birthday and cover photo. Choose any of these for this step.

    The custom profile field group contains any fields you have set up already.

    You can switch off this system if you feel it does not fit your needs. When disabled, you get the normal registration form.

    Reducing the complexity of membership can only help convert more guests into contributing members. Enforcing required steps ensures that you capture data across your membership.
    We hope you enjoy this feature and you see an increase in guest conversion with Invision Community 4.2.