WelshPaul wrote: Fri Dec 01, 2017 10:14 pm
All very well and good having the ability to delete an account but what about logs? Surely if someone makes a post on your forum you need to maintain some info such as an IP address? What if someone signs up to my forum and posts child porn pics and then deletes their account? If all their info is deleted where does that leave me as the site admin?
Exactly.
100% of my concern with the GDPR is that it has the potential to become a huge cybersecurity nightmare, and has the potential to turn the EU into Russia 2.0 in terms of the malicious activities that come out of it.
Now, in your case, you'd have the right to retain (a user should *never ever* have the rights to delete their own account - even under the GDPR, idc if the GDPR forces you to allow it. You need to cover yourself in the event of something like this) the data. However, there are some concerns where data archived as far back as multiple years ago can come in handy for both investigating a current situation, as well as for enforcing an administrative decision against a user account.
I think that too many companies and commercial entities are afraid to voice out against the GDPR for fear of being labeled as an enemy to user privacy, despite the fact that things in it like the right to erasure and the right to know what information's retained have, and bring up, some extremely valid cybersecurity concerns. Cybersecurity policies are not a one-size-fits-all solution (which the GDPR makes them out to be), nor should they ever be. Too many people judge at the surface of something. "More privacy and rights always equals good and no bad" is not always the case, and I think that within a few months of the GDPR being fully enforced, this is going to start coming to light. The EU will realize that the regulation is a huge mistake. Now, whether or not they'll actually repeal it is a different story. We'll see.
If I stop a previously known toxic user from re-registering on our forums, because he submitted a right to erasure request that I ignored and I still had their information retained years later which allowed us to detect an attempted re-registration... am I liable to be (attempted to be) fined by the EU for protecting the interests of my community? The whole GDPR is a mess. Marketing companies playing this up as only a good thing is ten times worse than marketing companies watching every single site I go on (barring incognito mode sites, of course), as far as I'm concerned.