andrewilley wrote: ↑
Thu Apr 12, 2018 8:26 am
I run a very small phpBB forum at [removed link]
, with probably just a few posts a week for users to ask questions that aren't covered by the rest of the information on the site, and to post comments. It is a non-commercial site and has no e-commerce or other data gathering tools. I do use Google Analytics for usage reports, Google Ads to try to cover the server running costs/etc, and AddThis for social media shares/follows.
The site is not SSL encrypted, although that might be something I'd consider if it can be done without any financial costs and if it doesn't involve complicated procedures or code rewrites.
If You use Googla Analytics, Ads, social media plugins, you relay data to third party.
You have to inform your users about it. The standard phpBB registration rules does not contains info about it but most people keep it without change. This is not good. You should adapt it to your site specify.
You have to add info about cookies too, if you have not.
For SSL You can try to use "Let's encrypt". It is free. Personally, I pay for fixed ip and ssl to my forum but I also use "Let's encrypt" on other sites.
We all have to keep a record of the activities and categories of data processing. The GDPR requires it and there are penalties for not having it.
All of this is no cost.
But that still does not exhaust all the requirements of GDPR about which we wrote in this and other topics.
I think that small websites, forums based on obsolete scripts, some unauthorized extensions, etc. are a bigger source of problems than websites, large, decent companies. I think about data leakage problems. That is why it is very good that these regulations are. What is missing is specifics. But here you can rely on standards and good procedures known for years (eg password rules, access levels, connection encryption). There are often national rules on this subject and compliance can be demonstrated with respect to GDPR.
Personally, it's hard for me to trust a small forum that has just been created, does not use ssl when sign up/logging in, even requires a lot of data, often the name and surname, and the owner does not even introduce himself, there are no rules, no policy, nothing. I always read the rules when I register somewhere. Most people do not read, and then they are surprised that FB knows too much about them. I have 12k users on my forum. I think the majority did not read the rules of the forum, but there are also people who very carefully ask me about it. In recent months, their number has increased, probably due to the FB affair and a lot of information about the upcoming GDPR.
Of course, the small side has little chance of attack from the hackers because there is little data to extract, and the websites of large companies are attacked often. But sometimes it's enough to make a mistake in the script so that, for example, the data is displayed to everyone on the page.
I once had such a case in the online store. I bought something, paid, and accidentally clicked 'back' and the page displayed transaction data of another client that has just ended. Each 'back' click showed the exact details of other transactions. An error in the scripts may be out of date but the leak has occurred. I reported it to them but a dishonest person could in this way extract a lot of data about transactions. Fortunately, it was bookshops and not sexshop