New GDPR (General Data Protection Regulation) and phpBB

[david63]

Could someone point me towards a plain-English site that tells me in a few minutes if I need to do anything for this seemingly over-bureaucratic EU nonsense regulation that appears to be aimed at businesses?

When we find one we will - some of us have been looking for such information for weeks. Sorry it is not the answer that you want, but is probably about the best you will get!

[AmigoJack]

a plain-English site that tells me in a few minutes

This can be associated with any topic/issue that comes to your mind. However, when things are complex you can't cheat out. And I suppose you don't want to hear "don't use GA, don't use Ads, don't run a BBS".

[HiFiKabin]

Could someone point me towards a plain-English site that tells me in a few minutes if I need to do anything for this seemingly over-bureaucratic EU nonsense regulation that appears to be aimed at businesses?

When we find one we will - some of us have been looking for such information for weeks. Sorry it is not the answer that you want, but is probably about the best you will get!

Strike weeks and replace that with months. I asked the ICO that very same direct question last year and did not receive a direct answer (just a link to all their docs)

[Acorn]

Yes, the ICO are very good at doing that. No simple answers, just the suggestion that you go and read their documents - the main documentation for the GDPR is 153 pages, and there are many links to other documents in it. The GDPR itself is 68 pages long.

Oh, and they have updated their documentation 14 times since the beginning of last year, so don't rely on what you read 2 months ago.

You could almost believe that they either don't understand it themselves, or are scared of interpreting it in case they get it wrong.

What chance do we stand? All we can do is try hard to abide by the principles and believe that if we can demonstrate that we have tried, we will at least be treated leniently if we fail.

[HiFiKabin]

As I have said elsewhere, the ICO's boss was on the TV the other morning and I caught the end of it . She was pretty useless. No real answer to anything "Yes I use Faceache but have my Privacy Settings tightly set" sort of content. OK, its only morning telly but you expect the content to be slightly useful (well, not really but one lives in hope)

[andrewilley]

However, when things are complex you can't cheat out. And I suppose you don't want to hear "don't use GA, don't use Ads, don't run a BBS".

However those sort of things are all absolutely standard on anything from a tiny home-built website like mine with a few thousand visitors a week to a multi-national corporation. Basically pretty-much the whole internet in fact.

It would be madness to say that everyone needs legal advice, or to understand hundreds of pages of meaningless Euro-babble, just to run a piddling little website - but no doubt that's what the faceless Eurocrats want everyone to do, as they have no understanding of the real world, nor do they care.

Andre

[Mick]

Maybe we should lobby our local MP's and get them to have this thing squashed on May 26th?

[david63]

Maybe we should lobby our local MP's and get them to have this thing squashed on May 26th?

We could have a referendum

[canonknipser]

We could have a referendum

Be sure everybody in the UK knows what he/she has to vote for this time

[tojag]

Do not you understand that personal data has been treated as the most valuable good? Therefore, they want the accountability of these data just like with the money you have. Do you work in a factory, do you have a small business or you have sold something? You have to pay tax. Can you say "I will not pay tax because I do not know the law"? You can not! You can take a lawyer or advisor but you have to pay! Can you say "let's do a referendum! We will not pay!" You can not! They arrest you for hate speech or for something else. There is no chance of winning.
At the moment we should not wonder how to avoid it but how to do it in the simplest way.

[GanstaZ]

If you don't sell data, have the correct points on your privacy page, security is as high as possible and you are responsible owner (only owner should have access to data, when it's needed) then over 80% is covered. There's no right to be 100% forgotten, at least 20% will remain & it can not be a problem. Only thing that may be little problematic is account delete option & export data to some file, so one may move out, but it can be solved.

[AmigoJack]

those sort of things are all absolutely standard on anything from a tiny home-built website

Third party analytics? Before 2000 sure, but afterwards it was easy to do/host that yourself. Ads? Everybody does this voluntarily and it's also your choice, not your need. You should have killed both things decades ago - just because those are comfortable to you it doesn't mean they become okay automatically. Even phpbb.com is using Google Analytics which never was, is, and will be okay.

[tojag]

I run a very small phpBB forum at [removed link], with probably just a few posts a week for users to ask questions that aren't covered by the rest of the information on the site, and to post comments. It is a non-commercial site and has no e-commerce or other data gathering tools. I do use Google Analytics for usage reports, Google Ads to try to cover the server running costs/etc, and AddThis for social media shares/follows.

The site is not SSL encrypted, although that might be something I'd consider if it can be done without any financial costs and if it doesn't involve complicated procedures or code rewrites.

If You use Googla Analytics, Ads, social media plugins, you relay data to third party.
You have to inform your users about it. The standard phpBB registration rules does not contains info about it but most people keep it without change. This is not good. You should adapt it to your site specify.
You have to add info about cookies too, if you have not.
For SSL You can try to use "Let's encrypt". It is free. Personally, I pay for fixed ip and ssl to my forum but I also use "Let's encrypt" on other sites.
We all have to keep a record of the activities and categories of data processing. The GDPR requires it and there are penalties for not having it.
All of this is no cost.
But that still does not exhaust all the requirements of GDPR about which we wrote in this and other topics.

I think that small websites, forums based on obsolete scripts, some unauthorized extensions, etc. are a bigger source of problems than websites, large, decent companies. I think about data leakage problems. That is why it is very good that these regulations are. What is missing is specifics. But here you can rely on standards and good procedures known for years (eg password rules, access levels, connection encryption). There are often national rules on this subject and compliance can be demonstrated with respect to GDPR.
Personally, it's hard for me to trust a small forum that has just been created, does not use ssl when sign up/logging in, even requires a lot of data, often the name and surname, and the owner does not even introduce himself, there are no rules, no policy, nothing. I always read the rules when I register somewhere. Most people do not read, and then they are surprised that FB knows too much about them. I have 12k users on my forum. I think the majority did not read the rules of the forum, but there are also people who very carefully ask me about it. In recent months, their number has increased, probably due to the FB affair and a lot of information about the upcoming GDPR.

Of course, the small side has little chance of attack from the hackers because there is little data to extract, and the websites of large companies are attacked often. But sometimes it's enough to make a mistake in the script so that, for example, the data is displayed to everyone on the page.
I once had such a case in the online store. I bought something, paid, and accidentally clicked 'back' and the page displayed transaction data of another client that has just ended. Each 'back' click showed the exact details of other transactions. An error in the scripts may be out of date but the leak has occurred. I reported it to them but a dishonest person could in this way extract a lot of data about transactions. Fortunately, it was bookshops and not sexshop

[AmigoJack]

accidentally clicked 'back'

For decades whenever that happens to me or the website itself tells me to not use the browser's navigation buttons I said to myself: one of us did not understand HTTP.


What GDPR essentially wants is easy to grasp: security by design (not by approval, not by promise). Technically this is challenging, but then again most never thought about this throughly and now they're shocked. What GDPR will never be able to give you: a bullitproof HOWTO. If you can't trust the software, don't use it (again: this stems from using computers since forever).

[LaxSlash1993]

Got away from this as I've been busy lately with work.

I did find something out, though. This is how the EU plans on enforcing it in the US:
http://www.uniformlaws.org/ActSummary.a ... tion%20Act

I'm once again torn if I want to believe any of the bs going around, or if I just want to geoblock the EU before the enforcement date, retain all of the data for people to come back if case law eases lawyers minds about it, and then go from there.