GDPR Compliance
-
Is your plug-in compliant to GDPR?
-
There is a whole wordpress group looking at GDPR compliance.
In all honesty I don’t think anyone knows what ‘compliance’ means – even the regulators in my country (UK) cannot explain it in any terms that mean anything useful. The rest of this response is just my view from a lot of reading AND NOT ANY OFFICIAL BBPRESS OR OTHER VIEW!
In general terms, your as data controller and/or data processor need to explain what personal data you hold, why, and what processes it goes through, and whether it is passed to anyone else and for what purpose, and obtain their positive consent to your holding and processing that data.
So you might on signup want to say that you gather username, firstname, lastname and email in order that you can open a user account, let the user login, be able to identify the user and communicate with them. Usernames, first and last names will be published on the site and in forum profiles, topics and replies, but email addresses will only be visible to administrators of the site. None of this information is shared with other parties, or used for any other purposes.
However I have been sent some sites guesses at a GDPR statement that run to several pages.
But most of that is wordpress related (eg what info you captured as part of registration), rather than an issue of bbpress. You may want to think about letting user a see user b’s profile, so may want to alert users to what profile information is shown, as per my attempt above.
The real bbpress issue relates to the right to be forgotten – and I have frankly given up trying to understand that. So if user x publishes lots of posts, and then asks for all their ‘personal data’ to be deleted – is stuff that they published as topics and replies for all the other users to see counted as ‘personal’, and is stuff that others posted about them ‘personal’. Given that facebook lets you close an account, but doesn’t delete comments you have made, I suspect that this is information that you have put in the public domain, rather than personal data, but I am not a lawyer ! I’d also suspect that since the papers frequently mention celebrity gaffs where they have say tweeted and then deleted some stupid comment, that again that is not personal data.
The only thing that GDPR will do is keep lawyers and consultants busy.
This is what i have found out taking the whole of GDPR into account.
The biggest issue actually is logging IP addresses. (sensitive data)
IP address is data which you can use to find out a persons location (in collaboration with ISP).
But since this is a forum, comments itself are not personal data, but IP addresses are.
In Terms and conditions it should be clear that IP addresses are collected, they are visible to the persons with the following rights.
If a person requests removal of IP addresses related to them, then you should not do that right away. It needs to be clear what is the time legally when somebody can file a complaint legally against a comment.
Then you as a service providor need to keep that data available and not delete them right away due to legal regulations.
The same thing comes into play if a person requests to delete their account.
The only thing that I found has to go away 100% is IP-logging.
It is no longer legal to display IPs publicly like bbPress currently does.On my site it was pretty simple to do using this:
add_filter( 'bbp_current_author_ip', function() { return '127.0.0.1'; } );
- You must be logged in to reply to this topic.
