Are you ready for the General Data Protection Regulation?

glasgowcyclist · 26 Apr 2018

Resurrecting this to ask a question for a colleague who runs a small language forum. It is not engaged in any economic activity, carries no advertising, and is just a quiet corner of the web where people come for general linguistic chit-chat. Members are from around the globe and although they register with usernames and email addresses, these are not necessarily capable of identifying any member (most use pseudonyms).

Is his forum bound to comply with the GDPR?
What would it have to do?

Dan B · 26 Apr 2018

On which basis I would assume that email addresses are in scope, and quite likely so are IP addresses if you collect those[*]

[*] sure, there are cases where they can't be used to identify an individual, but there are lots of other cases where they can

glasgowcyclist · 26 Apr 2018

User said:
Where is it based?

As in, where is the server it's hosted on? I don't know and I thought that didn't matter so long as it was providing a service to and holding personal data of EU residents. I'll try to find out though, I suspect it's in the UK.

slowmotion · 26 Apr 2018

Has HMG actually got the resources to police this? What usually happens is that the authorities go after large organisations and leave tiny businesses thankfully unmolested.

glasgowcyclist · 26 Apr 2018

Dan B said:
On which basis I would assume that email addresses are in scope, and quite likely so are IP addresses if you collect those[*]

[*] sure, there are cases where they can't be used to identify an individual, but there are lots of other cases where they can

I agree, email addresses and IP addresses are personal data but my reading of it is that if the site is not engaged in economic activity then the GDPR doesn't apply.

ColinJ · 26 Apr 2018

Presumably then, a forum flouncer could demand that all of his/her posts be removed? If so, then it would make sense to also require removal of any quotes of those posts. It would be an absolute nightmare to do and what was left of those threads could be a ridiculous, nonsensical mess!

Jimidh · 26 Apr 2018

I’ve just spent the day working through this for my business , small chain of community pharmacies, and I think a long bike ride this evening is required to clear my head.

To be fair be fair we actually comply with most of it anyhow but just some more work to be done regarding recording and formalising what we already do and and some more staff training required. Luckily most of the stuff we need is provided by Community Pharmacy Scotland and the NPA so we don’t have to reinvent the wheel.

srw · 26 Apr 2018

https://ico.org.uk/for-organisations/resources-and-support/getting-ready-for-the-gdpr-resources/

First port of call for anyone with questions.

slowmotion said:
Has HMG actually got the resources to police this? What usually happens is that the authorities go after large organisations and leave tiny businesses thankfully unmolested.

If you're doing something glaringly illegal and someone reports you I don't suppose you'll get a pass just because you're a small organisation. If you doubt that the ICO will bother with small organisations, I suggest you look at their list of enforcement actions, where there's a mix of large and small organisations, companies, public sector and individuals: https://ico.org.uk/action-weve-taken/enforcement/

bruce1530 · 26 Apr 2018

User said:
Yes - and the functionality exists in the forum software to delete those posts and, if need be, indicate that a pot has been deleted. It happens elsewhere quite often.

I’ve heard opinions both ways on this, and not sure which is right.

GDPR applies to personal data. So things like name, IP address etc are all covered.

but it’s not a copyright regulation. It’s only about personally identifiable data, not the general content.

So there’s one school of thought that says if someone “flounces out”, the forum operators only need to remove their account details, and reassign their posts to an anonymous “former member”. That means there’s generally no personal data, so GDPR rules do not apply.

But as I said,that’s just one school of thought.

bruce1530 · 26 Apr 2018

slowmotion said:
Has HMG actually got the resources to police this? What usually happens is that the authorities go after large organisations and leave tiny businesses thankfully unmolested.

It would not necessarily be just HMG policing it. The ICO is the only organisation that can apply the penalties, but even under the current regulations, there are a substantial number of cases where Person X accuses Organisation Y of breaching their rights under the DPA, claims that it has caused them stress and/or loss, and claims damages in the civil courts.

bruce1530 · 26 Apr 2018

[QUOTE 5225890, member: 45"]The issue with that is that if a member is a member for long enough it's possibly fairly easy to identify them from a good read of their posts. A comment here and a comment there and before long you might be able to find out, for example, where they live and work.[/QUOTE]

Perhaps. Until there’s a test case I doubt we’ll know for sure.

Dan B · 27 Apr 2018

For the record I'm super-ready for GDPR. Judging by the number of emails I've had in the last couple of months saying "please please please we beg you, opt in to our mailing list so we can carry on spamming you with special offers you dont want because you once bought something from us eight years ago" it shoudl result in significantly less spam.

And after May 26th any more spam from online shops or recruitment consultants will be replied to with a DSAR

david k · 29 Apr 2018

ColinJ said:
Presumably then, a forum flouncer could demand that all of his/her posts be removed? If so, then it would make sense to also require removal of any quotes of those posts. It would be an absolute nightmare to do and what was left of those threads could be a ridiculous, nonsensical mess!

To be fair many of our threads are already nonsensical, so this may improve them ^_^

david k · 29 Apr 2018

We hold many emails, consent is assumed when leaving them, this is something I suspect we need to address along with the length of time they are kept
I have noticed email addresses that pop up when you start typing disappear if not used for sometime, wonder if this has anything to do with it?

slowmotion · 29 Apr 2018

srw said:
https://ico.org.uk/for-organisations/resources-and-support/getting-ready-for-the-gdpr-resources/

First port of call for anyone with questions.

If you're doing something glaringly illegal and someone reports you I don't suppose you'll get a pass just because you're a small organisation. If you doubt that the ICO will bother with small organisations, I suggest you look at their list of enforcement actions, where there's a mix of large and small organisations, companies, public sector and individuals: https://ico.org.uk/action-weve-taken/enforcement/

I could have sworn I spotted a Data Protection detector van today. Weeks of insomnia will follow.

Are you ready for the General Data Protection Regulation?

glasgowcyclist

Charming but somewhat feckless

Dan B

Disengaged member

glasgowcyclist

Charming but somewhat feckless

slowmotion

Quite dreadful

glasgowcyclist

Charming but somewhat feckless

ColinJ

Puzzle game procrastinator!

Jimidh

Veteran

srw

It's a bit more complicated than that...

bruce1530

Guru

bruce1530

Guru

bruce1530

Guru

Dan B

Disengaged member

david k

Hi

david k

Hi

slowmotion

Quite dreadful

Similar threads