Are you ready for the General Data Protection Regulation?

Page may contain affiliate links. Please see terms for details.

glasgowcyclist

Charming but somewhat feckless
Location
Scotland
Resurrecting this to ask a question for a colleague who runs a small language forum. It is not engaged in any economic activity, carries no advertising, and is just a quiet corner of the web where people come for general linguistic chit-chat. Members are from around the globe and although they register with usernames and email addresses, these are not necessarily capable of identifying any member (most use pseudonyms).

Is his forum bound to comply with the GDPR?
What would it have to do?
 

Dan B

Disengaged member
On which basis I would assume that email addresses are in scope, and quite likely so are IP addresses if you collect those[*]

[*] sure, there are cases where they can't be used to identify an individual, but there are lots of other cases where they can
 

glasgowcyclist

Charming but somewhat feckless
Location
Scotland
Where is it based?

As in, where is the server it's hosted on? I don't know and I thought that didn't matter so long as it was providing a service to and holding personal data of EU residents. I'll try to find out though, I suspect it's in the UK.
 

glasgowcyclist

Charming but somewhat feckless
Location
Scotland
On which basis I would assume that email addresses are in scope, and quite likely so are IP addresses if you collect those[*]

[*] sure, there are cases where they can't be used to identify an individual, but there are lots of other cases where they can

I agree, email addresses and IP addresses are personal data but my reading of it is that if the site is not engaged in economic activity then the GDPR doesn't apply.
 

ColinJ

Puzzle game procrastinator!
Presumably then, a forum flouncer could demand that all of his/her posts be removed? If so, then it would make sense to also require removal of any quotes of those posts. It would be an absolute nightmare to do and what was left of those threads could be a ridiculous, nonsensical mess!
 

Jimidh

Veteran
Location
Midlothian
I’ve just spent the day working through this for my business , small chain of community pharmacies, and I think a long bike ride this evening is required to clear my head.

To be fair be fair we actually comply with most of it anyhow but just some more work to be done regarding recording and formalising what we already do and and some more staff training required. Luckily most of the stuff we need is provided by Community Pharmacy Scotland and the NPA so we don’t have to reinvent the wheel.
 

srw

It's a bit more complicated than that...
https://ico.org.uk/for-organisations/resources-and-support/getting-ready-for-the-gdpr-resources/

First port of call for anyone with questions.

Has HMG actually got the resources to police this? What usually happens is that the authorities go after large organisations and leave tiny businesses thankfully unmolested.
If you're doing something glaringly illegal and someone reports you I don't suppose you'll get a pass just because you're a small organisation. If you doubt that the ICO will bother with small organisations, I suggest you look at their list of enforcement actions, where there's a mix of large and small organisations, companies, public sector and individuals: https://ico.org.uk/action-weve-taken/enforcement/
 

bruce1530

Guru
Location
Ayrshire
Yes - and the functionality exists in the forum software to delete those posts and, if need be, indicate that a pot has been deleted. It happens elsewhere quite often.

I’ve heard opinions both ways on this, and not sure which is right.

GDPR applies to personal data. So things like name, IP address etc are all covered.

but it’s not a copyright regulation. It’s only about personally identifiable data, not the general content.

So there’s one school of thought that says if someone “flounces out”, the forum operators only need to remove their account details, and reassign their posts to an anonymous “former member”. That means there’s generally no personal data, so GDPR rules do not apply.

But as I said,that’s just one school of thought.
 

bruce1530

Guru
Location
Ayrshire
Has HMG actually got the resources to police this? What usually happens is that the authorities go after large organisations and leave tiny businesses thankfully unmolested.

It would not necessarily be just HMG policing it. The ICO is the only organisation that can apply the penalties, but even under the current regulations, there are a substantial number of cases where Person X accuses Organisation Y of breaching their rights under the DPA, claims that it has caused them stress and/or loss, and claims damages in the civil courts.
 

bruce1530

Guru
Location
Ayrshire
[QUOTE 5225890, member: 45"]The issue with that is that if a member is a member for long enough it's possibly fairly easy to identify them from a good read of their posts. A comment here and a comment there and before long you might be able to find out, for example, where they live and work.[/QUOTE]

Perhaps. Until there’s a test case I doubt we’ll know for sure.
 

Dan B

Disengaged member
For the record I'm super-ready for GDPR. Judging by the number of emails I've had in the last couple of months saying "please please please we beg you, opt in to our mailing list so we can carry on spamming you with special offers you dont want because you once bought something from us eight years ago" it shoudl result in significantly less spam.

And after May 26th any more spam from online shops or recruitment consultants will be replied to with a DSAR
 

david k

Hi
Location
North West
Presumably then, a forum flouncer could demand that all of his/her posts be removed? If so, then it would make sense to also require removal of any quotes of those posts. It would be an absolute nightmare to do and what was left of those threads could be a ridiculous, nonsensical mess!

To be fair many of our threads are already nonsensical, so this may improve them ^_^
 

david k

Hi
Location
North West
We hold many emails, consent is assumed when leaving them, this is something I suspect we need to address along with the length of time they are kept
I have noticed email addresses that pop up when you start typing disappear if not used for sometime, wonder if this has anything to do with it?
 

slowmotion

Quite dreadful
Location
lost somewhere
https://ico.org.uk/for-organisations/resources-and-support/getting-ready-for-the-gdpr-resources/

First port of call for anyone with questions.


If you're doing something glaringly illegal and someone reports you I don't suppose you'll get a pass just because you're a small organisation. If you doubt that the ICO will bother with small organisations, I suggest you look at their list of enforcement actions, where there's a mix of large and small organisations, companies, public sector and individuals: https://ico.org.uk/action-weve-taken/enforcement/
I could have sworn I spotted a Data Protection detector van today. Weeks of insomnia will follow.
television-detector.jpg
 
Top Bottom