Recently another thread on GDPR went south because folks began insisting they were right and I was wrong. In that thread I was simply saying, I don’t think I’m 100% wrong or right just as they likely weren’t 100% right or wrong. I’m not sure why there can’t be compromise and more in-depth research like I’m doing 🔬 on this topic.
Anyway, my quest continues. Hopefully no one comes here just to say I’m wrong without really solid evidence.
Oh, and, why am I still posting about this? 😆 Because I’m genuinely curious. My forum isn’t big now… but maybe one day it will have a lot of members and so I want to be prepared. It’s very hard sorting through fact versus fiction on these laws. I think some people are too quick to be like: you must do this or that. I think that’s more dangerous. Just accepting what you’ve heard versus reading many viewpoints.
My latest idea to find the truth about GDPR is to simply check and see what some popular forums are doing. As far as the right to be forgotten, some popular forums are doing what was discussed above, and in other threads, and what Flarum does by default. Which is, the username, email, and profile are removed, but post content remains without the username listed. XenForo does it like this, and MacRumors does this. They have humongous communities.
Therefore, as far as that part goes, Flarum seems to be compliant out of the box. Or, major forums are doing it wrong. Which I doubt.
The next popular compliance concern involves personal data requests. This I still need to research more, but I know it doesn’t mean downloading someone’s posts. It just means you show them what personal data you have about them. With a default Flarum installation this would just be: username, email, IP address. All very easy to get from Flarum’s admin area, or your database. But what I still want to research is the format. Seems it has to be in a machine-readable format. I read XenForo staff saying they export to .xml format. I’m not sure why. Seems like you could just say, “Sure user, here’s what we have on you: username, email@email.com, and your IP. Is there anything else I can do for you?” 😌
The rest of GDPR is a lot about informing (privacy policy / terms of service) and other things you as a website owner need to do. Not something the Flarum software needs to do. And so again, I’m struggling really hard to figure out why some think Flarum isn’t GDPR compliant as-is.
Here’s more from XenForo:
https://xenforo.com/community/threads/upcoming-changes-for-gdpr-compliance-in-xf1-and-xf2.146888/#post-1248611
I also just practiced deleting all posts by a user from my database. Again, it seems that’s not necessary for a forum, just anonymizing posts is, but just in case… I found it’s incredibly easy with phpMyAdmin to delete all posts by a specific user ID. Then you can use the new user page in Flarum’s admin dashboard to go to their profile and delete their account. And boom. That’s about as compliant as you can get my friends.
Why not just delete their account with phpMyAdmin too? Because I want Flarum to do it in case certain extensions need to do something special during the deletion.
I’ll start a separate resource thread on how to delete all posts by a certain user with phpMyAdmin (or any other similar MySQL GUI). It really is super easy. I can do it with little MySQL query experience. And so you can too!
To me, all of this means if there ever is a GDPR extension, it would be more important for large forums and/or to be fancy. Because I think even a beginner can figure out some MySQL/phpMyAdmin basics to remove data if needed.
Disclaimers: 1) I’m not a lawyer, I’m not responsible if you follow my advice then get fined or shut down. 2) When messing with phpMyAdmin, back up that database! And I want to stress that I only recommend deleting posts with phpMyAdmin. Delete user accounts with Flarum’s tools.