GDPR (A collection of information geared towards forum management)

010101

My actually reading about GDPR for once quest continues. If you run a forum, and you get a right to erasure request (delete account) what do you do?

You do have to remove the profile, email, username/name. But, it seems you do not have to delete posts. Why? Well, supposedly this is from a Dutch lawyer:

...specifically with forums you will run into a problem that this disrupts the discussion a bit, or the archive is no longer complete. That is a problem, because in such situations freedom of expression is compromised. People should be able to read what has been said in the past, and privacy should not be allowed to rip through like a 1984 bulldozer.

This problem was already recognized when the GDPR was introduced, and it therefore states in the case of the right to forget that it does not apply if the processing (the publication) is necessary for the exercise of the fundamental right of freedom of expression (Article 17 (3) GDPR ). In principle, a forum administrator can thus prevent messages from being deleted. A profile or registration of a user falls outside that fundamental right and must therefore be removed on request.

Source: https://sohmbnaaibqae62wde73uqt43i-ac5fdsxevxq4s5y-blog-iusmentis-com.translate.goog/2018/04/03/geldt-het-vergeetrecht-onder-de-avg-ook-bij-forumdiscussies/

(Above: Lawyer’s blog post about it run through Google Translate. Original: https://blog.iusmentis.com/2018/04/03/geldt-het-vergeetrecht-onder-de-avg-ook-bij-forumdiscussies/)

Flarum already does this. It removes the account but keeps the posts with no user attached. Of course future GDPR extensions might do more just in case you want to be extra cautious. But, it seems so far that Flarum is GDPR compliant out of the box in large part thanks to the fact that it’s a forum and you most likely don’t want to mess up the flow of discussions.

Now, maybe by the year 2030, there will be a Flarum extension that will remove the person’s account, leave their posts but via A.I. summarize and re-write the person’s posts so that the discussion flow still makes sense but the original text is gone. 🤤

clarkwinkelmann

010101 the way I understand it, GDPR guarantees the right to obtain copy of your data and remove personally identifiable data, but not the right to retract everything you ever posted? If that content doesn't contain any identifiable information, the forum owner has probably no legal obligation to destroy/hide that data? There might be a difference between what's public and private as well here...

Depending on the terms of service of the website, you might also have already given away the rights to reproduce your content, in which case I suppose only requests like DMCA could still be used against data where you could be recognized?

In the case of Discuss, there's also our guidelines that specify not deleting content unnecessarily. Quitting the forum probably shouldn't be a workaround that rule. I don't think we have ever deleted a user's complete post history so far. The only posts we remove are those breaching our guidelines or those containing private information.

010101

Recently another thread on GDPR went south because folks began insisting they were right and I was wrong. In that thread I was simply saying, I don’t think I’m 100% wrong or right just as they likely weren’t 100% right or wrong. I’m not sure why there can’t be compromise and more in depth research like I’m doing 🔬on this topic.

Anyway, my quest continues. Hopefully no one comes here just to say I’m wrong without really solid evidence.

Oh, and, why am I still posting about this? 😆 Because I’m genuinely curious. My forum isn’t big now… but maybe one day it will have a lot of members and so I want to be prepared. It’s very hard sorting through fact versus fiction on these laws. I think some people are too quick to be like: you must do this or that. I think that’s more dangerous. Just accepting what you’ve heard versus reading many viewpoints.

My latest idea to find the truth about GDPR is to simply check and see what some popular forums are doing. As far as right to be forgotten, some popular forums are doing what was discussed above, and in other threads, and what Flarum does by default. Which is, the username, email, profile is removed, but post content remains without the username listed. Xenforo does it like this, and Mac Rumors does this. They have humongous communities.

Therefore, as far as that part goes, Flarum seems to be compliant out of the box. Or, major forums are doing it wrong. Which I doubt.

The next popular compliance concern involves personal data requests. This I still need to research more but, I know it doesn’t mean downloading someone’s posts. It just means you show them what personal data you have about them. With a default Flarum installation this would just be: username, email, IP address. All very easy to get from Flarum’s admin area, or your database. But, what I still want to research is the format. Seems it has to be in a machine readable format. I read Xenforo staff saying they export to .xml format. I’m not sure why. Seems like you could just say, “Sure user, here’s what we have on you: username, email@email.com, and your IP. Is there anything else I can do for you?” 😌

The rest of GDPR is a lot about informing (privacy policy / terms of service) and other things you as a website owner need to do. Not something the Flarum software needs to do. And so again, I’m struggling really hard to figure out why some think Flarum isn’t GDPR compliant as-is.

Here’s more from Xenforo:

https://xenforo.com/community/threads/upcoming-changes-for-gdpr-compliance-in-xf1-and-xf2.146888/#post-1248611

I also just practiced deleting all posts by a user from my database. Again, it seems that’s not necessary for a forum, just anonymizing posts is, but just in case… I found it’s incredibly easy with phpMyAdmin to delete all posts by a specific user ID. Then you can use the new user page in Flarum’s admin dashboard to go to their profile and delete their account. And boom. That’s about as compliant as you can get my friends.

Why not just delete their account with phpMyAdmin too? Because I want Flarum to do it in case certain extensions need to do something special during the deletion.

I’ll start a separate resource thread on how to delete all posts by a certain user with phpMyAdmin (or any other similar MySQL GUI). It really is super easy. I can do it with little MySQL query experience. And so you can too!

To me, all of this means if there ever is a GDPR extension, it would be more important for large forums and/or to be fancy. Because I think even a beginner can figure out some MySQL/phpMyAdmin basics to remove data if needed.

Disclaimers: 1) I’m not a lawyer, I’m not responsible if you follow my advice then get fined or shut down. 2) When messing with phpMyAdmin, back up that database! And I want to stress that I only recommend deleting posts with phpMyAdmin. Delete user accounts with Flarum’s tools.

streaps

010101 Recently another thread on GDPR went south because folks began insisting they were right and I was wrong. In that thread I was simply saying, I don’t think I’m 100% wrong or right just as they likely weren’t 100% right or wrong. I’m not sure why there can’t be compromise and more in depth research like I’m doing 🔬on this topic.

Seriously? That is how you start a post after you suggested closing the other discussion? Just assuming others don't know shit and you are the one doing the in depth research? It went south because of some other folks? Nothing to do with your style of discussion?
My impression was that you were derailing any serious discussion about the lack of a proper GDPR extension and constantly negating the problems that it causes. In-between making sure that everyone understands that you don't care that much about the GDPR anyway:

I won’t be bullied into not running a website because of the EU. I’ll forever be a free and open Internet warrior.

A user's posts are personal data too. And users have the right to data portability. Nearly everything connected to the users account is personal data. Date of registration, last login, bookmarks, personal stats and maybe comments by the moderation about the user, ...

Did anyone doubt that it's possible to export and delete that data from the MySQL database? It is just not very practical. And if the process is so super easy, why don't we have a extension that can do this? I guess it would be just a couple of hours work. The whole discussion around the topic would have took more man-hours by now.

010101 And so again, I’m struggling really hard to figure out why some think Flarum isn’t GDPR compliant as-is.

I guess the disagreements are about the definition what GDPR compliance for a software means. My understanding is that you use it as in "Flarum does not violate the GDPR". Others mean with GDPR compliance (of a software) that it includes all the basic functionality (or more) to enable GDPR compliance without the need to fiddle with the database or read the source code of extensions to figure out what kind of data is stored for the user and how to export the data on request. It also could mean that it gives you an general overview of the relevant data that will be stored and processed for every user. Because we need to know what data is stored and processed and we should prepared to export and delete that data on request.

You propose that every admin (some with limited knowledge of the GDPR and some with even disgust for it) figure out a way to do this stuff manually for themself. This will lead to bad user experiences with Flarum forums and makes Flarum a non-option for most organisations.

With your limited point of view and use case, you might be right.
But the general message is: "Flarum can be 100% GDPR compliant. You just need to be an GDPR expert and be prepared to write your own tools to export the data from the database".
Another message is: "We close controversial discussions about this topic".

Meanwhile people interested in Flarum do realize that it is not ready for the GDPR, there are no commits for nearly two months in flarum-ext-gdpr and no GDPR roadmap. Next thing they will do is installing Discourse or NodeBB.

Don't get me wrong. I know time and resources are limited and I'm in no position to tell the developers how they should prioritize their work. It is what it is. askvortsov described the situation in the two posts on the GDPR extension thread well enough.
But denial doesn't help. At the moment the unfinished GDPR-extension is the biggest issue that prevents production usage for anyone who takes the GDPR seriously and has not the skills/resources to write their own tools/extension. Of course someone with a big enough budget could just commission an extension and an audit of Flarum, but it hasn't happened yet.

davwheat

010101 I read Xenforo staff saying they export to .xml format. I’m not sure why.

It's a combination of it being easier to work with from a programming point of view, and your right to data portability, I believe.

luceos

streaps Did anyone doubt that it's possible to export and delete that data from the MySQL database? It is just not very practical. And if the process is so super easy, why don't we have a extension that can do this? I guess it would be just a couple of hours work.

Flarum is extensible and the currently envisioned GDPR extension allows extensions to register what PII is for instance. Such an approach would be future proof and wouldn't require one GDPR extension to create logic for any extension inside the ecosystem by pushing that responsibility towards the specific extension. In my humble opinion, this is the best approach to tackle the legislative requirements of GDPR from a community framework perspective; it's not simple to build though.

Understand that we are listening and we do value all the feedback that's been provided. As we're a bit stretched thin right now, we won't make any public statements as to the decisions that have been drawn from this.

Having said that, please everyone please remain respectful, stay on topic. There's nothing to be gained from these overly heated arguments that border on attacking people personally.

010101

streaps Thanks for your views. I’m not part of the Flarum dev team though. This thread is a thread I started a while back to post about information I find on GDPR. This thread is less about my opinions and more interpretation of actual information I find so that if needed I can comply with a GDPR user request right now.

Again, thanks for your views and passion on the subject. Do you have any links from popular forums showing how they handle GDPR? That’s what I’m currently working on doing. Seeing what other forums do.

streaps

luceos Understand that we are listening and we do value all the feedback that's been provided. As we're a bit stretched thin right now, we won't make any public statements as to the decisions that have been drawn from this.

Unfortunately in being not transparent you are creating your own FUD (fear - uncertainty - doubt). People might think that you have your own GDPR problem with the Blomstra service and for legal reasons you cannot disclose anything. For example I haven't found anything about a DPA on blomstra.net (or freeflarum.com) or anything about how a DSAR can be handled. I don't say these are facts, but that one might get the impression from what is (not) available on the websites.

For this collection: If a forum is hosted by a third party as a service a data processing agreement is mandatory.
https://piwik.pro/blog/7-elements-every-dpa-data-processing-agreement-should-have/

Other services put the DPA on their website:
https://www.discourse.org/forms/dpa
https://protonmail.com/dpa
https://www.digitalocean.com/legal/data-processing-agreement/

So make sure that you (as the data controller) have a proper DPA with the third party (data processor) hosting your forum.

010101

davwheat data portability, I believe.

Oh, that’s right. The portability part.

It seems odd in a default Flarum installation case to offer that. All one could give the user is email, IP, and their username. I think that’s the only personal info. in the database on a user.

I suppose the debate could continue forever whether actual post content counts or not, but here’s an interesting point: Wordpress’ built in GDPR export tool only exports user account info. Not posts. And the big forums I visit export account info. Not posts.

For now, if I were to get that type of request I’m going to follow WordPress, Xenforo, and others leads and only provide user account data.

010101

An update: Next I will throughly review this official checklist. Which is crucial if Flarum ever wants to have an official page on this topic. I immediately saw how this checklist will help. Many times someone might say, you must do this, it's in the GDPR law. But, what they might miss is that a certain part might only be crucial if you have 250+ employees or conduct higher risk data processing, as you'll read in the first part of this checklist.

https://gdpr.eu/checklist/

This also caught my eye so I'll closely review it. It's a "simplified" guide on a Microsoft's website. And it seems like "official" Microsoft documentation versus a random blog. Meaning, I feel better trusting it.

https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/gdpr-compliance?view=o365-worldwide

010101

Okay, after years of hearing this and that about GDPR, and reading this and that, and soaking up all kinds of opinions... Here is my GDPR guide for forums.

To-do:

Put this in a Github repository and then you can submit a pull request to make it better
Make the table of contents linked

GDPR Guidance

For forums

This is not legal advice. This has not been reviewed by a lawyer. It is up to you to do the research and determine what you need to do to make your forum compliant. Especially if your forum is popular, generates revenue, collects very sensitive/risky data, and/or has 250 or more employees, it is recommended that you consult a lawyer. If this guidance results in any damages, the person who drafted this guidance is not responsible. Any website or entity displaying this guidance (since it is free to share) is not responsible. Follow this guide at your own risk.

TL;DR

If you own a forum, you must understand the basic concepts of GDPR, and there are certain steps you need to take to ensure your forum complies with this law. Yes, even if you are not in the EU. Unless, you block all EU citizens from seeing your forum. Even then, your country probably has similar laws. But, don't be scared. Here you will see why you might not have to do certain things. Such as, why it's likely OK to leave posts in place after deleting a user's account. Plus, you may not need any fancy GDPR features, and you may not even need that annoying cookie banner notice. This guide isn't legally allowed to state anything with certainty though because the author isn't a lawyer.

What is GDPR and do I have to comply?
Where does most of the information for this guide come from?
What should I do first?
Make sure what you collect is justified
Tell people you are collecting their data and why
What about security?
Do I need a Data Protection Officer?
Common user requests you may receive
What about cookies?
Anything else?

What is GDPR and do I have to comply?

GDPR (General Data Protection Regulation) was agreed upon by the European Parliament and Council in April 2016, and replaced the Data Protection Directive in Spring 2018 as the primary law regulating how companies protect EU citizens' personal data. The law lays out what website owners, companies, non-profits, and other entities need to help ensure this personal data is protected. Even if you are not in the EU, if you own a website and someone from the EU visits, then you need to comply. Or, block all EU IP addresses.

In a way, GDPR is nothing new. For centuries there have been privacy laws in some countries, and since the late 90s there have been some sort of Internet Privacy laws. If you have been a website owner since the 90s then you are very familiar with privacy policies and terms of service. You can think of GDPR as a slightly more robust version of the early laws.

Where does most of the information for this guide come from?

Most of the information referenced in this guide comes from https://gdpr.eu/checklist/. Some of the carefully researched opinions in this guide when it comes to how forums need to comply comes from years of reviewing various articles, as well as looking at how large forums handle GDPR.

In other words, this is an interpretation of an official GDPR checklist geared towards forums. At the end of the day, this is all anyone can do - interpret the law. This is what lawyers do as well.

What should I do first?

Review this checklist for yourself: https://gdpr.eu/checklist/
As stated above, this checklist is the foundation for this guide.

If you process high risk, very sensitive personal data, or have 250 or more employees, your first step is to assess the situation using a form like this. This will help you to remember to do certain things and add certain information to your privacy policy. Then file it away in a safe place in case you are audited.

If you run a small, niche forum that generates little to no revenue, and all you process is the type of data a default forum installation typically processes (i.e. username, email, password, IP address, and posts), then doing this assessment/form step is optional.

What's "high risk" data?

What exactly is high risk data? Let's just read text straight from gdpr.eu:

From Recital 75

... data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subject.

But wait, never read one part of a law like this and assume it 100% applies to you and that it 100% applies to every type of website, and all types of situations. GDPR also makes exceptions. Later in this guide you will see why many people, including lawyers, feel that the above does not count when it comes to actual forum discussion posts. Profile/account data? Yes. But actual forum posts? Maybe not. Keep reading this guide to find out why.

Make sure what you collect is justified

Again, let's look at actual text from gdpr.eu:

Processing of data is illegal under the GDPR unless you can justify it according to one of six conditions listed in Article 6.

Ok, thanks for that GDPR gods. Now, let's think about forums. With a basic forum you need to store a username, email, and password, and collect post content or else it isn’t a forum that people can participate at. Therefore, you are justified to collect all of that. However, as a non-justified example, collecting a mailing address at sign up may not be justified if that isn’t needed for your forum to run.

Thus, most small forums using most default installations will have justification by default.

Tell people you are collecting their data and why

Most forums do not come with a privacy policy by default. You will need to create one. One part of your policy should spell out, even if it seems obvious, all the data your forum collects. By default, this might only be: username, email, password (to create an account and keep your account and the forum secure), and an IP address (which is used for security/spam blocking purposes). Also, many web hosting services collect IP addresses by default and so sometimes there is no way around that. Other than owning a server you 100% control.

Finally, anything a user posts in a discussion or on their profile is collected data, but contributing to a discussion is optional. The user is not forced to type in personal information when creating a discussion. With account creation they are forced to provide a little personal information. Again, when creating a discussion they are not. See the difference?

Your privacy policy could even explain it in an easy to read way like this: As a forum contributor you must not post anything that could personally identify you. When drafting a new discussion or reply, users must ask themselves something to the affect of, "if I leave this forum one day and my account data is removed but post content remains, would people be able to identify who posted this?" In other words, just post normal discussion content. Don’t post your name, email, other contact info, in a forum thread and then the posts won’t identify you down the road. We truly care about you and your privacy which includes reminding you to think about what you post.

What about security?

From gdpr.eu:

You must follow the principles of "data protection by design and by default," including implementing "appropriate technical and organizational measures" to protect data.

This can be confusing, frustrating, and/or scary if you are a very small forum using shared hosting, for example. You are at the mercy of the web host. Most popular web hosts though will have their own clear privacy policy, and usually it will state how they protect data. Therefore, this part of your privacy policy could also link to their policy to show the data is protected by the web host.

Most high quality forum software takes security seriously and as soon a security issue is detected, the development team is transparent, fixes it as soon as they can, and announces once it’s fixed so you can update your forum.

Thus, typically almost by default, you will be able to check this box as complete (after building it into your privacy policy of course).

Anonymize where possible. In other words, if using analytics software that stores IP addresses, you can usually tell those systems to anonymize the IPs.

If possible, stay away from third parties processing your users data. But if you must do this, research how to stay compliant.

Create an internal policy

Create a security policy that ensures your team members (moderators/admins/etc.) are knowledgeable about data security. The internal policy should include guidance about email security, passwords, and what needs to be done if there is a breach or if a user requests something. Who at your forum will handle GDPR related requests?

Notify users if there's a security issue

Straight from gdpr.eu:

If there's a data breach and personal data is exposed, you are required to notify the supervisory authority in your jurisdiction within 72 hours. A list of many of the EU member states supervisory authorities can be found here. The GDPR does not specify whom you should notify if you are not an EU-based organization.

Do I need a Data Protection Officer?

No.

If you're big and important, yes. If you are a small forum, no. This is when you might need one:

Public authority — The processing of personal data is done by a public body or public authorities, with exemptions granted to courts and other independent judicial authorities.

Large scale, regular monitoring —The processing of personal data is the core activity of an organization who regularly and systematically observes its “data subjects” (which, under the GDPR, means citizens or residents of the EU) on a large scale.

Large-scale special data categories — The processing of specific “special” data categories (as defined by the GDPR) is part of an organization’s core activity and is done on a large scale.

Common user requests you may receive

Right of access by the data subject
Right to be forgotten
Copy of data

Let's look at each of these below.

Right of access by the data subject

Be clear in your privacy policy what data you collect and why. Also, be clear if you do not plan on deleting the user’s posts once their account is deleted and why. The why is simple: a forum discussion will not make sense, help others, or continue to be a forum with a bunch of posts missing. If you disagree with this, then make it your policy that you will delete all posts by a user upon request. Simple.

It also should be easy for the user to edit/update their information. Most forum software allows the user to easily edit account data and posts.

Right to be forgotten

This is the most common debate I see in forums. What does right to be forgotten truly mean, for a forum. The law says that it should be easy for user to erase their personal data. Some feel this means the user should be able to click a button. But, others disagree because it is just as easy to email an admin and say, "delete my account." Easy is subjective. Thankfully the GDPR gods wrote a subjective law.

But what about their posts?
This is up to the forum owner. But, if you choose to keep the posts. I say don't worry about the naysayers especially if your forum is small. Why? Because most forum software removes the person's identifiable (username) information upon account deletion. They are anonymized.

But, but, that’s not compliant!
You say tomato I say tomotto. But, seriously, let’s look at this very closely by reading actual verbiage form gdpr.eu with additional commentary in bold under certain points related to forums.

The right to be forgotten appears in Recitals 65 and 66 and in Article 17 of the GDPR. It states, “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay” if one of a number of conditions applies. “Undue delay” is considered to be about a month.

An individual has the right to have their personal data erased if:

The personal data is no longer necessary for the purpose an organization originally collected or processed it.
Commentary defending leaving posts in place: Account login data then should definitely be removed. If the user doesn’t want the account, you don’t need their login information. But, forum posts, one can argue, are still necessary. Without them, many forum conversations will no longer make sense. Which damages the forum. Remember, user privacy is very important. But, not at the cost of damaging a forum/organization/business/or others' rights.

An organization is relying on an individual’s consent as the lawful basis for processing the data and that individual withdraws their consent.

An organization is relying on legitimate interests as its justification for processing an individual’s data, the individual objects to this processing, and there is no overriding legitimate interest for the organization to continue with the processing.

An organization is processing personal data for direct marketing purposes and the individual objects to this processing.

An organization processed an individual’s personal data unlawfully.

An organization must erase personal data in order to comply with a legal ruling or obligation.

An organization has processed a child’s personal data to offer their information society services.

However, an organization’s right to process someone’s data might override their [the user's] right to be forgotten. Here are the reasons cited in the GDPR that trump the right to erasure:

The data is being used to exercise the right of freedom of expression and information.
Commentary defending leaving posts in place: This is sometimes citied as a reason a forum does not have to erase posts.

The data is being used to comply with a legal ruling or obligation.

The data is being used to perform a task that is being carried out in the public interest or when exercising an organization’s official authority.
Commentary defending leaving posts in place: This could be used as a reason a public forum with posts about public safety, as one example, may keep posts. They are there for the good of the public.

The data being processed is necessary for public health purposes and serves in the public interest.
Commentary defending leaving posts in place: A health forum might cite this as a reason posts are kept.

The data being processed is necessary to perform preventative or occupational medicine. This only applies when the data is being processed by a health professional who is subject to a legal obligation of professional secrecy.

The data represents important information that serves the public interest, scientific research, historical research, or statistical purposes and where erasure of the data would likely to impair or halt progress towards the achievement that was the goal of the processing.

The data is being used for the establishment of a legal defense or in the exercise of other legal claims.

Furthermore, an organization can request a “reasonable fee” or deny a request to erase personal data if the organization can justify that the request was unfounded or excessive.

If you are a small forum with little resources, it might be necessary to charge a small fee for these requests as stated in the final point above. This helps ensure people aren’t making the requests just to make them. Essentially to spam you or your admins. Again, user privacy is extremely important, but it doesn't mean people can abuse your forum or staff. Or, maybe one request a month is free. Then you charge $50 for additional requests.

Do I have to give people their data if asked?

Yes, you should be able to send their personal data in a commonly readable format (e.g. a spreadsheet) either to them or to a third party they designate.

Once again, forum posts are typically not considered personally identifiable personal data. Therefore, this data export could end up being nothing but: username, email, and IP address. Furthermore, major CMSs like WordPress only provide features to export user account data. Not actual posts.

What about cookies?

They are delicious. Who cares if they are unhealthy.

Oh, Internet cookies? Ok.

If you are only using a default forum installation, no ads, and you aren't doing anything crazy like tracking users activities in a weird way, or letting a third party cookie track them, then a cookie pop up notice may not be necessary. Always talk about cookies in your privacy policy, but you may not need an actual in your face notice. Typically you only need that if you are using cookies which are not required for the website to work.

Here's a cool site you can link to in your privacy policy to explain cookies: https://www.cookiesandyou.com/

Anything else?

Finally, just make everything very clear and easy. If a user needs to object to something or contact you, make it easy and obvious. And sure, there's more. Such as what sections your privacy policy should have, other laws, and so on and so forth. But, this should help you to be less scared of GDPR.

Don't let GDPR scare you. The Internet is still a free and open place to express yourself. And, its still a fun place to run a community.

luceos

streaps I'm sorry I should have been transparent from which position I am speaking. What I said was meant as the project manager for Flarum. Understand that Blomstra is an entity completely detached from the Flarum project team and the Foundation, and that FreeFlarum is a community driven project by @Sanguine.

I've always tried to be transparent in what we can and cannot do, but the last time we were transparent about this GDPR extension it backfired. This topic isn't easy and it should be implemented right. If we again state exactly what the plans are, how will we be able to balance expectations against the flux of actual development capacity? But if you must know, we are considering to pull GPDR functionality into a bundled (managed by the project team) extension. As we are working on the next release and have no clear roadmap yet for 2.0, I cannot promise anything in regards of a deliverable on that subject.

As to your question about the DPA for Blomstra; we've had the privacy policy drafted but might have missed this. We're going to tackle this with the utmost urgency, I'm glad you raised it here. Thank you.

010101

Yes, DPA. I alluded to this in my long winded guide above when I mentioned making sure you review your host's policies. I just did not call it a "DPA." I'll add this to my guide that if you rely on a web host (aka the qualifications and resources of third-party expertise to carry out your data processing) you should have a DPA. Although, sadly like with everything else I read on GDPR, there are grey areas... exceptions... 😕

I believe the instruction to forum owners would simply be: If you use a popular web host, they have a DPA (or should). Search your web host's website for this document. Link to it from your forum. And, a host's privacy policy might be their DPA, no? Does it have to be separate from the privacy policy?

010101

I’ve created a better checklist. The above long post is good for reference, but I wanted something shorter and cleaner.

GDPR checklist for small communities

https://www.wilcosky.com/d/27-gdpr-checklist-for-small-communitiesgroupsforums

Note the small communities part. This is what I have and this research was originally for me. Plus, mega forums that make money can just hire a lawyer.

Thank you @askvortsov for the amazing checklist extension. It works beautifully for this.

I’ll get the text/markdown added to my GitHub account soon so others may use the checklist at their sites if they’d like.

010101

Flarum GDPR related extensions

It’s a great Monday morning in my part of the world! This should be my final post here for a while. Hopefully. I’m sure people are tired of seeing this thread. I’ve done as much research as I can at this time and published tools above, such as a checklist.

To end this glass menagerie of human convolution (for now) I will list free extensions, available right now, to help you comply with GDPR:

For Policies - fof/terms
To have a privacy policy and terms (verbiage not included). Create as many policies as you want. Have the new user check off and agree to them all to join your community. Stores consent too. That’s a GDPR big ol’ green check ✅!

For data requests - justoverclock/flarum-ext-contactme
A button for the user is nice, but not required. Direct the user to use this contact form for data requests (including account deletion aka right to be forgotten). That’s another big ol’ GDPR green check ✅!

For Cookies 🍪- fof/cookie-consent
Not always required with a default installation and no add-ons, but if you want, a cookie notice. So, you’ve got yet another big ol’ GDPR green check ✅!

For fanciness and even easier ways to comply - [coming soon]
There will be GDPR extensions in the future. How do I know? Well that’s what people keep saying. And, it’s inevitable. People make all kinds of extensions for Flarum.

For getting started - A checklist

With the above tools and information, you are on your way to compliance domination. 😎

« Previous Page