Quote:
Originally Posted by DaleDe
When I looked at the description of the legislation it talked a lot about collecting information that the user doesn't authorize. We do not do any of that. All information about a user is directly submitted by the user. Most is optional. The only statistic that we generate is the number of posts and that is clearly displayed. I think a typical forum doesn't collect things the user would be worried about.
|
The typical GDPR problem for non-commercial and non-malicious sites isn't that they're harvesting stuff against the user's will. It's that even if the user consented/was informed up front, they're allowed to come back after the fact and say “I no longer want you to have X, Y, and Z pieces of personal information” (including IP address as a possibility).
And at that point you must scrub that info from all databases, server logs, backups, etc in a timely fashion.
Lots of out of the box setups aren't designed to (for instance) go through all the Apache logs and eliminate IP addresses, or go through and delete first/last names from not just the main user records but debug logs, change history, quotations in messages, etc. Some systems are smart enough that some of that is stored as pointers into the main record (especially quotes), but some aren't and some of that (change history) is inherently stored as copies for good reason.
So compliance becomes a bit of a PITA to dot all the i's and cross the t's.