Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[kitz]

-------------------------
Notice for transparency.
-------------------------




SMF update 2.0.16 released 27 Dec 2019 made significant changes to support GDPR compliance within the SMF Core.

Notable changes in 2.0.16

    Support for privacy policy in addition to registration agreement
    GDPR Compliance toggle in Core Features
       Enabling this configures multiple settings and new features to comply with the GDPR, including:
        Requiring members to accept the current privacy policy in order to use the forum
        Asking during registration whether the new member wants to receive announcements via email
        Enabling token-based unsubscribe links in emails so members can unsubscribe without logging in
        Allowing members to download a copy of their profile information
        Adjusting the behaviour of a number of other features in minor ways as necessary
    PHP 7.2 support
    Improved security hashes for the image proxy
    Improved security for the login cookie
    Assorted other security improvements
    Various improvements for both the installer and upgrader

These changes made little GDPR differences to forums (such as kitz.co.uk) who have been GDPR compliant pre May 2018 content wise, but it did mean we had some problems being able to update because of the mod.

Someone kindly wrote a quick mod hack for SMF forums which enables admins to force users to accept the updated policy changes after I bought the topic up on SMF about GDPR.

In order to update to 2.0.17 I had to remove the GDPR helper modification.  Because I was one of those still having problems updating, I made some manual adjustments which mean GDPR helper data collected by the mod was also removed. 
Now that the latest version of SMF is GDPR compliant without this mod, I have no intention of re-installing GDPR helper, as it would force all users to re-read & agree to the privacy policy and registration form that have had no change to content.   

The only change for our members is that the forum privacy policy can now be viewed here. 
I only noticed the url change yesterday and will update the relevant post above with the new url - which is why Im making this post now.
The new merged page is (and has been) linked in the footer the bottom of each page under Terms and Policies since the update(s).

TLDR version;

• SMF 2.0.16/2.0.17 updated Dec 2019
• GDPR compliance included in the SMF Core code.
• GDPR Helper modification uninstalled.
• Forum Registration Agreement & Forum Privacy Policy merged into the one page - presumably to make it easier for new registrations.
• Neither of these had content changed since May 2018.

[kitz]

Whilst posting about GDPR, I take the opportunity to remind members of the forum policy regarding some of the GDPR policies namely:

    The right to restrict processing

You have a right to ‘block’ or suppress processing of personal data. When processing is restricted, we are permitted to store the personal data, but not further process it.

Our data processing is as restricted as possible. Processing generally requires you to act on our website, therefore not using the website will cease such processing.

As above, processing requires you to act on our website as a logged in member.  Once you are logged out then there is no further processing by the server.

    The right to erase

The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable you to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

On the forum, this can be dealt with by requesting to delete your account. A deletion will have to be approved by an administrator (to protect against accounts being deleted maliciously). We will deal with this by transferring your username to a Guest account which has no user associated profile and all posts previously made will be attributed to the Guest account.

Blanket removal of individual posts is not seen as a compelling reason as it breaks up the thread and seriously affects readability and continuity of technical information data for our other members.  We may also consider a change of username if this is preferred.

We do not blanket remove all posts for the reasons stated above, but are willing to remove or edit individual posts that may contain personally identifying information.

Anonymity
 
If you wish to retain anonymity  - for example if you have used your real name instead of an alias - then admin can change your 'display name'.  The display name is self explanatory, but to clarify this is the name appended to any posts you make.


Personal data & account deletion

The forum has no facility for members to delete their account themselves.   However, this can be done by a forum administrator.   We do this by re-assigning your account to a [special] guest account that will remove all personal data from our servers (such as email and IP addresses) and will asign the attribute 'guest' to any posts you have made in the past.   Because this action assigns you to a guest account that has no personal data, the database treats your posts and any other deleted accounts as the same account.   As such, there is absolutely no going back from this action.

The only personal data that we do hold on our servers for members is your email address & any IP addresses associated with any posts you make.  Both of these and any other information such as user/display name, av, forum signature, registration date etc are deleted when merging to the guest account.

If you wish, you can download a copy of your personal data from Profile > Actions > Download profile data.
Any posts you have made can be viewed from Profile > Profile Info >  Show Posts. 

[Alex Atkin UK]

This sounds like a sensible approach.  The reason I ditched my own login facility on my sites is I honestly didn't want to have to deal with this problem as like you said, deleting user data would completely break the site.

Arguably I still might have to on my legacy sites if an old user requests it, although I don't think I logged IPs anyway.  My biggest gripe with GDPR is how unclear it is what is and is not considered personal data.  As my sites were compatibility lists for emulators, I always considered anything posted to the sites as then belonging to the site, but GDPR seemed to step on this assumption.