
[solved] Does the GDPR apply to a forum?

qubit

UPDATE 11 March 18: question answered. See my summary here. Thanks everyone.

UPDATE 24 May 18: definitive answer regarding an individual

There isn't an appropriate section for my question, so I've put it in General Software. Mods, please feel free to move it if you think it should be somewhere else.

I've been wanting to start a forum for the longest time and this year I might actually do it. It would start off as a general discussion forum with anonymous usernames as on here, with a tech corner, a bit like a small TPU and will be run as a non-profit. It might carry front page news at some point, but that would be some way off. However, UK law is changing, with the Data Protection Act being replaced by the much tougher EU General Data Protection Regulations on 25th May and I wonder if it would apply to someone like me.

I'm not a business and at most, my forum would run a few ads to help pay the bills. I've looked it over, but the website doesn't clearly spell out the scope of whom it covers, so I'm not quite sure if it applies to me. Basically, if I'm going to be under some onerous provisions with heavy penalties then I won't bother.
 
my opinion
it may have been more appropriate posted here (Mods may also concur and subsequently move it :) editing this post also :)
https://www.techpowerup.com/forums/forums/programming-webmastering.52/

My advice would be to call someone like GoDaddy and speak to "Customer/Sales Service" with enquiries as to legal responsibilities/liabilities
and the same to other hosting services
get each to send you a laid out costed plan, i.e. a pre-contract document
Hope this helps and
ps sorry if I'm telling you how to teach grandma how to suck eggs

PPS worth speaking to @W1zzard for advice
 
Thanks D, that sounds like a good place to start. If W1z can chip in too, that would be great.
 
I think you should consult a lawyer (solicitor in the UK).
 
STEP 1. See above: talk to hosting providers
STEP 2.
I think you should consult a lawyer (solicitor in the UK).
Why pay for legal advice until you have confirmed if you have any POTENTIAL liabilities?
 
my opinion
it may have been more appropriate posted here (Mods may also concur and subsequently move it :) editing this post also :)
https://www.techpowerup.com/forums/forums/programming-webmastering.52/

I don't know if that is the right place with out asking a few questions.

@qubit are you asking what forum to use example ZenForo, vBulletin, etc.. or are you asking where to start and how to code it? Do you want to learn HTML, CSS3, PHP, JavaScript, asp.net and need help? If so then I will move it for you buddy.
 
Why pay for legal advice until you have confirmed if you have any POTENTIAL liabilities?
Because it is the solicitor's job to understand the laws and identify all those liabilities.

qubit has stated he will be accepting ad revenue to help pay the bills for the service he will be providing. That's a business - regardless if non-profit or not - regardless if he states it is a business or not.
 
@Mindweaver No, it's just the legalities of setting up a forum. Regarding the technicalities such as software, servers, domains etc I can work out myself and will ask on here if I get stuck on any of it.

@Bill_Bright Wouldn't surprise me if you're right re ads and a business. Legal advice sounds like a good idea at some point. I belong to a union which should be able to get me that kind of formal advice for free. I just wanted to get a start on it here and also figured it would make for an interesting talking point. :)
 
just do it.

In the UK the taxman isn't even interested in the first year... they expect a loss.

Speaking purely from personal experience.
 
you have to find out potential liabilities and the hosting company can indicate for free what they might be

Then you pay for (if you proceed) legal advice on the whole plan

There is no point in PAYING FOR LEGAL ADVICE till the hosting company indicates some form of liability or not
if @qubit gets advice from a potential host that indicates for certain that he will have liabilities then he won't proceed
your advice, while appropriate if he proceeds, would COST HIM MONEY that he may not necessarily need to spend if he does not proceed
 
I think, in relation to the new data protection legislation, it would depend on what data you were storing. If the registration process allowed a user to enter a date of birth then you may come up with some problems, whereas an age may not. If all you asked from a user was an anonymous username and country of origin you may get away with it, but I agree it's worth getting some advice whatever the source. Either that or wait until next year when we are not part of the EU and therefore may relinquish EU GDPR :)
 
wait until next year when we are not part of the EU and therefore may relinquish EU GDPR
It seems pretty clear in the link qubit included, while the name may change, the meat of the law will remain the same.
The new Data Protection Bill going through Parliament will transpose the GDPR into UK law, and will continue to apply post-Brexit.
 
It seems pretty clear in the link qubit included, while the name may change, the meat of the law will remain the same.
The devil is always in the detail and until such laws are passed nothing is sure
It's well known here in Britain that certain parts of EU law will not be carried over after Brexit
We will have to wait until Brexit to find out for sure (and subsequent relevant legal challenges)
 
It seems pretty clear in the link qubit included, while the name may change, the meat of the law will remain the same.
Commercially many are not of the same opinion though, it is believed that a watered down version may well be implemented post Brexit as many flaws appear to have been identified already, suffice to say that times are uncertain and so is the longevity of this bill as it stands once we are outside of the EU.
 
I don't know. When I lived in the UK, many of your consumer protection laws were tougher than ours in the US. You both are right and what happens in May may be watered down compared to the GDPR. But there is also the possibility of even greater protection for the consumer - which I see as a very good thing. The smarter bad guys have turned to hacking companies because they know companies have been too lax in protecting consumer's information.

The bad guys have been extremely successful at using socially engineered malware distribution methods to trick [poorly trained] company employees into clicking on a very legitimate looking but malicious link designed to exploit known but unpatched!!!! :mad: vulnerabilities! And it has worked because executive management, CIOs and IT departments have failed to properly train employees to not be "click-happy". They have failed to impress upon IT personnel the need to apply security patches in a timely manner to minimize exposure of known vulnerabilities. And they have failed to invest essential resources in time, training and personnel to ensure a robust information protection plan is in place, is top notch, and remains top notch.

Take the Equifax hack of 145 million accounts (including 15 million in the UK). The vulnerability was discovered and a patch developed and distributed to Equifax 2 full months before the hack occurred. They were even notified by US CERT of the vulnerability and patch. But they failed to apply the patch - in violation of their own 48 hour patch time requirement. They still don't know exactly how the bad guys got in because they failed to implement the essential monitoring tools. They don't even know how the bad guy was able to download the massive amounts of data on 145 million people and remain undetected - again, because they failed to implement the essential monitoring tools.

And all that critical, highly sensitive data wasn't even encrypted! :mad: :kookoo: :mad: :kookoo: :banghead:

I am all for less regulation but sadly, we have seen over and over - and over! - again companies' negligence - unwilling to invest in robust security - to include extensive employee training. I realize companies basically get $0.00/£0.00 on their IT security investment, but that's just become the cost of doing business in this bad guy infested digital age.

***

As far as the website host, pretty sure you have to sign an agreement absolving them of all liability - unless clearly their fault. I did for my business site with GoDaddy.

At least before going live, if you are going to run a site that contains any personal data, you need to contact a lawyer/solicitor, and get some good insurance!
 
I'm not a business and at most, my forum would run a few ads to help pay the bills. I've looked it over, but the website doesn't clearly spell out the scope of whom it covers, so I'm not quite sure if it applies to me. Basically, if I'm going to be under some onerous provisions with heavy penalties then I won't bother.

It doesn't spell out who it applies to because it applies to anyone that collects data electronically.

It's intended to protect people from identity theft and maintain privacy. There are numerous laws in the US that are analogous; the one that comes to mind is HIPAA. That said, the US is wayyyy far behind the EU/UK in protecting personal data... Equifax Breach and the US government is not looking out for people, they are looking out for business.

Basically, if you are collecting and/or using any personal information (and they spell it out), you are responsible for protection of that data from breach and intentionally or non-intentionally giving it away including derivatives or analysis that may give away personal data that can identify a specific individual.

Here's a snippet from GDPR:

The key elements of the GDPR
Personal data

The GDPR applies to personal data. This is any information that can directly or indirectly identify a natural person, and can be in any format. The Regulation places much stronger controls on the processing of special categories of personal data. The inclusion of genetic and biometric data is new.
Personal data

Name
Address
Email address
Photo
IP address
Location data
Online behaviour (cookies)
Profiling and analytics data
Special categories of personal data

Race
Religion
Political opinions
Trade union membership
Sexual orientation
Health information
Biometric data
Genetic data
 
Equifax Breach and the US government is not looking out for people,
They are not doing enough but again, the US CERT (part of US Homeland Security) did warn Equifax well before the breach. But Equifax failed to act on it. This one is 100% Equifax.

Now what needs to happen is the government needs to fine the heck out of Equifax, and perhaps criminally charge their execs. That may get the attention of other businesses and get them to tighten up their security and training.

From that list, you will have their email address and IP address you will need to protect - assuming you will have them create accounts.
 
Now what needs to happen is the government needs to fine the heck out of Equifax, and perhaps criminally charge their execs. That may get the attention of other businesses and get them to tighten up their security and training.

This conversation is somewhat off topic... Congress voted to disallow class action lawsuits against Equifax. Another shining example of our GOP leadership, with VP Pence making the deciding vote: https://techcrunch.com/2017/10/24/c...-other-companies-with-arbitration-agreements/
 
Best to keep the political commentary to yourself or this thread will be shutdown.
 
@qubit - I work for a Local Authority Trust and we have been primed for the new data protection rules. The elements that will concern you as a data processor and a data holder will be the security and clarity of what information you will hold and what will be done with it. If you take our e-mail addresses and allow 3rd party 'spam' without our consent - you will be doomed. If you do not hold our e-mails on secure servers with adequate encryption and they are stolen - you are doomed.

In short:

1 - Data must be held securely and safely.
2 - What you do with said data must be clearly explained.
3 - You must ensure when we sign up we agree to your terms and conditions and said conditions adhere to the new GDPR.
4 - Any unauthorised dissemination of personal data (e-mail, name connected with other data etc) will get your ass sued.

Best to keep the political commentary to yourself or this thread will be shutdown.

If that were the case, certain forum members' avatars should be banned (not aimed at you).
 
Best to keep the political commentary to yourself or this thread will be shutdown.

Commentary aside, it's fact, not fake news. Just an example of how US elected leaders are beholden to donors not their constituents

In short:

1 - Data must be held securely and safely.
2 - What you do with said data must be clearly explained.
3 - You must ensure when we sign up we agree to your terms and conditions and said conditions adhere to the new GDPR.
4 - Any unauthorised dissemination of personal data (e-mail, name connected with other data etc) will get your ass sued.

Well said. The best policy is not to store any personal information, unless you have a reason to :toast:
 
I work for a Local Authority Trust and we have been primed for the new data protection rules. The elements that will concern you as a data processor and a data holder will be the security and clarity of what information you will hold and what will be done with it. If you take our e-mail addresses and allow 3rd party 'spam' without our consent - you will be doomed. If you do not hold our e-mails on secure servers with adequate encryption and they are stolen - you are doomed.

In short:

1 - Data must be held securely and safely.
2 - What you do with said data must be clearly explained.
3 - You must ensure when we sign up we agree to your terms and conditions and said conditions adhere to the new GDPR.
4 - Any unauthorised dissemination of personal data (e-mail, name connected with other data etc) will get your ass sued.

Does this apply, or is this going to apply, if Servers are in one location and the Storefront is in a different location as well, non-profit or not?
If all the components are off-shore? "qubit" as an administrator only.
 
Does this apply, or is this going to apply, if Servers are in one location and the Storefront is in a different location as well, non-profit or not?
If all the components are off-shore? "qubit" as an administrator only.

It's not about profit or business use. It's simply about data retention and protection of personal data. If qubit is the administrator, he is the designated person in charge of the data (regardless of where it is kept) therefore he will be liable. Also, the regulations cover FOI requests as well so qubit will need to be able to retrieve requests made by his customers on what data he stores about them. In normal use, there would be no issue as long as the data is used for the stated purpose and held according to the requirements of the law.
 
It's not about profit or business use. It's simply about data retention and protection of personal data. If qubit is the administrator, he is the designated person in charge of the data (regardless of where it is kept) therefore he will be liable. Also, the regulations cover FOI requests as well so qubit will need to be able to retrieve requests made by his customers on what data he stores about them. In normal use, there would be no issue as long as the data is used for the stated purpose and held according to the requirements of the law.

Is there any way "qubit" can limit or circumvent or eliminate personal legal exposure?

Edit: "qubit" is a volunteer at a non-profit.
 
Is there any way "qubit" can limit or circumvent or eliminate personal legal exposure?

Edit: "qubit" is a volunteer at a non-profit.
I work for a large national charity and our volunteers are not exempt from legal exposure.
 