[Closed] GDPR Compliance

16 Posts
4 Users
3 Likes
4,020 Views
Posts: 1602
(@anonymous20)
Noble Member
Joined: 8 years ago

Posted by: Anonymous20

isn't that better handled during the WordPress signup and not for each and every plugin?

I would prefer the proposal suggested by anonymous3542, for it to be part of the wpForo process. I use wpForo as my front end for sign-up, not WordPress. I totally hide the WordPress dashboard; members access their account info via the forum tools.

Well, I think most of us don't use wpForo like that. And a simple standard WP Signup is enough.

Because I see a lot of plugins adding their own stuff, and that is not good IMHO. For example, a photo gallery I use is adding ticks and boxes for comments to photos, etc.


Posts: 124
(@cmw14)
Estimable Member
Joined: 7 years ago

Posted by: Anonymous20

Well, I think most of us don't use wpForo like that. And a simple standard WP Signup is enough.

Agreed, I'm likely in the minority and I respect that. 👍

However, rather than being dismissive of the possibility, it could always be an option to switch on or off. That way everyone is catered for: those that wish to use it can, those that don't, don't. Pretty much how many of the wpForo options currently work. All academic anyway; the wpForo team ultimately decide what's included or not.

Posts: 393
Topic starter
(@anonymous3542)
Honorable Member
Joined: 7 years ago

@cmw14 @anonymous20 I'm another who doesn't handle login and register functions via wpForo - I use TML for both (mainly because phenomlab enforces 2FA Auth and also makes use of more social login capabilities than just Facebook).

I'm going to look into adding a bit more functionality and I'll post the results here.

Posts: 1602
(@anonymous20)
Noble Member
Joined: 8 years ago

I think there is more than ticks for comments and posts. I read now the Right to be Forgotten, for example.

What happens if someone requests to be "forgotten" and the forum posts?

1 Reply
(@anonymous3542)
Joined: 7 years ago

Honorable Member
Posts: 393

@anonymous20 you are correct there. It's much more, in fact. The tick boxes in terms of auto signups, comments, contact forms etc. all have to be unticked by default to prove that you are not sending the user unnecessary junk.

GDPR is wide ranging in terms of reach, and whilst it certainly does protect the individual who is the owner of that data, it makes it a complete nightmare for custodians.

Posts: 1602
(@anonymous20)
Noble Member
Joined: 8 years ago

@cmw14 Please don't get me wrong. I'm equally confused about this GDPR c**p as you. Just saying that if some PLUGIN exists for all that, maybe we should consider it.

Just thinking loudly.

Checking the WordPress plugins repo for GDPR, I see only 4 plugins; that seems not very promising. But interesting.

Also, right now I know a huge amount of sites that base their popularity and rank on the amount of comments and/or forum posts. A HUGE amount of information. What will happen to all that? Should they scrap everything on request? Just scrap the link to a name/account and just anonymize the comments/posts?

How should we know that the person who REQUESTS to be deleted is actually the person the email belongs to? Hacked email accounts? How do we verify? Is an email confirmation enough?

1 Reply
(@anonymous3542)
Joined: 7 years ago

Honorable Member
Posts: 393

Some great points here @anonymous20 and I'll do my best to clarify them.

Those sites with hundreds if not thousands of comments and forum posts can argue a "legitimate interest" for keeping data. Those who have previously subscribed to something would only need to attest to their data being used in any site by means of a one-time redirect when they log in to a terms and conditions page. They are not allowed to proceed any further unless they provide consent.

In a similar fashion, the right to be forgotten is another conundrum in the sense that (as you've mentioned) the request could originate from a hacked account. There are no clear guidelines around this scenario at present, and an official request is generally enough in order to execute. However, there are various sanity checks that you could leverage to potentially combat this, such as 2FA in order to complete the request etc. Effectively, the user has the right to request deletion, which can either be automated via the site, or via a secured one-time link. By definition, the user also has the right to gain an export of all data held in relation to them as a CSV or XLS file for ingest by another custodian (another site, for example). I tend to prefer the normalisation route, with data being sanitised, removing any pertinent information that may identify the user rather than removing the content.

Then there's backups. There's no enforced rule within GDPR that dictates you have to restore each backup and remove information - you just provide written attestation that the data is removed from the said date, and will not be reinstated without the express written consent of the owner.

Lastly, there's the legal side. Regulation always trumps GDPR. For example, if a company is regulated by the FCA or SEC then they have the need to comply with such data retention regulations - in most cases, 7 years, or indefinitely if that associated data is subject to legal hold. Any company exercising this right would need to provide legal evidence of such a retention requirement, but that would not be difficult. In essence, the right to be forgotten can only be trumped by regulatory law. Failure to comply with any request is in essence a breach of those regulations and could attract obvious penalties.

One final thing to consider is the breach reporting requirements. You now have to notify both the ICO and all users within a system that there has been a breach within 72 hours.

Feeling sick yet? 😯
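A sketch of the two mechanics the reply above describes, the data export for portability and the "normalisation route" that keeps the posts but severs their link to the person, as an added example that is not part of this thread or of wpForo. The forum tables are a constructed in-memory stand-in with a hypothetical shape, not the plugin's real schema.

```python
import csv
import io
import re
import secrets
from datetime import datetime, timezone

# Constructed in-memory stand-in for a forum's users and posts tables
# (hypothetical shape chosen for this example, not wpForo's real schema).
def build_sample_forum():
    return {
        "users": {
            1: {"login": "alice", "email": "alice@example.com", "display_name": "Alice"},
            2: {"login": "bob", "email": "bob@example.com", "display_name": "Bob"},
        },
        "posts": [
            {"post_id": 10, "user_id": 1, "body": "Hello forum"},
            {"post_id": 11, "user_id": 2, "body": "@alice thanks for the tip"},
        ],
        "erasure_log": [],  # the written attestation of what was erased, and when
    }

def export_user_data(forum, user_id):
    """Right of access / portability: every record tied to the user, as CSV text."""
    u = forum["users"][user_id]
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["record", "field", "value"])
    for k, v in u.items():
        w.writerow(["user", k, v])
    for p in forum["posts"]:
        if p["user_id"] == user_id:
            w.writerow(["post", p["post_id"], p["body"]])
    return buf.getvalue()

def anonymize_user(forum, user_id):
    """Erasure by normalisation: keep the content, sever its link to the person."""
    u = forum["users"][user_id]
    pseudonym = "deleted_" + secrets.token_hex(4)  # random, so it cannot be reversed to the person
    # @mentions in other members' posts also identify the person, so rewrite those too
    mention = re.compile(r"@" + re.escape(u["login"]) + r"\b")
    for p in forum["posts"]:
        p["body"] = mention.sub("@" + pseudonym, p["body"])
    forum["erasure_log"].append({"user_id": user_id, "erased_at": datetime.now(timezone.utc).isoformat()})
    u.update(login=pseudonym, email="", display_name=pseudonym)  # row stays so post ownership ids remain valid
    return pseudonym
```

Running the export before the erasure gives the user their portable copy; running it again afterwards shows that nothing identifying remains while the post content is untouched.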

Page 2 / 3