ItzEdInYourBed

Untitled

Apr 27th, 2020
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give citizens and residents control back over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It comes into force on 25th May 2018.

This law is applicable to any and all website and forum owners who may have members residing within the EU, and there are varying degrees of uncertainty about what needs to be done to maintain compliance.

This guide is not designed to be fully comprehensive, but it will outline the key factors to think about. It does not constitute official legal advice, and you should contact a lawyer or solicitor if you require absolute assurances.

For most forum owners these can be broken down into the following points:

1. Hosting - Are you self-managed or on a managed service? Is your host GDPR compliant?
2. Security - Is your server software and web application software up to date?
3. Inform - Do you tell people what is placed on their computers when they visit your site (cookies, tracking files)?
4. Consent - Do you let people opt out of any such tracking or placement of files?
5. Data collection - What do you collect about people who visit or register on your site?
6. Processing - How do you use the data?
7. Withdrawal - Can people opt out of how their data is used?
8. Erasure - Can people ask for their data to be deleted?
9. Portability - Can users' data be moved elsewhere?

Stop. Don't panic. For most forum owners, most of these points may only require minor tweaks to how you run your website or the policies you use.

1) + 2) Security is important. Most forums will be on shared or managed hosting packages. Take the time to ask your host what their update policy is regarding the server software. How often are system updates run? How often are key software packages checked? What is their policy on fixing critical vulnerabilities such as Meltdown, Spectre and Heartbleed?

If you are self-managed, consider whether you are capable of regularly maintaining your server.

Old and out-of-date software: Do you really need that 5-year-old WordPress install? Or a CMS from the millennium? If so, make sure it's up to date or securely behind a .htaccess password-protected directory. Most security breaches relating to XenForo forums come from out-of-date 3rd party software. Be brutal, be honest: if you don't need it, get rid of it.

3) + 4) XenForo will drop various cookies onto a user's computer when they visit the site. You may have additional cookies dropped, for example if you use Google Analytics or Cloudflare.

Functional cookies are exempt from requiring "explicit consent". This also includes Google Analytics as of this guide being written. Notified consent is considered good enough (e.g. a banner informing visitors that cookies have been placed, together with a page on your site explaining what each cookie does and how the user can remove them).

It appears the approach taken by many of the big companies, including the ICO, regarding cookies is to tell people they are placing them (implied consent) and to show them how to deny or turn them off at the browser level, with a warning that the site may not function correctly without them. For example:

http://www.betfair.com/aboutUs/Cookie.Policy/?utm_campaign=&utm_medium=em&utm_source=adobe_campaign

https://www.moneysavingexpert.com/site/cookies-qa

https://ico.org.uk/global/cookies/

It is safe to assume these guys have lawyers on retainer telling them this is acceptable, so we suggest mirroring that approach.

When do I need explicit opt-in for cookies? Cookies which hold personal data on a user and are not required for the functionality of a site will require explicit opt-in, with the ability to turn them off. Examples of such cookies include advertising cookies which track a user's browsing habits, or affiliate cookies which track whether a user has used a referral link. The providers of these services should be providing the relevant guidance for their services.

5) + 6) + 7) + 8) Whoa, hold on there buddy, 4 points in 1 go? Yep! And I'll tell you why. While some websites and drama queens will tell you the GDPR is going to cause nightmares and headaches, let's run down the key points relating to forums, because it is quite simple.

Unless you export your data to 3rd parties for reasons such as sending out email marketing, most forums will never bump into the GDPR apart from when a user is attempting to use it to be irritating.

The data most forums collect will be reasonable for the running of the website.

As long as you have clear, easy-to-follow policies regarding data use and what you do with it, there is little to worry about.

You must comply with a user's request to stop sending them emails if they so ask.

The right to erasure is not an absolute right. This means that if you have a legitimate interest in holding onto a user's data, such as the email, username and IP addresses, you don't have to delete the user's account. The example most forums will refuse an account deletion on will be to enforce a 1 account per person policy, or to maintain records of banned/troublesome users.

Likewise, you don't have to delete a user's posts, as maintaining them is a legitimate interest for the running of your forum.

9) This part is somewhat ambiguous at the moment. Even the ICO has contradicting guidance on it. The implication is that if a user requests it, you provide them with a copy of the data they have provided you. There is no common agreement on the format or schema, or on what use it may be, particularly on websites whose signups may collect very basic data. Most likely a tool to simply give users their profile account data in a CSV file will be used.

What's the TL;DR?
If you don't move any data outside of XenForo, and just run your site on the XenForo platform, then you have little to worry about, as the email options and site mailing options are all built in to the standards deemed acceptable.

You will need the cookie popup, plus a page explaining what the cookies do and how they can be removed.

If you have a 1 account per person policy, you can claim legitimate interest to refuse deleting members' accounts. The same can be said for posts made on your forum.

No question! From Official XenForo Resource Author ONLY!