In 2018, the EU GDPR (General Data Protection Regulation) took effect. Since then, many community managers have been trying to understand how to comply with the new European privacy regulation. Further from there, whether there have been other changes to note since Brexit officially took place.  

When the UK formally left the EU in early 2020, what changed? The UK is no longer subject to EU GDPR but, in place, has the UK Data Protection Act (2018) which was designed to be read in conjunction with EU law. 

As the UK transitions out of the EU, there is a temporary trade deal in place, “the bridge”, until June 2021. In terms of data protection, there is still a free flow of information between the EU and the UK until then. After that, if you receive information from the European Economic Area (EEA), the ICO recommends “you put alternative safeguards in place before the end of April”. 

If you run a customer community forum, you might have some outstanding questions about GDPR and the UK Data Protection Act (DPA 2018).

Please note that we are not lawyers and these are new laws that have not yet been interpreted by the courts, so some of the rules remain a bit ambiguous. You should consult with your corporate legal department about data privacy questions.

GDPR and Community Forums

Q: I know nothing about GDPR, where should I start?  

A: There is quite a lot of information available about GDPR online. Simply, GDPR is a European law based on a few key principles around personal data handling and almost all of them make good common sense. The good news is that most customer community forums – in isolation – don’t contain a lot of personal data.  How the data is being processed is straightforward and well understood by the community members.

Q: Do I need to care about GDPR if my company is not in Europe?

A: Yes, the law covers the data of EU citizens regardless of where the data is being processed. If your community has a global reach (it probably does) and you want to do business in the EU, you should comply.  Protecting your customers’ data privacy, no matter where they are, is probably a good idea anyway. And, by the way, the law imposes hefty fines up to 4% of your annual revenue!

Q: Is there differences between UK and EU law I should understand?

A: If you operate inside the UK, the DPA 2018 applies to you. Specifications from the EU GDPR were incorporated into UK law in the form of the UK GDPR which works in conjunction with the DPA 2018: implementing a UK-only context was basically the only amendment. The principles, rights, and obligations in the UK GDPR have little change in practice.  

 

Q: I use cloud (SaaS) community forum software, am I responsible for GDPR compliance or is the vendor?  

A: The GDPR defines you as the ‘data controller’, i.e the organisation that is collecting personal data, and your forum vendor is a ‘data processor’.  As the controller, you are responsible for ensuring that downstream processors and sub-processors assert their compliance. Many companies are putting in place Data Processing Agreements with vendors. These agreements outline the responsibilities of both parties and outline the data protection measures put in place by the vendor.       

Q: What kind of personal data would be recorded by a community forum?

A: The data that you might have about someone includes basic data such as the name and email address that was shared at time of registration, but it also includes data that you have inferred about someone such as their IP address. Some community forums ask for additional info to be added to the member profile.  Be especially careful if you are asking for ‘sensitive’ data like political affiliation or sexual orientation.

Q: What do I need to do to make my community forum compliant with the GDPR?

A: The GDPR includes the following key requirements:

1. Consent: You need explicit consent and you need to clearly inform people how you are going to use their personal data.  For example, if you are handing over your community member list to marketing to be used in various ad campaigns, you should let people know.

2. Right to be forgotten (right to erasure): If someone asks that you delete their personal data, in most cases, you’ll need to comply. (More on this in the next question below.)
   
3. Right to Access:  If someone asks you what personal data you have on them, you will need to provide an answer about what you have, how you’re using it, and be able to provide a copy of the data.

4. Data portability: The GDPR says that you will need to provide someone with a copy of their personal data in a format that is machine readable and that could be imported into another platform. We can’t imagine this being a frequent request but you should be able to produce a CSV or MySQL export of a user’s data.

5. Data security: You have an obligation to make sure that you are making reasonable efforts to keep data secure. Basic security measures include making sure your community forum is served over HTTPS and that data is stored and transferred securely. A commercial community forum provider will have put in place a raft of security measures that involve physical security, network security, application security and policies around data handling.

Q: Is user generated content (UGC) personal data? Is UCG subject to rules around data portability and erasure?  

A: This is a tricky one.  What if a member asks that you delete all their posts? What if those posts were valuable both to the community and your company? We feel that if the posts are stripped of identifying information ( for example the username and photo of the member), they do not need to be removed. The exception here is if the posts contain information that identifies the person that is requesting removal. That would also include posts with personal data about the requester that was posted by another member. You might consider laying out in your terms of use or privacy policy who owns UGC and what will be done if someone requests removal of posted content.

Vanilla and most other community forum vendors allow both deleting a member and all their posted content or deleting only the member profile and leaving in place the posts under an anonymized author name.

Q: Does the fact that I have a single sign-on (SSO) to my community matter?

A: If you use SSO, it means that personal data is being captured somewhere else, like on a website and then passed to the forum software. Something to consider doing is mapping your data flow so that you know of all the places a person’s data resides.

Q: Can I keep forum member personal data indefinitely?

A:  The GDPR says you should keep personal data no longer than is necessary for the purpose you obtained it.  It might be reasonable to argue that the data should be kept indefinitely since being a member of a community is not a time-limited task. However, it’s a good idea to periodically review personal data and consider securely deleting unneeded personal data. You might consider deleting member profiles that have been inactive for a very long time.  

 

Q: My community forum uses Facebook Connect to authenticate members, does that create a privacy risk?

A: Facebook has been in the news recently for its handling of user data. Facebook and other social media logins can make it easy for people to register to a community. When someone registers for  your community forum using Facebook, they are allowing Facebook to send over information about your new member and presumably Facebook is logging that transaction. From a compliance point of view, we would think that this is two separate actions and that you as the community manager are not responsible for someone’s use of Facebook to log in.  If you offer social logins, we would recommend that you also offer a registration form as well to give people the option.

Q: Do I have to re-opt in all my community members?  

A: No. You don’t need community members to re-confirm their registration to the community.  GDPR is prompting some companies to do a re-opt in for their email marketing lists to ensure that they have explicit consent. Even then, re-confirming email lists is only required if proper consent was not obtained at the time the emails were obtained. Consent can be reconfirmed when members return to the community.

Q: What if a banned user makes an erasure request to get removed from the ban list?

A: The GDPR includes the concept of ‘legitimate interests’  where you can retain data if it is in the interest of protecting individuals.  We believe a ban list would fall under legitimate interests.

 

Q: Does the GDPR require users to consent to the use of Cookies? How do forums use cookies?  

A: On some websites, you sometimes see a notification pop-up asking people to consent to the use of cookies. Those are there because of a different EU law about cookies.  The law says that you must get consent if you are using cookies to collect and store ‘non-essential’ information such as info that is used for targeting advertising. By default, the cookies used by forum software are the ‘essential’ kind that are used to keep people logged in, track analytics and so on and you need not get consent for using those cookies. With respect to GDPR, you need to know that that information in cookies could be used to identify the person and should be treated as personal information.  

 

Q: How can Vanilla help if I get a GDPR-related request?  

A: Vanilla has reviewed the GDPR requirements and we are highly confident that we will be able to comply with any request.  If you get a request and need our assistance, please contact customer support or your Customer Success Manager (CSM).

 

Q: What will Vanilla do if it receives a GDPR request related to my community?  

A: Our policy in this case is to immediately contact you with the details of the request.  As the data controller, we feel that the communications to the community member should come from you. We’ll be happy to assist you in any way we can.

Do you want to know more about building a community? Check out our eBook – it’s easier than you think!

 

Additional Reading

EU GDPR Website : https://www.eugdpr.org/

UK Data Protection Act Information: https://www.cookiebot.com/en/data-protection-act-2018/

Wikipedia: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

GDPR: data portability is a false promise: https://medium.com/mydata/gdpr-data-portability-is-a-false-promise-af460d35a629

Cookies Consent Under the GDPR: https://eugdprcompliant.com/cookies-consent-gdpr/

GDPR on Quora: https://www.quora.com/topic/General-Data-Protection-Regulation-GDPR