GDPR Prinicpal 5 - How to delete data after storage period expires

Guys, as you probably know, GDPR Principle 5 requires that we

• review the length of time we keep personal data;
  consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
  securely delete information that is no longer needed for this purpose or these purposes; and
  update, archive or securely delete information if it goes out of date.

In our case we are mandated to delete lapsed subscribers (disabled subscribers) after 3 years.

How would be the best to automatically achieve that? We currenly have hundreds of disbaled subscribers on file form years back.

Is or has Community Builder Dev taken a position to provide capabilities specifically relating to GDPR - given that's it's the law in all European Economic Areas, Norway and Iceland, and for anyone that holds EU citizen data, it would be much easier to have this as a standard function in CB rather than having to write scripts etc., which for me in any case is not that easy.

My apology if I missed directive you've already issued.

Filter CB > User Management then mass-delete would be fastest way to do this manually. You can automate user deletion I suppose using CB Auto Actions, but I don't recommend automating such an operation as if not done 110% correctly could result in accidental deletion of active users.

Is or has Community Builder Dev taken a position to provide capabilities specifically relating to GDPR - given that's it's the law in all European Economic Areas, Norway and Iceland, and for anyone that holds EU citizen data, it would be much easier to have this as a standard function in CB rather than having to write scripts etc., which for me in any case is not that easy.

Folks, please understand GDPR is not a problem for CB to solve. It is an individual problem you must solve for your own site. We provide tools to be compliant, at least in a manual way, we've no plans to hardcode in a "1 button GDPR compliant" feature; that would be impossible. GDPR needs to be evaluated on a per-site basis and per-country basis as these laws don't apply to everyone.

To clarify what I mean by this is you need to evaluate your need for compliance based off what you collect, for what purpose, and from whom. This makes it a problem for you to solve based off the needs of your site. CB it self is simply a tool and will provide tools to help with compliance, but we can not meet every per-site usage needs like data lifetime which is entirely based off the services rendered by the site it self.

We will be providing a Joomla plugin, for free, to integrate with Joomla 3.9 core privacy extension meant to tackle this very thing when possible. CB Privacy it self can allow users to delete themselves, secure their data via privacy controls, and eventually will have a easy export feature built in.

Guys

Folks, please understand GDPR is not a problem for CB to solve. It is an individual problem you must solve for your own site. We provide tools to be compliant, at least in a manual way, we've no plans to hardcode in a "1 button GDPR compliant" feature; that would be impossible. GDPR needs to be evaluated on a per-site basis and per-country basis as these laws don't apply to everyone.

I think this is where you are wrong - these laws apply GLOBALLY to anyone who prcoesses EU citizen's data. I have received GDPR updates from literally tens of Joomla Component, template and extension manufacturers, and I work for a software company as well and we updated our software to help our clients be GDPR complaiant. Its one of the biggest privacy laws ever to come into effect, so if you think that basically your European clients are not imporant enough to provide some automated capabilities to for a major law that affects how we deal with data, and which CB IS ALL ABOUT, then its a bit sad really.

As an example one of our suppliers, J2Store (shopping cart for Joomla) - issued as special GDPR APP that when uploaded (optional) makes it so easy to handle GDPR access requests, allows users to delete their data etc. which made our life very simple and us much esaier to comply.

I would appreciate you rethink this. I'm not being difficult, just practical, and if you are expecting all your affected clients to each do their own manual prcoessing, and struggle on their own, then maybe it sends a strong message to us about how valuable we are or not to you.

so if you think that basically your European clients are not imporant enough to provide some automated capabilities to for a major law that affects how we deal with data, and which CB IS ALL ABOUT, then its a bit sad really.

That is not what I'm saying at all. We already provide the functionality to partially automate GDPR compliance and manual processes for the rest. We don't have a means of automating deleting users off a schedule and never will as it's far too dangerous to do. We have to weigh the pros and cons of implementing stuff like that. The big con is thousands of our users slamming support because they accidentally purged their entire database of user data.

As an example one of our suppliers, J2Store (shopping cart for Joomla) - issued as special GDPR APP that when uploaded (optional) makes it so easy to handle GDPR access requests, allows users to delete their data etc. which made our life very simple and us much esaier to comply.

Users can already delete themselves using CB Privacy and Joomla 3.9 privacy component will also allow this, which again we will integrate with. CB Privacy will also eventually allow a user to 1 click export their data, which again Joomla 3.9 privacy component will allow for this as well.

I would appreciate you rethink this. I'm not being difficult, just practical, and if you are expecting all your affected clients to each do their own manual prcoessing, and struggle on their own, then maybe it sends a strong message to us about how valuable we are or not to you.

As said in my previous reply we will be integrating with Joomlas core privacy component meant to centralize handling of GDPR compliance. I see no reason for us to specifically design a plugin to handle this when we, and everyone else, should be integrating directly with Joomlas core component for handling this. This provides a centralized hub for GDPR compliance instead of a dozen per-component implementations, which ironically goes against GDPR as it needs to be easily accessible.

Thanks for the clarifications, lets leave it there.

Having worked with a team of top international lawyers on this for my own company around the effect and enforcibility of the regulations on our global company, I would be a bit less hasty to say it cannot be enforced globally, of course it can, its called "international law". Anyone with a google browser can start looking this up. here is one opinion: blog.returnpath.com/gdpr-impact-for-non-eu-companies/

The failure of someone in a non-European country to comply could lead to a lawsuit against them in Europe and a seizure of their European assets (and the person's assets in any of the many other countries in the world, including the USA, that recognizes the judgments of European courts), and might, in general put that person in a position of complying with European laws and court judgments, or not having any practical ability to do business with Europeans at all.

Have added some clarification to my original reply to help avoid some confusion. I'll be working on a blog on how to be GDPR compliant with CB and the products it offers. I'll provide instructions for those that are subscribers and those that are not, which will hopefully ease the process. Please keep in mind automation is not a requirement of GDPR and while we will provide as much automation as reasonably possible some things will have to be done manually (e.g. article 5 clause 1e is all about not keeping data longer than necessary; it's not possible for us to determine this for you, but tools are available to purge said data as needed).