Data retention/GDPR

Hey everyone,

First time posting here, though I’ve been what we’d all call a ‘lurker’ for a little while now. It’s great to see so many people sharing their experiences and solutions!

My question is around a current challenge we’re facing - data retention and GDPR! The exciting stuff!

We’re a support forum and so the majority of posts are emotional support/expressions of emotion. It therefore feels unethical in some senses to delete/archive these posts after what is effectively an arbitrary number of years. But of course, we want to be compliant.

My question really is around best practice. What do other communities do with their forum data? Do you archive it after a certain amount of time? Do you delete it?

Any help would be much appreciated!

Best wishes,

lenstar

Hi lenstar! As far as I know, GDPR doesn’t mandate purging data arbitrarily…it’s more about providing a means for your members to request deletion of their account and/or data. Typically, it’s more the tech support forums that periodically archive out of date content (because it confuses people using newer versions of software, etc.). Emotional or physical support forums would seem to me to be a case where you might just leave it alone unless someone requests deletion. (Caveat is if you’re paying higher fees to retain old data.)

1 Like

Hey rhogroupee!

Thanks for that. Yes absolutely! I think maybe I’ve been a little unclear - data that we retain about our members (any personal data that’s linked up to our CRM for example) or data that people request to be deleted is fine!

It’s more that we’re receiving guidance from our Info Gov team which is saying we need to delete posts etc on the public forum from beyond a certain amount of years. This is what I was saying felt arbitrary - I’m trying to distinguish why posts/blogs are subject to the same rules and regs around personal data/member data which we retain (which definitely should be purged and compliant) as that just doesn’t seem right to me? I don’t think we can justify deleting someone’s posts just because they’re X years old.

I hope I’ve explained myself a little better!

Best wishes,

lenstar

That does sound like a policy decision to apply an arbitrary best before date just to remove stock from the shelves.

The threshold does not appear to be based on any of the normal attributes for considering GDPR: the purpose of the support forum; the attributes of the user; requests by the users themselves; the context of the data; or the data content itself.

FYI, if the intention of the policy is only to hide the data from public view then that is very different than deleting it. The latter could be thwarted by, for example, Discourse software where data is only soft deleted ie deleting a post hides it as if it is deleted but the data is still retained in the database.

@remah is correct. There is no GDPR requirement to delete data unless a user specifically requests it. Even then you don’t have to delete – you can just anonymise.

Be very very careful about listening to GDPR “requirements”. They are almost always not based on fact.

1 Like