That's not an ideal answer, but... uh, ultimately not a strictly incriminating one, I guess?
Since you said you're asking to figure out how to act yourself (though in that case I would argue this is a T&I thread, not S&C), I'll briefly elaborate on the things that matter:
First of all, let's consider what personal data a forum like ours collects. The most obvious examples are IP addresses (linked to individual posts) and e-mail addresses. There is also data collected by Google Analytics and actual posts. To be compliant with the GDPR, each of these should be justified with a lawful basis. In our case, those could be:
- IP addresses: compliance with legal requirements (if for some reason Interpol asked us for Intikam's IP address history, we'd be obliged to comply, and thus we must store it), but also the nebulous legitimate interests clause. A forum like ours needs to be able to employ some measure of restricting abusive users, and IP addresses are a good way of doing that. An individual could object to us storing this data, but they'd have to provide a good reason for their data protection to override our legitimate interest.
- E-mail address: again, this falls under legitimate interests - bans, password reminders, etc. We have a decent enough reason to store your e-mail address, and while as an individual you can make a case to object, we're not under any immediate threat.
- Google Analytics - we should do a better job at disclosing that Google Analytics is active on the website, but the standards of pseudonymisation used by Google are sufficient to be acceptable under the GDPR, so long as we don't send them any data we shouldn't be passing along. Again, an individual has the right to object, yadda yadda. Once again, we can claim legitimate interest, since this information enables us to better cater our media activity to the demographics that visit us, and our GA setup is fairly minimalist.
- Posts - the most obvious of legitimate interests. It's the forum's literal purpose. As always, a user can object to their data being stored, but in this instance this would trigger an immediate removal of their account and all associated posts, for obvious reasons.
Ultimately, the thing to remember is that the GDPR is there to protect the user, but not beyond the realms of reason. As long as the data we collect is proportionate and measured to the goals we want to achieve, there is nothing to worry about.
More information about those LI words I keep using:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/