One element of GDPR compliance is "purpose limitation":

"Personal data must be collected for specified, explicit and legitimate purposes, which
are determined at the time of the collection of the personal data.

Therefore, personal data that is not required by an organisation should not be collected and therefore should not visible on the Moodle profile form.

Currently, by default, the following personal information is asked for on every Moodle profile form out of the box. And there appears to be no way to remove these fields from the Moodle profile form - without using CSS to hide the fields:

• Phone
• Mobile phone - may be relevant  for universities with the SMS feature coming in.
• Address

Even if CSS is applied to hide the input fields, the data already submitted will still be available in the database.

For new installs - can we remove these fields from the default profile form fields and allow organisations that need these to add these fields themselves using the existing custom field functionality?

For existing Moodle installs - Changing to this would require migrating any default form fields that already contain information to custom form fields during the upgrade. However, once these fields are custom fields they could then be removed by institutions who don't require this information. Enabling them to more easily adhere to GDPR guidelines without needing technical expertise to do so - e.g. applying CSS and direct database data modifications.