Privacy and GDPR are among the most important issues for web developers, users, businesses, and governments. This presentation introduces important requirements a web developer should take into account in order to ensure the privacy of their application's users. In addition, it gives examples of how Joomla! contributes in this direction.
Privacy: a fundamental feature in web application development, at JoomlaTalks 2019 (Athens, Greece), https://joomlatalks.gr/en/
Privacy: a fundamental feature in web application development
2. Intro
Privacy and why it matters
Personal data protection
GDPR requirements
Key points on the path to compliance
How to adapt your development actions & efforts
The Joomla! 3.9 Privacy Tool Suite and its great features
The Joomla! Compliance team (scope and goals)
3. Alkaios
MSc student in Distributed Systems, Security and Emerging Information Technologies, University of Piraeus
Software Developer in idcs, Business Unit of Intelligent Media LTD
Member of Compliance Team in Joomla!
NOT a lawyer!
4. Achilleas
PhD candidate in Personalized Health Services & Privacy, University of Piraeus
Researcher at the EU H2020 OPERANDO Project (GA no. 653704)
Head of Digital Strategy in idcs, Business Unit of Intelligent Media LTD
Leader of Compliance Team in Joomla! (July 2018 - now)
NOT a lawyer!
5. Members of the Joomla! Compliance team
The Project has to evaluate the impact of privacy-related regulations, such as GDPR, and update its privacy policy and internal processes accordingly.
This is about Open Source Matters Inc. (OSM), the not-for-profit organization that supports the Joomla! Project, not the CMS.
https://volunteers.joomla.org/teams/compliance-team
Definitely NOT an easy task!
8. GDPR - The post-25/05/2018 era
Do you choose Panic?
KEEP CALM AND TAKE ACTION
Do you choose Apathy?
9. GDPR: A game changer in privacy
Definitions of Controllers, Processors, Joint Controllers
Responsibilities, roles and the DPO role
Upfront consent, lawful basis consent, implicit vs explicit consent
Specified advanced data subject rights - Chapter 3, Articles 12 to 23
Right to be forgotten and Retention periods - Article 17
Data Protection Impact Assessment (DPIA) - Article 35
Security measures - Article 32
Data breaches and administrative fines - Article 83
10. What is Personal data...
...and where can you spot them
https://ec.europa.eu/justice/smedataprotect/index_en.htm
11. Map personal data flows
Forms
Cookies
DBs
APIs
Emails
Data entry points
Data processing
Data storage
12. Privacy risks
We are witnessing the phenomenon of the development of an online heaven of personal data sharing that can be potentially transformed to a personal hell for any individual or company
Papageorgiou, A., GDPR Awareness: From privacy risks to the need for countermeasures,
https://magazine.joomla.org/issues/issue-mar-2018/item/3314-gdpr-awareness-from-privacy-risks-to-the-need-for-countermeasures
13. Privacy risks
GDPR & OWASP mapping on:
Top 10 Privacy Risks
owasp.org
Papageorgiou, A., GDPR Awareness: From privacy risks to the need for countermeasures,
https://magazine.joomla.org/issues/issue-mar-2018/item/3314-gdpr-awareness-from-privacy-risks-to-the-need-for-countermeasures
14. So, what is Privacy in Web development?
- A trend to be forgotten? (i.e. pop-ups that will be forgotten)
- A software extension? Many extensions together? (i.e. plug and play solutions)
- Is it only a legal area of practice? (i.e. it's all related to the legal text on site)
15. Define your role (GDPR based)
(Art. 4 of GDPR)
Data Controller:
Controls the data flow of a service
Determines the purposes and means of the processing of personal data
Data Processor:
Processes the data on behalf of this data flow
Processes personal data on behalf of the controller
16. Controller & Processor
Controller Examples:
An owned and self-hosted website
An owner of a service that uses third party software
Processor Examples:
Automated Mailing Company that sends newsletters
A third party form SaaS solution
A third party analytics service for websites
17. Privacy is related (not limited) to...
Personal data protection measures
Confidentiality (e.g. Encryption, Hashing, TLS, etc.)
Integrity (e.g. Action Logs, Data Isolation, Role-based Access, etc.)
Availability (e.g. Firewall, DDoS prevention, IDS/IPS, Backup, etc.)
Responsible, transparent and secure data management
Collaboration between all involved parties (1st party, 3rd party services, etc)
18. User rights
The Right to Be Informed
The Right of Access
The Right to Rectification
The Right to Erasure
The Right to Restrict Processing
The Right to Data Portability
The Right to Object
19. Retention policies
When processing the data is no longer necessary for the purpose for which they were collected, you must delete them (right to be forgotten)
20. Data minimization
Your users hold a lot of personal information, so make sure that you collect and process only what you need!
21. Privacy by default
Always make sure that your users' default settings are preset to the most private option (ensure freely given consents)
Koho, R., Privacy by default and GDPR, examples and best practises:
https://magazine.joomla.org/issues/issue-apr-2018/item/3318-privacy-by-default-and-gdpr-examples-and-best-practises
22. Privacy by design
Align your project methodologies and internal procedures with privacy & security standards
23. How Joomla! CMS assists the whole script
- Privacy Tool Suite, introduced in Joomla! 3.9 thanks to the huge work done by Michael Babker (Release Lead) and all the other volunteers who coded, tested & translated https://www.joomla.org/3/thank-you
- Action User Logs
- Consent Management
- Personal Data Edit and Management (right to rectification)
- Export all of a user's personal data to a valid and machine-readable format (right to data portability)
- Anonymize all of a user's data and, by extension, delete them (right to be forgotten)
24. Plugin Configuration
Enable and set up the Privacy System Plugin. If the user does not want to give consent, they will be redirected to the Profile Editing section
32. Remove & Export Requests
Based on the right to be forgotten and the right to portability, choose whether to export or remove your user's data (always according to their request!)
33. Remove Request
Send a confirmation email to your user with a unique 24-hour token bound to the request and the email address
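One way to implement such a confirmation token, as an added example that is not Joomla!'s own code and not part of the presentation: the token is random, expires after 24 hours, is valid only for the request and email address it was issued for, and can be used once. The function names, the record layout and the sample values are assumptions.

```php
<?php
declare(strict_types=1);

const TOKEN_TTL = 86400; // 24 hours, as stated on the slide

// Hypothetical helper: one digest over request id, normalised email and token,
// so the token is only valid for the request and address it was issued for.
function bindingHash(int $requestId, string $email, string $token): string
{
    return hash('sha256', $requestId . '|' . strtolower(trim($email)) . '|' . $token);
}

// Returns [record to store, token to put in the confirmation email].
function issueConfirmation(int $requestId, string $email, string $type, int $now): array
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $record = [
        'id'         => $requestId,
        'type'       => $type, // 'remove' or 'export'
        'status'     => 'pending',
        // Only the digest is stored; a leaked table does not reveal usable tokens.
        'token_hash' => bindingHash($requestId, $email, $token),
        'expires_at' => $now + TOKEN_TTL,
    ];
    return [$record, $token];
}

// Returns the confirmed record, or null when the token must be rejected.
function confirmRequest(array $record, string $email, string $token, int $now): ?array
{
    if ($record['status'] !== 'pending' || $now > $record['expires_at']) {
        return null; // already used, or older than 24 hours
    }
    // hash_equals() compares in constant time.
    if (!hash_equals($record['token_hash'], bindingHash($record['id'], $email, $token))) {
        return null; // wrong token, or token presented for another address/request
    }
    $record['status'] = 'confirmed';
    $record['token_hash'] = null; // single use
    return $record;
}

// Constructed sample data (request id, address and timestamp are made up).
$now = 1700000000;
[$request, $token] = issueConfirmation(42, 'User@example.org', 'remove', $now);
var_dump(confirmRequest($request, 'user@example.org', $token, $now + 3600) !== null);
var_dump(confirmRequest($request, 'other@example.org', $token, $now + 3600) !== null);
var_dump(confirmRequest($request, 'user@example.org', $token, $now + TOKEN_TTL + 1) !== null);
```

The three calls at the end exercise the accepted case, a token presented with a different email address, and a token presented after the 24-hour window.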
35. Remove Request
Once the request is confirmed, we can proceed to the deletion of the user and mark the request as completed:
36. Remove Request
Once the request is completed, we can take a look at our user's information
37. Export Request
The process for the Export Request is almost the same as described for the Remove Request. The only difference is that we can either download the user's data or send it to the user's email as an attachment. Both choices produce an XML file (machine-readable format) with all the required information.
38. Export Request XML
All of the user's Personal Data are exported in XML format, including:
Personal Information
User ID
Registration Date
Last Visit Date
Account Parameters
User Custom Fields
User's Action Log
40. Remove & Export Requests
Set up a date plan as a reminder for pending requests to be considered urgent
41. Download it and adapt your compliance plan
https://downloads.joomla.org/
42. Some words about the Compliance team
Main focus on the joomla.org/OSM properties
Weekly meetings
Task priority and severity, evaluated using the Eisenhower Matrix
GDPR requirements mapping & web properties assessment
Members from Italy, France, Germany, The Netherlands, Finland, UK, Greece
The most important thing that keeps us focused & productive: we love Joomla & we are having fun! :D
43. Third parties & DPAs
SSO & Identity Management System
Cookie audit & policies
Backup Policy
Incident Response Plan
Articles in Joomla Community Magazine
& more!
Joomla! Compliance current team & tasks
https://volunteers.joomla.org/teams/compliance-team
44. Cross-CMS privacy coalition and Joomla!
Members from:
Drupal,
WordPress,
TYPO3,
Umbraco CMS
and of course...
Joomla! Compliance Team members are collaborating in weekly meetings!