Apr 05 2019
Apr 05

Note this is a copy of page: https://joomla.github.io/cross-cms-compliance/drupalprivacyandcrosscmsgroup

Background

At this point in the history of the open web, privacy is arguably the key issue in software development. As a range of scandals arising from the misuse of data bring pressure on governments and civil society to take action, it is important for software projects - including Drupal - to take proactive steps to value, resource, and support privacy work.

To date, the Drupal project has largely been reliant on the community to take the lead on privacy work. Development initiatives on privacy issues have mostly centred around contributed modules to implement privacy standards required by the EU’s GDPR privacy legislation.

The status of Drupal’s work on privacy was discussed at great length at Drupal Europe last year with members of the WordPress and Joomla communities, as well as a variety of community members in Drupal who are continuing to focus on privacy beyond GDPR.

As a result, we created the Cross-CMS privacy group, where participants from a number of open source CMSes learn from each other and work to bring our respective software ecosystems towards a common open standards and principles.

For DrupalCon Seattle we would like to present a core privacy initiative that will bring together some of the existing work in contrib as well as the efforts of the others in the cross-CMS group.

Cross-CMS Privacy Group

We have representatives from the communities of Drupal, Joomla, WordPress and Umbraco meeting regularly on Wednesdays at 2-3pm UTC. It’s only been a few months, but we feel that we’ve achieved quite a bit. We’ve managed to stick to our weekly meetings and found that everyone involved has a passion for privacy generally, not just compliance with a specific set of laws.

We’ve found that although our software and community ecosystems are different, we’ve had to encounter the same set of problems - we’ve just handled things in differing ways. Different CMS’ have focused on different areas, which gives us much to learn from each other. For example, WordPress has done a great deal of work on privacy policies, whilst Joomla has fantastic export and import tools for site admins to manage, Umbraco has put a lot of effort into a Consent API, data export and handling of sensitive data fields.

We have already achieved a number of deliverables since beginning:

  • We’ve been working towards a common understanding of how software projects should define privacy that has been influenced by GDPR but aims to go further than mere compliance here: https://github.com/webdevlaw/open-source-privacy-standards (Special thanks to Heather from the WordPress team)

  • We’ve created a repository for posting minutes, and been producing them weekly here (Special thanks to the Joomla! Team especially Luca and Achilleas): https://github.com/joomla/cross-cms-compliance

  • We’ve created a structure for auditing software extensions that could be used by a Drupal privacy team to audit common modules here : https://github.com/joomla/cross-cms-compliance/blob/master/audit-your-software-extension.md

  • We have begun discussing unified standards for file formats for data portability exports and imports, so that users could, in theory, move their data between sites regardless of CMS

  • We’ve created some internal documents comparing the features of our CMSes with the aim to produce a common blueprint for how software best handles user data and privacy tools. We’ve been compiling some legal examples of times when fines have happened and are working together towards a common goal.

General Points on Privacy

Through our conversations we have become convinced that privacy is no longer just a legal requirement but one of ethical importance. We know that giving users the ability to control their own data, and having means to control their consent, isn’t just about avoiding the proverbial fine. As developers behind some of the largest CMSes in the world, we know that we cannot force website administrators to respect their users’ privacy, but we can at least make it so easy for them to do so that they will need a good reason to not enable these tools.

CMSes can often be the first point of processing an individual’s information. A recent discussion raised by Alan Mac Kenna from the Umbraco CMS community within the group centred on the need to be able to demonstrate accountability for processing not only based on consent, but for other ‘lawful bases’ also, enabling our platforms to become a key source of truth for realising accountability under data protection regulations.

However, putting aside the ethical imperative for privacy tools, there are a number of new legal privacy initiatives currently being worked on (which as of this writing include CCPA, the ePrivacy Regulation revamp, and the growing shape of the eventual US Federal privacy law). Therefore, especially for large organisations and enterprise, core functionality in databases and CMSes will likely be an incentive for future projects and funding.

We feel that the Cross-CMS group will assist their projects to value, resource, and support both the ethical reasons for caring about privacy as well as the business incentives for avoiding legal issues. The more we follow consistent design patterns, open standards, and proactive approaches to legislation, the more all of our clients, users and customers will be protected. Whilst other CMSes will never dictate what Drupal needs to do, we can always benefit from mutual learning and understanding.

We hope that as this initiative grows, we will be able to work in cooperation with regulatory bodies themselves to add further authority to the technical approaches we will take in our software.

Drupal Privacy Initiative Goals

We have a number of potential goals for a Drupal privacy initiative:

  • We want to have a clear roadmap of what features need to be in the Core of Drupal, so that other modules can extend that functionality, and what features can remain officially supported in Drupal.
  • An example is the tools for data erasure and “Right to be forgotten” could be an extension of the existing options given when a site admin cancels a user;
  • Whereas tools to make it easier to import user data from other CMSes could exist in contrib but using a data structure that the majority of major CMSes are using.
  • We want to define what we currently believe are the essential features required to improve a website’s handling of user data and privacy, including:
  • Functionality for logging consent or other legal basis for processing;
  • Functionality for handling the exporting and erasure of user data, taking into account that Drupal stores a lot of data in custom fields or other modules.
  • A privacy team-supported checklist, existing in contrib, to assist organisations in compliance and privacy issues outside of pure tech/code issues.
  • A privacy team which, like the security team, vets submitted modules to see how well they respect privacy requirements, as the WordPress Privacy team does. This could instead be more similar to how the accessibility team operates.
  • Potentially other features such as something like the legal module in core which would allow modules to submit wording for privacy policies, such as what cookies they used and how they handle user data.
  • Build upon the work Brainsum (Peter) and FreelyGive (Jamie or yautja_cetanu) have done on the GDPR module on drupal.org to bring the essential functionality into core where appropriate.
  • We want to create documentation within drupal.org to assist developers, site builders and site administrators alike in understanding the privacy issues which impact Drupal, including understanding what other software does.

Our Next Steps

We hope to follow this blog post up with some detailed presentations on the state of privacy tools in other CMSs with screenshots and a more detailed plan.

Currently the representatives of Drupal in the Cross-CMS Privacy Group are from two companies which worked on the /project/gdpr module and another individual who has worked on various encryption modules. We hope to open this up at Drupalcon Seattle.

Chris Teitzel is representing the initiative at Drupalcon Seattle. Many of the members of the working group are in Europe and while not in physical attendance, have pledged to make themselves available remotely for any discussions that are required and are willing to help in any way.

Chris hopes to bring together enough people to support this so an official initiative can be created.

In the long term we hope to secure funding for the group to cover travel and accommodation expenses for periodic in-person meetups and other directly relevant activities, such as conferences and workshops. We may also seek funding support for our time and labour contributing to opensource privacy, which is already a considerable commitment. We naturally must be careful to consider the values and ethics of any potential sponsors, particularly those which may have a mixed track record on privacy.

Apr 30 2018
Apr 30

By jamesabrahams · On Mon, 04/30/2018 - 09:13

[embedded content]

This is an introduction to the new GDPR module that we're working on. This is aimed for people who already have a good understanding of the GDPR and want a fast introduction to the features with little explaination.

We explore :

  • The GDPR field settings page that allow you to customise how each of the fields should function from a GDPR perspective, including various sanitiser for anonymising some fields.
  • How a user will request both rights to access and right to erasure.
  • A Tasks page for staff to process these requests.
  • GDPR consent fields, the ability to write both explicit and implicit consent policies and how to attach them to a form.
  • Finally we explore some of the future features we are working on such as backup and restore and better handling of data exports.
  • Links:

  • https://www.drupal.org/u/yautja_cetanu - (Me, James Abrahams @ Freely Give)
  • https://www.drupal.org/project/gdpr - The module that we are FreelyGive have built in collaboration with BRAINSUM.
Mar 07 2018
Mar 07

This is our first blog post in a while and after chatting to a few people at the recent Drupalcamp London I thought it would be good to push for more blogs posts as it seems like there is a great deal of work we handle that the Drupal community probably needs to talk about a bit more.

We at Freely Give have been working on native Drupal CRM for a great many years now. We have finally gotten some budget to migrate our work to Drupal 8. I'll talk a bit more about what that means in a later blog post. But the reason many of our clients have wanted this migrate is to get them ready for GDPR.

As a result we have both gotten the budget for and planned for a great deal of working making Drupal much more GDPR compliant. We are planning a series of functionality that will likely find its way into the gdpr module on drupal.org. As a result in the next days and weeks I will be writing up a few blog posts on a number of issues:

  • A summary of a white paper we'll produce showing our overall GDPR implementation strategy. Obviously it comes with the disclaimer that this is just our research and we are not lawyers but it is the document we have shown to a number of our clients and so it will likely be useful for organisations just starting to think about GDPR (despite it being only months away!). I hope we'll get some input and comments on this, as I'm sure there are individuals in the Drupal community that have a take on certain aspects of this that differs from ours.
  • An overview of the specific plans we have for our contribution to the GDPR module itself. This will be more techy and aimed at the specific Drupal pages and code we plan.
  • A series of more detailed looks into specific areas of GDPR
  • How this impacts native Drupal CRM.

I hope this content will be helpful for pushing Drupal forward with this coming legalisation!

About Drupal Sun

Drupal Sun is an Evolving Web project. It allows you to:

  • Do full-text search on all the articles in Drupal Planet (thanks to Apache Solr)
  • Facet based on tags, author, or feed
  • Flip through articles quickly (with j/k or arrow keys) to find what you're interested in
  • View the entire article text inline, or in the context of the site where it was created

See the blog post at Evolving Web

Evolving Web