By Luca Marzo on 2018-01-21 16:12 in Compliance Team

This Sprint of the Joomla! Compliance Team has been held on January 20 and 21 at Cologne, Germany.

Participants

In attendance: Wilco Alsemgeest, Luca Marzo, Roland Dalmulder, Yves Hoppe, Sander Potjer.

Discussion outline

  • Team defined the roadmap for the GDPR milestones.

  • Team defined the technical requirements for the identity management platform.

  • Sander visualized the structure of Identity Platform: https://goo.gl/7WMtf5

  • Identity DNS setup has been fixed.

  • Identity.joomla.org will be the central place where to manage users profile and the entry point for centralized login.

  • Other properties will store anonymized users information.

  • Code will be hosted on a private repository on GitHub under the Joomla organization.

  • Luca prepared the list of third-party Data Processors currently used: https://goo.gl/3PyLru

  • Several custom components will be developed: API backend management system, Data Management Component (Identity Management System - IdMS), API, API Client.

  • Roland developed the Identity Provider and Service Provider for the Single Sign On (SSO).

  • Yves is working on a pull request to the Joomla CMS core to add an event when the user is loaded. This event will be extensively used by the API client while fetching data from the IdMS platform.

  • Wilco worked on the identity website configuration.

  • SSO system is already up and running on identity.joomla.org.

  • SSO has been deployed to a real Joomla.org property and tests have been conducted successfully.

  • Sander prepared a Proof of Concept of the data fetching system from API.

  • The following properties will be excluded from the first wave of the SSO/IdMS implementation: Extension Directory, Forum, Resource Directory, Showcase Directory, Template Directory, Documentation. Data will be mapped anyway to prepare the SSO/IdMS system for the second wave of implementation.

  • Properties’ backups will not contain personal data. Backup of the IdMS will be kept within the European Union.

  • A minimum subset of data will be shared with all the properties (including Full Name, Email address) to allow login across all the properties. The related consent statement will be specific to the login feature.

Action items open

  • Adjust the Global Privacy Policy to include all the purposes and specific policies (including tools like Glip, GSuite).

  • Collect Data Processing Addendums (DPAs) from all the Third-Party Processors.

  • Consultants in Compliance Team will prepare an Article for the Joomla Community Magazine to explain the Community what are personal data.

  • Each property will be assessed to see which data is managed and who has access.

  • Sander will bring a spreadsheet to the next Operations Department Meeting to assess all the properties’ extensions in which personal data are managed.

  • Wilco will work on the design of the Identity website.

  • Map all the fields needed by each property and define the complete field subset to be implemented into the IdMS.

  • Wilco will work on merging users and emails data from all properties (At least from members listed in the Volunteers Portal) and find a migration path which is as automated to the data component. Final migration as late as possible.

  • Prepare Consent statements for each subset of data needed by the properties.

  • Prepare the Emergency Procedure Document for emergency cases (e.g. Data Breach).

Timeline

  • January 20, 2018 - Requirements definition.

  • January 21, 2018 - Single Sign On development completion.

  • January 28, 2018 - Complete extensions list used by properties to manage personal data.

  • January 28, 2018 - Introduction to personal data article for the Joomla! Community Magazine.

  • January 31, 2018 - List of data needed by each property and purpose of collection.

  • February 15, 2018 - Consent statements drafting / Legal Review Start.

  • March 31, 2018 - Consent Management System ready.

  • March 31, 2018 - Consent statements ready and published in the Identity Platform.

  • April 30, 2018 - Test of the complete Data Management Platform.

  • April 30, 2018 - Update of the General Privacy Policy.

  • April 30, 2018 - Notification to all users seeking consent.

  • May 15, 2018 - Users will be able to login using the SSO and manage their profile in the IdMS.

  • May 25, 2018 - GDPR becomes effective.

 

Notice: Attendees of this Sprint gave their consent to publish their full name in this report.

The Joomla Compliance Team would like to thank David Jardin who allowed us to use his office and Rowan Hoskyns-Abrahall who helped with all the organization logistics.