Joomla GDPR/Compliance Team - April Update
The Joomla GDPR/Compliance Team has spent the past weeks working towards General Data Protection Regulation (GDPR) compliance in advance of the May 25th 2018 deadline.
Here is a quick summary of what has been done and what is still ongoing.
Joomla and GDPR: a Single Sign On (SSO) solution
With the upcoming changes in privacy laws and the GDPR coming into effect, we had to do something about our Joomla properties. The Joomla properties are the websites we all use, like the Extension Directory, Volunteer Portal, etc.
The first step is to consolidate all the data we have in all these 30+ sites. This means we bring all the data to a single Identity site where we can manage all our profiles. The result will be that we only need to document and manage one site with all sensitive data. One place to manage your Joomla profile.
All Joomla.org sites will use the identity provider to authenticate logins; this is done through Single Sign On. Another advantage is that our users will need only one login for all the Joomla properties instead of a username and password for each site.
The identity site will contain the consents that are required to make use of a Joomla site. Using the consents we can track who has given consent for what and when.
Currently we have the Single Sign On working, and are now working on implementing the exchange of data and consents to the Joomla properties. Once that is done we can start looking at the data migration to the identity site.
The view to edit the user profile on the Identity website is ready too.
Consent Management System
Another crucial part of the solution is the Consent Management System, also known as the Identity Manager: a place where we can manage and track all the consents from the users.
The Identity Manager will allow us to define which data fields are needed by each property and use different/specific consent statements for each usage of data. Consent statements will be added for each field used/transferred to the endpoint property.
After the first login to a property, users will be shown a window where they can give their consent to authorize the transfer of data to the website they're trying to visit.
The Identity Manager will also track any changes in consents or in the data managed by each property, seeking consent from users when new data or a new consent is needed.
From the Identity Manager users will be able to check their consents and can withdraw any of them at any time.
The team has also been busy working on articles to make the Community aware of the needed changes and the impact of the new Regulation. Several articles have been published in the Joomla Community Magazine by Alberto Nutricati, Achilleas Papageorgiou and Reino Koho.
Furthermore, a public channel dedicated to GDPR is available on Glip, where people from inside and outside the Joomla sphere discuss interesting themes and questions regarding the GDPR. If you want to access this channel, please contact any of the Compliance Team members. If you have already been added to the Joomla organization in Glip, you can find the channel in the list of public channels there.
Assessment and next steps
The team engaged the Webmasters Team to complete the assessment of the Joomla.org properties, checking which data are collected and processed.
Based on the assessment results, the team will identify any gaps and suggest the actions to be taken to progress towards compliance.
The assessments will also be the main source for developing the consent statements that will be added to the Identity Manager.
The Compliance Team onboarded new volunteers: Reino Koho, Brendon McLoughlin and Sandra Decoux.
The team is looking for volunteers for the following roles:
- Data Protection Experts
The team would like to thank Wilco for all his efforts, dedication and support as Team Leader so far. As Wilco is stepping down as team leader, we are now actively looking for a new team leader.
Anyone interested in volunteering for any of the above-mentioned roles should write an email to email@example.com.