
Methodology and tools for Drupal sites GDPR compliance


Slides from my workshop "Methodology and tools for Drupal sites GDPR compliance" at Drupal Developer Days 2018 (July 5, 2018, Lisbon, Portugal) #DrupalDevDays

Fedir RYKHTIK

July 05, 2018

Transcript

  1. Methodology and tools for Drupal sites GDPR compliance
    Fedir RYKHTIK, @FedirFR (@AgenceStratis)
    July 05, 2018, Drupal Developer Days 2018, Lisbon, Portugal
  2. Thank you for your generous sponsorship of #DrupalDeveloperDays Lisbon
    Diamond Sponsor, Platinum Sponsors, Gold Sponsors
  3. Speaker info: Fedir RYKHTIK (@FedirFR)
    • CTO (3 y+)
    • Associate professor (3 y+)
    • Back-end developer (10 y+)
    • DevOps / SA (10 y+)
    • Interests: OSS architecture, DevOps on clouds, Security, Golang
  4. This workshop's structure
    • GDPR
    • Existing solutions in Drupal
    • Framework architecture
    • Practical part
  5. GDPR > Short introduction
    General Data Protection Regulation: aims primarily to give citizens and residents control over their personal data.
    • Date adopted: 14 April 2016
    • Applicable from: 25 May 2018
    • Number of articles: 99
  6. What is personal data (PD)?
    Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
  7. Examples of personal data (PD)
    • a name and surname;
    • an email address such as name.surname@company.com;
    • an Internet Protocol (IP) address;
    • a cookie ID;
    • the advertising identifier of your phone;
    • an identification card number;
    • a home address;
    • location data (for example the location data function on a mobile phone).
    https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en#examples-of-personal-data
  8. GDPR > Glossary
    • Personal Data (PD)
    • Data Subjects (DS) = visitors and users of your site / application
    • Data Controllers (DC) = you, your client
    • Data Processors (DP) = external newsletter system, delivery firm, ...
    • Supervisory Authorities (SA) = CNPD (Portugal), CNIL (France), AEPD (Spain), BfDI (Germany), Garante (Italy), ...
  9. GDPR > Main concepts
    • The user must explicitly accept that you may process their personal data
    • The user can change their mind (withdraw consent)
    • Only authorized persons may access user data
    • Data must not be stored forever
    • Personal data must be stored and transferred securely
    • Personal data can be exported from and/or removed from your service
    • Access to personal data should be logged
    • If you don't need it, don't ask for / collect / use it
    • In case of a security breach, notify the supervisory authority within 72 h (A33) and the affected users without undue delay when the breach is likely to put them at high risk (A34)
  10. GDPR > Rights of the data subject
    • Contacting the DPO (A12, A13)
    • Access (A15): personal data + details of the processing
    • Rectification (A16): update
    • Right to be forgotten (A17): erase data; data expiration TTL
    • Restriction of processing (A18): postpone data processing
    • Portability (A20): export data
    • Objection (A21): stop data processing
    • Not to be subject to automated decision-making (A22)
  11. GDPR > Additional requirements
    • Clean PD after usage (A5)
    • Minimisation of PD collection (A5)
    • Child's consent in relation to information society services (A8)
    • Protect access to private data (A25, A32)
    • Risk analysis (A35)
    • Notify if data leaks (A33, A34)
  12. Site case examples
    • Drupal.org
    • Site of a Christian young scouts association
    • Health forum
    • Tinder-like site
    • IoT web app for house control (video cameras, physical address)
    • PWA site of your town (with many permissions, e.g. taking photos, so not only access to PD but also creation of it)
  13. "Overview of GDPR modules for Drupal" talk by Balu Ertl and Dominika Péterova at DDD18
    Highest rated modules in different categories:
    • Rights of users: GDPR
    • Cookie control: GDPR consent
    • Form consents: GDPR
    • Anonymization: GDPR
    • 3rd parties: Blizz Vanisher, Cookiebot
    • Security: no module
    Full video: https://www.youtube.com/watch?v=2VLMWn-uH7c
  14. GDPR > Existing solutions for Drupal 8 & 7

    Module | Project key | Drupal 7 | Drupal 8 | Features | GDPR articles
    -------|-------------|----------|----------|----------|--------------
    GDPR AdSense User Consent | adsense_consent | Yes | - | Management of personalization of advertising for users | 6, 7
    Blizz Vanisher | blizz_vanisher | Yes | Yes | Cookie consent | 6, 7
    Commerce GDPR | commerce_gdpr | Yes | - | Right to be forgotten (manual and automatic) | 5, 17
    Cookie Content Blocker | cookie_content_blocker | Yes | - | Cookie consent | 6, 7
    Cookiebot - Cookie consent, Cookie monitoring and Cookie control | cookiebot | Yes | Yes | Cookie consent | 6, 7
    Cryptolog | cryptolog | Yes | Yes | IP anonymization | 5
    EU Cookie Compliance | eu_cookie_compliance | Yes | Yes | Cookie consent | 6, 7
    General Data Protection Regulation | gdpr | Yes | Yes | Checklist for site admin; Data processing consent; GDPR fields; DB dumps without PD; GDPR tasks | 6, 7, 18, 32
    General Data Protection Regulation Compliance | gdpr_compliance | - | Yes | Form checkboxes; Cookie consent; Policy page | 7, 13
    GDPR Consent | gdpr_consent | Yes | - | Data processing consent | 6, 7
    GDPR Export | gdpr_export | Yes | - | User's data portability | 20
    GDPR Form Compliance | gdpr_form_compliance | Yes | - | Data processing consent for forms | 7
    GDPR Tag Manager | gdpr_tag_manager | - | Yes | Cookie consent | 6, 7
    IP anonymize | ip_anon | Yes | Yes | IP anonymization | 5
    Mask User Data | mask_user_data | Yes | Yes | Data randomizer | 18, 32
    Scrambler | scrambler | Yes | - | Data randomizer | 18, 32

    Full statistics: https://goo.gl/xCaoWT
  15. gdpr - GDPR module
    • Checklist for site admin, incl. automated content, module and configuration discovery (e.g. cookie consent, check if there is a privacy policy page, etc.), displaying the current status on a progress bar and also placing a link on the status report page.
    • GDPR consent submodule (D8 only), which allows setting up "agreements" and tracking consent per user.
    • GDPR fields submodule (D8 only) to mark personal data at field level. Currently this serves only documentation purposes; handling of incoming requests, e.g. for deletion, will be done by the upcoming GDPR tasks submodule.
    • Drush command drush gdpr-sql-dump, with the primary goal of preventing developers from accessing sensitive personal data of site users by obfuscating configured fields in the SQL dumps. Under heavy development.
    • GDPR tasks submodule with various site management operations:
      ◦ Handle and track requests coming from users (data subjects).
      ◦ Allow users to initiate "forget me" and "export" actions with site administrators.
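The gdpr-sql-dump idea above (and the "GDPR DB dump (without PD)" item of the System slide later on) in working form, as an added example that is not the gdpr module's own code: a Go program that rewrites a mysqldump-style file so that columns marked as PD are replaced by keyed pseudonyms while every other table and value is left byte-for-byte intact. The table/column configuration (pdColumns), the column layout of users_field_data and the constructed sample dump are assumptions for illustration; on a real site the configuration would come from the module's field marking.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// pdColumns maps a table to the zero-based positions of its PD columns in
// mysqldump's VALUES tuples and the kind of value stored there.
// Assumed configuration; a real tool would derive it from gdpr_fields.
var pdColumns = map[string]map[int]string{
	"users_field_data": {1: "name", 2: "mail", 3: "mail"}, // assumed: (uid, name, mail, init, created)
	"contact_message":  {1: "mail", 2: "text"},            // assumed: (id, mail, message)
}

// Constructed sample dump: one PD table, one non-PD table, one form submission.
const sampleDump = "CREATE TABLE `users_field_data` (uid int, name varchar(60), mail varchar(254), init varchar(254), created int);\n" +
	"INSERT INTO `users_field_data` VALUES (0,'','',NULL,1530000000),(1,'admin','admin@example.org','admin@example.org',1530000001),(2,'Ana Silva','ana@example.org','ana@example.org',1530000002);\n" +
	"INSERT INTO `node_field_data` VALUES (1,'Welcome, everyone!',1);\n" +
	"INSERT INTO `contact_message` VALUES (7,'ana@example.org','I live at Rua das Flores, 12, Lisboa');"

var insertRe = regexp.MustCompile("^INSERT INTO `([^`]+)` VALUES (.*);$")

// splitTuples turns "(a,'b,c'),(d,NULL)" into rows of raw tokens, keeping the
// quotes and honouring backslash escapes as mysqldump emits them.
func splitTuples(s string) [][]string {
	var rows [][]string
	var row []string
	var tok strings.Builder
	inStr, depth := false, 0
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case inStr:
			tok.WriteByte(c)
			if c == '\\' && i+1 < len(s) {
				i++
				tok.WriteByte(s[i]) // escaped character, never a terminator
			} else if c == '\'' {
				inStr = false
			}
		case c == '\'':
			inStr = true
			tok.WriteByte(c)
		case c == '(':
			depth++
			row = nil
		case c == ')':
			depth--
			row = append(row, tok.String())
			tok.Reset()
			rows = append(rows, row)
		case c == ',' && depth == 1:
			row = append(row, tok.String())
			tok.Reset()
		case c == ',':
			// separator between tuples, nothing to keep
		default:
			tok.WriteByte(c)
		}
	}
	return rows
}

// pseudonym is a keyed, truncated HMAC of the raw token: equal inputs give
// equal outputs (joins keep working), but it cannot be inverted without the key.
func pseudonym(key []byte, raw string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(raw))
	return hex.EncodeToString(m.Sum(nil))[:12]
}

func replaceValue(kind, raw string, key []byte) string {
	if raw == "NULL" || raw == "''" {
		return raw // keep NULL/empty semantics, e.g. the anonymous user (uid 0)
	}
	p := pseudonym(key, raw)
	switch kind {
	case "mail":
		return "'" + p + "@example.invalid'"
	case "name":
		return "'user_" + p + "'"
	default:
		return "'[redacted]'"
	}
}

// SanitizeDump rewrites single-line INSERT statements of configured tables
// and returns every other line unchanged.
func SanitizeDump(dump string, key []byte) string {
	var out []string
	for _, line := range strings.Split(dump, "\n") {
		m := insertRe.FindStringSubmatch(line)
		if m == nil {
			out = append(out, line)
			continue
		}
		cols, ok := pdColumns[m[1]]
		if !ok {
			out = append(out, line)
			continue
		}
		var rendered []string
		for _, row := range splitTuples(m[2]) {
			for idx, kind := range cols {
				if idx < len(row) {
					row[idx] = replaceValue(kind, row[idx], key)
				}
			}
			rendered = append(rendered, "("+strings.Join(row, ",")+")")
		}
		out = append(out, fmt.Sprintf("INSERT INTO `%s` VALUES %s;", m[1], strings.Join(rendered, ",")))
	}
	return strings.Join(out, "\n")
}

func main() {
	fmt.Println(SanitizeDump(sampleDump, []byte("dev-dump-key-kept-out-of-the-dump")))
}
```

A keyed HMAC rather than a plain hash means the same e-mail yields the same pseudonym in users_field_data and in contact_message (uniqueness constraints and joins still hold in the developer copy) but cannot be confirmed by hashing a list of known addresses; the key must never travel with the dump. The script only handles the one-line extended INSERT format that mysqldump writes by default, and rows made only of NULL / empty values stay untouched so the sanitized site still boots.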
  16. gdpr - GDPR module > Dependencies
    • drupal/entity: unified way to deal with entities and their properties
    • drupal/message: the Message module is the core of the message stack. It enables logging and displaying system events in a number of different use cases. Events that are recorded over time are sometimes called activity streams. Exportable message subtypes can be created for different use cases with custom fields and display (view) modes
    • fzaninotto/faker: data anonymization
    • drupal/checklistapi: UI for modules to create fillable, persistent checklists that track progress with completion times and users
  17. gdpr - GDPR module > PROs & CONs
    PROs
    • The only module with a systematic approach
    CONs
    • Large number of open issues, including installation errors. The team is working on it.
    • At the moment there is no documentation. The team is working on it: https://www.drupal.org/docs/8/modules/general-data-protection-regulation
    • Does not cover all GDPR articles
    • Large number of dependencies, but that is normal, as GDPR has many requirements
    Questions
    • Should it be a module? Should it be in core?
    • Should it have submodules, or should they be standalone projects?
    • Does it need our help?
  18. Problems
    • At the moment there is no complete module which covers all topics / articles of GDPR
    • Some modules exist only for Drupal 7 or 8, but not for both. At the moment it's probably better to focus on D8
    • There are articles which are not covered at all:
      ◦ A8: for sites / applications with social network features (aka information society services), if the user is a child, the parents must give their permission for using such services
      ◦ A16: module to change personal data, or custom manual modification for small organizations
      ◦ A19: automatic API or manual notification of 3rd parties about modification or erasure of a data subject's personal data; dynamic personal user page where all 3rd parties are listed, or manual request processing (for sites with a small number of users / data subjects)
      ◦ A22: form or module to request / stop decision-making and profiling based on personal data processing (such as content personalization by interests or gender)
      ◦ A32:
        ▪ Encrypt important private data directly in the database
        ▪ Protect data integrity (data must not be changed by an unauthorized person)
        ▪ Implementation of authentication and/or extended permission configuration for manual editing
      ◦ A33: module or application to collect statistics about the number and types of personal data stored on the site, to be able to give such statistics to the DPO
  19. GDPR framework > Architecture overview
    • Data structure layer
      ◦ Properties of the site
      ◦ Properties of the content type
      ◦ Properties of the individual fields of each content type
    • Time-based jobs
    • Generic frontend PD UI
    • DS PD UI
    • DPO PD UI
    • Site builder PD UI
    • System
  20. GDPR framework > Architecture > Data structure layer
    • Properties of the site
      ◦ Cookies
      ◦ Data policy
      ◦ Parents' consent
    • Properties of content types / entities
      ◦ Consent date
      ◦ Expire date
      ◦ User relationship
      ◦ Randomization or removal?
    • Properties of individual fields
      ◦ PD field?
        ▪ Subtype of PD field
        ▪ Anonymization type
      ◦ Sub-CT relationships
  21. GDPR framework > Architecture > Time-based actions
    • PD expiration
      ◦ Erase / anonymization
      ◦ Automatic consent renewal cycle
      ◦ External services notifications about modifications / erasure
        ▪ API
        ▪ E-mail
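A runnable sketch of the time-based job that the data structure layer (slide 20) and this slide describe, added here as an example; it is not code from the framework, which the deck leaves at the design stage. It wires together a retention policy per content type (TTL after consent, consent renewal interval, remove-or-anonymize on expiry), an anonymization type per PD field, and the notifications to data processors that A19 asks for. Policy values, field names, processor names and the constructed records are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net"
	"time"
)

const day = 24 * time.Hour

// TypePolicy is what a site builder attaches to a content type.
type TypePolicy struct {
	TTL            time.Duration     // PD lifetime after the consent date
	ReconsentAfter time.Duration     // when consent is re-requested
	OnExpiry       string            // "remove" or "anonymize"
	Fields         map[string]string // PD field -> "hash" | "mask_ip" | "clear"
}

type Record struct {
	Type        string
	ID          int64
	ConsentDate time.Time
	Fields      map[string]string
}

// Action feeds the PD actions log; "notify" entries go to external processors.
type Action struct {
	Kind   string // "remove", "anonymize", "reconsent", "notify", "review"
	Type   string
	Target string // processor name for "notify"
	ID     int64
}

func anonymize(kind, value string, salt []byte) string {
	switch kind {
	case "mask_ip": // keep the network part only, as ip_anon / cryptolog do
		ip := net.ParseIP(value)
		if ip == nil {
			return ""
		}
		if v4 := ip.To4(); v4 != nil {
			return v4.Mask(net.CIDRMask(24, 32)).String()
		}
		return ip.Mask(net.CIDRMask(48, 128)).String()
	case "hash": // salted, so a pseudonym can't be confirmed by hashing guesses
		sum := sha256.Sum256(append(append([]byte{}, salt...), value...))
		return "anon_" + hex.EncodeToString(sum[:6])
	default:
		return ""
	}
}

// RunRetention applies the policies at time now. A record whose type has no
// policy is never silently expired; it is kept and flagged for review.
func RunRetention(now time.Time, policies map[string]TypePolicy, records []Record, processors []string, salt []byte) ([]Record, []Action) {
	var kept []Record
	var actions []Action
	for _, r := range records {
		p, ok := policies[r.Type]
		if !ok {
			actions = append(actions, Action{"review", r.Type, "", r.ID})
			kept = append(kept, r)
			continue
		}
		if !now.Before(r.ConsentDate.Add(p.TTL)) {
			if p.OnExpiry == "remove" {
				actions = append(actions, Action{"remove", r.Type, "", r.ID})
			} else {
				fields := make(map[string]string, len(r.Fields)) // copy: don't mutate input
				for k, v := range r.Fields {
					if kind, isPD := p.Fields[k]; isPD {
						v = anonymize(kind, v, salt)
					}
					fields[k] = v
				}
				r.Fields = fields
				kept = append(kept, r)
				actions = append(actions, Action{"anonymize", r.Type, "", r.ID})
			}
			for _, dp := range processors { // A19: processors must follow suit
				actions = append(actions, Action{"notify", r.Type, dp, r.ID})
			}
			continue
		}
		if !now.Before(r.ConsentDate.Add(p.ReconsentAfter)) {
			actions = append(actions, Action{"reconsent", r.Type, "", r.ID})
		}
		kept = append(kept, r)
	}
	return kept, actions
}

// SampleRun evaluates constructed records on a fixed date (the workshop day).
func SampleRun() ([]Record, []Action) {
	d := func(y int, m time.Month, dd int) time.Time { return time.Date(y, m, dd, 0, 0, 0, 0, time.UTC) }
	policies := map[string]TypePolicy{
		"user":            {365 * day, 180 * day, "anonymize", map[string]string{"name": "hash", "mail": "hash", "last_ip": "mask_ip"}},
		"contact_message": {30 * day, 30 * day, "remove", nil},
	}
	records := []Record{
		{"user", 1, d(2017, 1, 1), map[string]string{"name": "Ana Silva", "mail": "ana@example.org", "last_ip": "192.0.2.44"}},
		{"user", 2, d(2018, 6, 1), map[string]string{"name": "Bo", "mail": "bo@example.org", "last_ip": "198.51.100.9"}},
		{"user", 3, d(2017, 12, 1), map[string]string{"name": "Cy", "mail": "cy@example.org", "last_ip": "203.0.113.7"}},
		{"contact_message", 10, d(2018, 5, 1), map[string]string{"mail": "ana@example.org", "body": "call me"}},
		{"contact_message", 11, d(2018, 6, 20), map[string]string{"mail": "bo@example.org", "body": "thanks"}},
	}
	return RunRetention(d(2018, 7, 5), policies, records, []string{"newsletter-saas", "delivery-firm"}, []byte("per-site-secret"))
}

func main() {
	kept, actions := SampleRun()
	fmt.Println(len(kept), "records kept")
	for _, a := range actions {
		fmt.Printf("%-9s %s#%d %s\n", a.Kind, a.Type, a.ID, a.Target)
	}
}
```

On the sample date user 1 (consent 550 days old) is anonymized in place and user 3 (216 days) only gets a re-consent request, while contact message 10 is removed outright because form submissions have no reason to outlive their 30-day TTL; every erasure produces one notification per processor. The "review" path matters in practice: a content type someone forgot to configure should surface in the DPO log, not quietly keep PD forever.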
  22. GDPR framework > Architecture > DPO PD UI
    • PD statistics
    • PD actions log
    • PD records search & ops
    • Data leak notification module
  23. GDPR framework > Architecture > Site builder PD UI
    • CT configuration
    • DPO role assignment
  24. GDPR framework > Architecture > DS PD UI
    • See all own PD
    • Edit own PD
    • PD export
    • Erase own PD
    • Change consents, for example:
      ▪ No newsletter (NL)
      ▪ No personalized newsletter
      ▪ Limit other users' access to records containing their PD
    • Request protection of own PD from admin visibility
  25. GDPR framework > Architecture > Generic FE PD UI
    • Cookie consent
    • Privacy page
    • Form to contact the DPO
  26. GDPR framework > Architecture > System
    • GDPR DB dump (without PD)
    • Data access operations logging
    • Additional security measures, such as DB record encryption
      ◦ Possible decrease of overall site performance
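The A32 gap from slide 18 (encrypt important private data in the database and protect its integrity) and the DB record encryption bullet above, as an added example that is neither the framework's nor any Drupal module's code: AES-256-GCM encryption of a single field value with the table, column and entity ID as associated data, so a ciphertext that is modified in the database, or copied into another user's row, fails authentication on read instead of decrypting to someone else's data. The table/column names and the phone number are assumptions; the key is generated inside the scenario only for the demo and would in practice come from outside the database (environment variable, KMS, HSM).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// FieldCipher encrypts individual PD field values with AES-256-GCM. A key
// stored in the same database as the ciphertext protects nothing against a
// dump, so the key must live elsewhere.
type FieldCipher struct{ aead cipher.AEAD }

func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key) // 32-byte key -> AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// cellContext is the associated data: authenticated but not encrypted, so a
// ciphertext only opens in the table/column/row it was written for.
func cellContext(table, column string, entityID int64) []byte {
	return []byte(fmt.Sprintf("%s.%s#%d", table, column, entityID))
}

// Encrypt returns base64(nonce || ciphertext || tag) for storage in a text column.
func (f *FieldCipher) Encrypt(table, column string, id int64, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := f.aead.Seal(nonce, nonce, []byte(plaintext), cellContext(table, column, id))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Decrypt fails closed: any change to the stored bytes, or a mismatch between
// the cell it is read from and the cell it was written to, is an error.
func (f *FieldCipher) Decrypt(table, column string, id int64, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := f.aead.NonceSize()
	if len(raw) < ns+f.aead.Overhead() {
		return "", errors.New("stored value too short to be a valid ciphertext")
	}
	pt, err := f.aead.Open(nil, raw[:ns], raw[ns:], cellContext(table, column, id))
	if err != nil {
		return "", errors.New("integrity check failed: value modified or moved between cells")
	}
	return string(pt), nil
}

// Scenario runs the three checks worth seeing pass: round trip, detection of
// a value copied into another entity's row, detection of a flipped byte.
func Scenario() (map[string]bool, error) {
	key := make([]byte, 32) // demo only; a real key comes from outside the DB
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	fc, err := NewFieldCipher(key)
	if err != nil {
		return nil, err
	}
	const table, column = "user__field_phone", "field_phone_value" // assumed names
	enc, err := fc.Encrypt(table, column, 42, "+351 912 345 678")
	if err != nil {
		return nil, err
	}
	res := map[string]bool{}
	pt, err := fc.Decrypt(table, column, 42, enc)
	res["roundtrip"] = err == nil && pt == "+351 912 345 678"
	// someone with DB write access copies user 42's ciphertext into user 7's row
	_, err = fc.Decrypt(table, column, 7, enc)
	res["move_detected"] = err != nil
	// one bit flipped in the stored value
	raw, _ := base64.StdEncoding.DecodeString(enc)
	raw[len(raw)-1] ^= 0x01
	_, err = fc.Decrypt(table, column, 42, base64.StdEncoding.EncodeToString(raw))
	res["tamper_detected"] = err != nil
	return res, nil
}

func main() {
	res, err := Scenario()
	fmt.Println(res, err)
}
```

The performance caveat on the slide applies with force: an encrypted column cannot be indexed, sorted or searched with LIKE, and every render of the field costs a decryption, so encrypt the few high-risk fields (health data, ID card numbers) rather than everything. Integrity is what GCM's tag adds over plain encryption, which is why the A32 "data must not be changed by an unauthorized person" point is covered here and not only confidentiality. GCM's 96-bit random nonce is fine for the volumes of a Drupal site, not for billions of values under one key.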
  27. Resources
    • https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
    • https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN
    • https://eur-lex.europa.eu/legal-content/EN-FR/ALL/?uri=CELEX:32016R0679
    • https://gdpr-info.eu/
    • https://techblog.bozho.net/gdpr-practical-guide-developers/
    • https://techblog.bozho.net/tracking-cookies-gdpr/
    • https://techblog.bozho.net/protecting-sensitive-data/
    • https://www.gdpreu.org/the-regulation/key-concepts/personal-data/
    • https://github.com/contact/privacy
    • https://github.com/georgringer/gdpr
    • https://decisions.typo3.org/t/making-typo3-gdpr-ready/306/16
    • https://www.drupal.org/project/gdpr
    • https://www.youtube.com/watch?v=2VLMWn-uH7c
  28. Thank you! @FedirFR (feel free to contact me and share any feedback about the workshop)