Methodology and tools for Drupal sites GDPR compliance
Slides from my workshop "Methodology and tools for Drupal sites GDPR compliance" at Drupal Developer Days 2018 (July 5, 2018, Lisbon, Portugal) #DrupalDevDays
Methodology and tools for Drupal sites GDPR compliance Fedir RYKHTIK @FedirFR (@AgenceStratis) July 05, 2018, Drupal Developer Days 2018, Lisbon, Portugal
GDPR > Short introduction
General Data Protection Regulation: aims primarily to give control to citizens and residents over their personal data.
Date made: 14 April 2016
Implementation date: 25 May 2018
Number of articles: 99
What is personal data (PD)?
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
Examples of personal data (PD)
● a name and surname;
● an email address such as [email protected];
● an Internet Protocol (IP) address;
● a cookie ID*;
● the advertising identifier of your phone;
● an identification card number;
● a home address;
● location data (for example the location data function on a mobile phone).
https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en#examples-of-personal-data
GDPR > Main concepts
● The user should explicitly accept what you may do with his personal data
● The user can change his mind
● Only authorized persons may access user data
● Data should not be stored forever
● Personal data should be stored and transferred in a secure way
● Personal data can be exported and/or removed from your service
● Access to personal data should be logged
● If you don't need it, don't ask for / collect / use it
● In case of a security breach you should notify users about it within 72h
GDPR > Rights of the subject
● Contacting the DPO (A12, A13)
● Access (A15)
  ○ Private data + details of processing
● Rectification (A16)
  ○ Update
● Right to be forgotten (A17)
  ○ Erase data
  ○ Data expiration TTL
● Limitation (A18)
  ○ Postpone data processing
● Portability (A20)
  ○ Export data
● Opposition (A21)
  ○ Stop data processing
● Refusal of automatic decision (A22)
GDPR > Additional requirements
● Clean PD after usage (A5)
● Minimisation of PD collection (A5)
● Child's consent in relation to information society services (A8)
● Protect access to private data (A25, A32)
● Risk analysis (A35)
● Notify in case of a data leak (A33, A34)
Site case examples
● Drupal.org
● Site of a Christian young scouts association
● Health forum
● Tinder-like site
● IoT web app for house control (video cameras, physical address)
● PWA site of your town (with many permissions, such as taking photos, so not only access to PD but also its creation)
"Overview of GDPR modules for Drupal" talk by Balu Ertl and Dominika Péterova at DDD18
Highly rated modules in different categories:
● Rights of users
  ○ GDPR
● Cookie control
  ○ GDPR consent
● Form consents
  ○ GDPR
● Anonymization
  ○ GDPR
● 3rd parties
  ○ Blitz vanisher
  ○ Cookiebot
● Security
  ○ No module
Full video: https://www.youtube.com/watch?v=2VLMWn-uH7c
gdpr - GDPR module
● Checklist for the site admin, incl. automated content, module and configuration discovery (e.g. cookie consent, check whether there is a privacy policy page, etc.), displaying the current status on a progress bar and also placing a link on the status report page.
● GDPR consent submodule (D8 only), which allows setting up "agreements" and tracking the consent per user.
● GDPR fields submodule (D8 only) to mark personal data at field level. Currently this serves only documentation purposes; handling of incoming requests, e.g. for deletion, will be handled by the upcoming GDPR tasks submodule.
● Drush command drush gdpr-sql-dump, with the primary goal of preventing developers from accessing sensitive personal data of site users by obfuscating configured fields of the SQL dumps. Under heavy development.
● GDPR tasks submodule with various site management operations:
  ○ Handle and track requests coming from users (data subjects).
  ○ Allow users to initiate "forget me" and "export" actions with site administrators.
gdpr - GDPR module > Dependencies
drupal/entity
● Unified way to deal with entities and their properties
drupal/message
● The Message module is the core of the message stack. It enables logging and displaying system events in a number of different use cases. Events that are recorded over time are sometimes called activity streams. Exportable message subtypes can be created for different use cases with custom fields and display (view) modes.
fzaninotto/faker
● Data anonymization
drupal/checklistapi
● UI for modules to create fillable, persistent checklists that track progress with completion times and users
gdpr - GDPR module > PROs & CONs
PROs
● Only one module, with a systematic approach
CONs
● Large number of open issues
  ○ Including installation errors. The team is working on it.
● At the moment there is no documentation. The team is working on it.
  ○ https://www.drupal.org/docs/8/modules/general-data-protection-regulation
● Not covering all GDPR articles
● Large number of dependencies, but that is a normal situation, as GDPR has many requirements
Questions
● Should it be a module? Should it be in core?
● Should it have submodules, or should they be standalone projects?
● It probably needs our help?
Problems
● At the moment there is no complete module which covers all topics / articles of GDPR
● Some modules exist only for Drupal 7 or 8, but not for both. At the moment it's probably better to focus on D8
● There are articles which are not covered at all:
  ○ A8: for sites / applications with social network features (aka information society services), if the user is a child, parents should give their permission for using such services
  ○ A16: module to change personal data, OR custom manual modification for small organizations.
  ○ A19: automatic API or manual notification of 3rd parties about modification or erasure of the personal data of a data subject.
  ○ Dynamic personal user page where all 3rd parties are listed; or manual request processing (for sites with a small number of users / data subjects).
  ○ A22: form or module to request / stop decision-making and profiling based on personal data processing (such as content personalization by interests or gender).
  ○ A32
    ■ Encrypt important private data directly in the database
    ■ Protect data integrity (data should not be changed by unauthorized persons)
    ■ Implementation of authentication and/or extended permission configuration for manual editing
  ○ A33: module or application to collect statistics about the number and types of personal data stored on the site, to be able to give such statistics to the DPO.
GDPR framework > Architecture overview
● Data structure layer
  ○ Properties of the site
  ○ Properties of each content type
  ○ Properties of the individual fields of each content type
● Time-based jobs
● Generic frontend PD UI
● DS PD UI
● DPO PD UI
● Site builder PD UI
● System
GDPR framework > Architecture > Data structure layer
● Properties of the site
  ○ Cookie
  ○ Data policy
  ○ Parents' consent
● Properties of content types / entities
  ○ Consent date
  ○ Expiry date
  ○ User relationship
  ○ Randomization or removal?
● Properties of individual fields
  ○ PD field?
    ■ Subtype of PD field
    ■ Anonymization type
  ○ Sub-CT relationship
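A sketch of how the field-level and content-type-level properties above (PD subtype, anonymization type, consent date, expiry TTL) can drive the "randomization or removal" step that a time-based job would run. This is an added example, not code from the talk's framework or from the gdpr module; the field names, the `SITE_SECRET` placeholder and the forum-post sample are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import hmac
import secrets
# Constructed placeholder: a real site keeps this secret outside the code base.
SITE_SECRET = b"replace-with-site-secret"

@dataclass(frozen=True)
class PdField:  # field-level properties: PD subtype and anonymization type
    name: str
    subtype: str        # e.g. "identity", "contact", "identifier"
    anonymization: str  # "remove" | "randomize" | "pseudonymize"

@dataclass(frozen=True)
class PdContentType:  # content-type properties: data TTL and its PD fields
    label: str
    ttl_days: int
    fields: tuple

def expire_date(consent_date: date, ct: PdContentType) -> date:
    return consent_date + timedelta(days=ct.ttl_days)

def anonymize(record: dict, ct: PdContentType, today: date) -> dict:
    """Copy `record`, processing its PD fields once the TTL has elapsed or
    consent was withdrawn (consent_date is None). Non-PD fields are kept."""
    consent = record.get("consent_date")
    out = dict(record)
    if consent is not None and today < expire_date(consent, ct):
        return out
    for f in ct.fields:
        if out.get(f.name) is None:
            continue
        if f.anonymization == "remove":
            out[f.name] = None
        elif f.anonymization == "randomize":
            out[f.name] = f"{f.subtype}-{secrets.token_hex(4)}"
        elif f.anonymization == "pseudonymize":
            # Keyed hash: a plain hash of a small value space (IPs) is brute-forceable.
            out[f.name] = hmac.new(SITE_SECRET, str(out[f.name]).encode(),
                                   "sha256").hexdigest()[:16]
        else:
            raise ValueError(f"unknown anonymization type {f.anonymization!r}")
    return out

# Constructed sample: a forum post whose author fields are PD.
FORUM_POST = PdContentType("forum_post", ttl_days=365, fields=(
    PdField("author_name", "identity", "randomize"),
    PdField("author_mail", "contact", "remove"),
    PdField("author_ip", "identifier", "pseudonymize")))
SAMPLE = {"nid": 1, "consent_date": date(2018, 5, 25), "author_name": "Jane Doe",
          "author_mail": "jane@example.com", "author_ip": "203.0.113.7", "body": "hi"}
```

A pseudonymized value still counts as personal data while the key exists, so the "remove" type is the only one that takes a field out of GDPR scope entirely.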
GDPR framework > Architecture > DS PD UI
● See all own PD
● Edit own PD
● PD export
● Erase own PD
● Change consents
  ○ Examples
    ■ No NL
    ■ No personalized NL
    ■ Limit other users' access to records containing his PD
● PD admin visibility protection request
GDPR framework > Architecture > System
● GDPR DB dump (without PD)
● Data access operations logging
● Additional security methods, such as DB record encryption
  ○ Possible decrease of overall site performance