It’s one year on from the introduction of the General Data Protection Regulation (GDPR), and as with any anniversary it’s an opportunity to reflect – to take stock of what’s changed in our CMS community and beyond as a result of the GDPR and to mention a few things coming down the line that remind us that the GDPR is a step on the privacy journey.
GDPR sparked interesting conversations, not only in the Umbraco community, but in the wider CMS world as well about how best to meet this challenge – Is the solution process-based? Is it the responsibility of tech to fulfil the requirements? Is there a danger of over-engineering a solution? As with most things, the answer lies somewhere in between and in truth, everyone has a role to play in delivering on both the privacy and security that are the fundamental rights that the GDPR aims to realise.
But isn't GDPR so last year?
Out of these conversations in the community and within Umbraco HQ itself, grew efforts to decide how best Umbraco could deliver on what the GDPR was trying to achieve. This culminated in the GDPR Upgrade, introducing features such as a Consent Service, better backoffice auditability, and the ability to mark fields as sensitive for both member profiles and form data.
And with that big privacy push delivered ahead of GDPR’s introduction, it’s fair to ask: are we done? Is there more we could do? What else could we be thinking about?
It's about privacy
GDPR is an important milestone in privacy, but it is important to consider privacy as an ongoing commitment to principles rather than a specific legal obligation that needs to be complied with. More privacy legislation is coming down the track, both from within Europe and beyond, and it is an opportunity for CMSs to be working towards privacy goals that will get them and their user bases ready.
Examples of upcoming privacy legislation affecting our industry are the ePrivacy Regulation revamp, the California Consumer Protection Act (CCPA), and a likely U.S. Federal privacy law. There is interplay between these new developments and existing privacy regulations, and addressing them as a CMS project needs a multi-faceted approach, from community guidance to new approaches to package development and core updates.
It's also good business
Clients are becoming more privacy-savvy as to what they need to be considering when choosing a CMS and to what extent it can meet their compliance needs out of the box. In my work at the intersection of data protection and technology I see this trend in every aspect of supplier procurement – it’s an increasingly smart business decision to choose a platform that takes a best-effort approach towards privacy.
Cross-CMS Privacy Working Group
In recent months I’ve been involved in a Cross-CMS privacy initiative with representatives from other CMS communities including WordPress, Drupal and Joomla as well as legal & tech regulation experts. A primary goal of the Working Group is to discuss each CMSs approach to privacy and find common ground towards problem-solving that we can all benefit from. We’ve found that there are opportunities to support our projects across the areas that privacy spans from legal compliance & project governance, to developing with Privacy by Design, privacy UX patterns and producing practical guidance & best practices to support our communities in considering privacy in the work that they do.
Cross Privacy Initiative’s Vision:
Through collaboration, open source CMS projects can help transform our development communities into ones which empower user privacy through a positive and proactive approach to governance, standards, and tools, rather than a negative and reactive approach to privacy as a legal compliance obligation.
It’s early days but we’re off to a great start in being supported by the Mozilla Open Leaders Project. We are working on guidance to support developers in producing packages that consider privacy, as well as discussing how a common standard may be developed for data portability across our projects.
A key value of our collaboration is that we are able to share knowledge and resources about the new privacy legislation which lies ahead. This enables us to discuss what new functionality we may have to build well in advance of compliance deadlines.
This is a truly open-source collaboration that cuts across code boundaries in an area where there is huge potential to build on each other’s efforts – they’re the same issues after all, just different repos.
If you have ideas that you’d like to contribute towards cross-CMS privacy, we’d love to hear from you. You can do that by contributing to Open Source Privacy Standards Repository (special thanks to our Cross-CMS initiative standard-bearer – Heather Burns from the WordPress Privacy Team) or feel free to get in touch with me.
Umbraco & privacy
In preparation for the GDPR, Umbraco had a GDPR-focused release. Version 7.9.0 added a Consent Service, improved backoffice auditing and the concept of Sensitive Data Fields for Members as well as the ability to export a member’s profile data. Umbraco Forms also introduced Sensitive Data Fields and the ability to disable storing form submissions by default with Forms v7.0.0.
How have other CMSs approached privacy?
One thing that’s clear from being involved in the cross-CMS privacy discussion is that we have all been having the same debates & challenges in our communities. We’ve been coming up with sometimes similar and other times differing approaches towards solving these. Between additions to the core and contributions from community members, every CMS has made an effort to tackle privacy challenges head-on.
Jamie Abrahams from the Drupal community sums it up well:
As developers behind some of the largest CMSs in the world, we know that we cannot force website administrators to respect their users’ privacy, but we can at least make it so easy for them to do so that they will need a good reason to not enable these tools.
Buy-in from the core projects and support from their communities have been key in driving and sustaining momentum in addressing data privacy issues. Here’s a rundown of some banner items that our CMS friends have been working on:
- Established a WordPress Compliance Team;
- Established a GDPR Compliance Roadmap, recently released a 2019 Core Privacy Roadmap;
- Made privacy a core component of the WordPress project;
- Provided guidance for plugin developers to work;
- Developed tools to facilitate data access requests and data portability;
- The WordPress Privacy & Maintenance Release.
- Created a Core Privacy Initiative and first suggested an Open Web Privacy Working Group to encourage collaboration;
- Established a GDPR Compliance Team;
- Developed a Privacy Roadmap and issue tracker;
- GDPR Module – a project to provide GDPR compliance features.
- Nominated a Data Protection Officer (DPO);
- Established the Joomla! Compliance Team;
- Published articles regarding GDPR compliance;
- Planning the release of a Single Sign On (SSO), Profile and Consent Management System solution for the Joomla! Community users;
- Released the Privacy Tools Suite – a comprehensive suite of tools and features included in the Joomla core to ease compliance with Privacy regulations;
- Provided guidance for users and developers to integrate Joomla’s Privacy features.
Opportunities for Umbraco
With the initial GDPR preparation behind us, there are a number of ways Umbraco and we the community, can build on that momentum and evolve how we facilitate and support privacy. I’d like to humbly make the following suggestions based on the experiences of our fellow CMS projects that could help to move this forward:
Create a Privacy Initiative
A quick win is to make it easier to track privacy-related issues on the Issue Tracker (e.g. project/privacy). This would help give greater visibility to privacy issues and also affirm privacy as an ongoing component of the project.
Establish a Privacy Team
An approach that many CMS projects have taken is to create a permanent Privacy Team that is tasked with moving the privacy roadmap forward. This could be either within HQ itself or a combined HQ & community effort such as we’ve seen with the PR Team, the Document Curators Team and the recent formation of the Accessibility Team.
A Privacy Team could develop a privacy roadmap for the project, triage privacy-related issues and possibly evolve into auditing packages against privacy best-practices where a package developer submits a package that would benefit from being able to demonstrate that privacy concerns have been considered.
This would be a great opportunity to bring the cross-skill-set expertise that’s in the community together in areas such as privacy, security, UX, development and regulatory expertise.
Standardise Data Discovery
Handling of personal data by package’s very much depends on how a package is implemented. It may process and store data in custom tables that the CMS doesn’t have a streamlined way of retrieving. Realising the rights of individuals under data protection regulation such as access, erasure, and portability becomes more difficult when data is stored in these silos without a managed way to retrieve it.
A possible solution is for the Core to provide APIs for packages to register where personal data is stored, enabling personal data discovery via the backoffice.
Create a Privacy Dashboard
Not all personal data which is collected through the CMS may end up being stored by the CMS, but it is often the first port of call for individuals exercising their rights to make a request via the CMS-backed website. Surfacing information in a Privacy Dashboard in the backoffice would provide site admins with a central place to facilitate privacy rights, while streamlining the process of fulfilling requests for the user. This could be a Core feature or developed as a package once the Core API’s exist to make personal data management easier.
Drupal has taken this approach, with a community GDPR module that leverages Core API’s.
Drupal GDPR Module
This fits well with Umbraco’s philosophy of providing extension points within Core for package developers to build on, and if a package demonstrates its adoption and utility to the community it may end up being considered for shipping in Core.
Create a Package Privacy Audit
Being accountable for personal data processing is a core principle of data protection regulation. It’s important for site owners to be accountable for their personal data processing and to surface privacy info in user-facing policies. Enabling package developers to submit privacy-related information in a structured way, thereby providing clarity as to how their package processes personal data, could be facilitated through the package-submission process on Our Umbraco.
This could be optional, but for businesses who are concerned about compliance, it will be a very useful indicator to be able to look for packages that have completed a basic privacy audit.
There has been work completed within the Cross-CMS initiative on a Privacy Audit for third-party extensions and similar efforts are in draft form at the W3C.
Leverage the Consent Service
The Consent Service shipped as part of the Umbraco GDPR Release. It exists to capture the consent of individuals for processing of their personal data and to manage those consents. At the moment it may be a bit underutilised, and there could be an opportunity to tie it in with other backoffice features such as the Data Consent property type for Umbraco Forms, which could close the loop between the capturing and recording of consent.
Enable Sensitive Field Encryption
Umbraco, Drupal, WordPress and others are having the same discussions about encryption. I believe that as part of a layered approach to security, Umbraco could consider facilitating sensitive field encryption. There is already the concept of marking fields as sensitive in the backoffice in Umbraco Forms & Member profiles. This data is not currently stored in an encrypted form in the database.
There are trade-offs and additional challenges that come with storing encrypted data, such as impacting on the searchability of it, key management etc. But if the ability is there to use it, it should be up to the implementor to decide if doing so better meets their needs and mitigates their exposure to risk.
By providing guidance within the Umbraco Documentation on Privacy by Design and how to approach building Umbraco solutions with privacy considered, Umbraco has an opportunity to support privacy education & awareness within the community.
The health check
This Health Check will be released as part of the Our.Umbraco.HealthChecks Community Package a pending PR is merged into Core which enables using Content Pickers with Health Checks. A big thank you to Laura Weatherhead for her collaboration on getting this PR across the line.
No CMS can hand a user compliance in a neatly-tied bow, but they can streamline it and encourage a healthy regard for privacy. As a community, Umbraco has a lot to offer, and with the support of our sister CMS projects in rising to the occasion, there’s never been a better time for us to put privacy front and centre on the agenda.
Additional thanks to Kevin Giszewski for his excellent Cross-CMS Privacy banner illustration for this article, Paul Seal for V8-ifying his Community Health Checks package ahead of the Privacy Health Check release and finally — to my fellow members of the Cross-CMS Privacy Working Group: Heather Burns - WordPress Core Privacy Team, Achilleas Papageorgiou - Joomla Compliance Team, Luca Marzo - Joomla Compliance Team, Jamie Abrahams - Drupal & Chris Teitzel - Drupal, among other contributors, for helping to move the privacy discussion forward in the CMS community.