How to be GDPR Compliant with eZ Platform or eZ Publish
GDPR is just around the corner and many eZ Platform and eZ Publish users are likely asking how they can comply with this complex legislation. The good news is that you can start by implementing different features already available on the eZ Platform and eZ Publish frameworks. Before we jump to the available features, a bit of context around GDPR will be of use.
What is GDPR?
The General Data Protection Regulation (GDPR) is a new European Union (EU) regulation on data protection and data privacy that applies to the personal data of individuals in the EU. It comes into force on May 25, 2018. GDPR's goal is to strengthen data privacy by giving individuals enforceable rights, such as the right to be forgotten and the right to ask what personal data the entities they come into contact with hold about them. GDPR requires that data controllers and data processors implement specific measures to meet these new data protection requirements.
Data Controller vs Data Processor
A data controller is any entity that decides the purpose and means of personal data processing. On the other hand, a data processor is the entity that is responsible for processing data on behalf of the controller. It is necessary to understand the distinction between these two roles. Gdpreu.org uses the following example to distinguish between the two roles: "Acme Co. sells widgets to consumers and uses Email Automation Co. to email consumers on their behalf and track their engagement activity, then with regard to such email activity data, Acme Co. is the data controller, and Email Automation Co. is the data processor." According to GDPR the data controller is the principal party responsible for collecting consents, managing the revoking of consents and the deletion of personal data. The data processor implements these actions on behalf of the controller's request.
What Are the Ramifications of Breaching GDPR?
The regulation makes any entity that collects personal data of individuals in the EU responsible and accountable for how that data is handled. According to Article 4 of the GDPR, 'personal data' means "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
A breach of the GDPR can result in a fine of up to €20 million or 4% of the company's worldwide annual turnover, whichever is higher.
Now that we have provided some context for those who are not familiar with GDPR, let's look at how to comply.
How to Address GDPR with eZ Platform
GDPR is a complex piece of legislation that many still find difficult to understand and prepare for. Because much of its text is open to interpretation, it is hard to predict exactly how it will be enforced from May 25th. Although we are not experts on the matter, we have done a great deal of research on the topic. Here we share some guidance on which features to implement on your eZ Platform or eZ Publish website to help you comply with the regulation.
This past week I interviewed our rockstar Technical Product Manager, Bertrand Dunogier about steps eZ clients who use eZ Platform can take to address the GDPR predicament.
Question: What is the first step organizations should consider when preparing for GDPR?
BD: The first steps are actually not about technology or about eZ Platform at all. Organizations need to first take a good look at themselves and begin to understand and document what data they are collecting and how it is being stored. Companies must ask themselves the following questions:
- What type of data are we collecting?
- How relevant is the data we have collected?
- Are we communicating to our users/visitors the type of data we are collecting?
- Did we ask visitors for permission to collect data?
- What is our consent management process?
- What is the purpose of the data we have collected?
- How will this data be utilized?
One of the best measures companies can take is to eliminate old and irrelevant data. We need to understand that 95% of data collected holds no relevance. Therefore, the best thing a company can do is to get rid of irrelevant data. The second measure companies can take is to begin documenting all personal data that is collected and its purpose as well as the processes on how it is collected.
Question: How can you ask for consent with eZ Platform?
The places where personal data is collected using eZ Platform or eZ Publish are user profile creation, forms that create user generated content (UGC) in the eZ content repository, and forms independent of the content repository, whether built with our form builder, developed custom by the developer of the site, or provided by a third-party solution or library. Let's first define how personal data is collected in each of these cases.
- User Profile Creation - A person creating a user profile on eZ Platform or eZ Publish. Depending on the projects, you might have pre-defined personal fields that users must fill out such as email and their first and last names.
- UGC Form - On a UGC form a user creates content in the repository. For example, posting a review or listing a product for sale on a community based e-Commerce site.
- Independent Form - For example, a form builder in eZ Platform or eZ Survey extension in eZ Publish.
In all three of these scenarios you can (and should) implement a consent management solution that will allow your organization to comply with GDPR regulations. We recommend that you add a new, mandatory description field. For new registrants who create user profiles, we suggest that you implement an email field. Requiring users to provide you with an email will allow you, as the controller, to send a follow-up email to users that details the type of information you are collecting on them and the purpose of collecting that data. Secondly, a follow-up email lets you authenticate the user, allowing you to create a double opt-in mechanism.
Another solution that can address all three scenarios is the addition of a checkbox field. The checkbox field will require users to check the consent box prior to registration. This will provide you with proof that the user has provided you with his consent/permission to gather data on them. The checkbox should also be used to confirm in a UGC scenario that the user has agreed to use the license and contribute content on the platform.
Additionally, make sure to be explicit about the purpose for which you collect data in your consent request and not to conceal what type of information you will be collecting on your user.
Question: What can be done if a user requests to be deleted?
BD: A registered user can ask for his account and personal data to be deleted. Deleting the account and the personal data (user fields) stored within the user profile is not a problem. However, in the case of UGC, it can be tricky. If the contributions from the user are personal data (and in many cases they will be), erasing them is, of course, possible, but this could lead to undesired broken links and loss of content on the website for other users, and you should be aware of this.
If the contributions are not to be handled as personal data (maybe the user signed an agreement granting specific rights to this content), then deleting the user account might lead to broken links and orphan content. In this case, we recommend disabling the user account and anonymizing all its fields by replacing them with dummy values, which leads to the same result without deleting the account itself.
To erase personal data, site administrators can simply use the Administration Interface by going to the User Management section to delete or disable a user as well as doing a filtered search to identify all content related to a specific user/author. And of course all of this can also be done by using lower level APIs.
Question: How can you use eZ Platform to export data?
BD: Currently we do not have an exporting button. However, we are looking to develop an out-of-the-box capability that allows users to "retrieve data" with the click of a button. This button will allow you to download and export personal data. Currently, developers can customize the system using the API. The API allows you to query the content repository for all content published by an author, which can then be exported. We are also considering creating a simple "forget me" button that, once pressed, will lead to all the personal data collected on a certain user being deleted automatically.
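The two API-based procedures described in the last two answers (anonymizing and disabling an account whose contributions must stay, and collecting everything a user owns for an export) share the same first step: find all content owned by the user in the repository. The following PHP class is an added example, not eZ's own code or a feature of eZ Platform. It uses the eZ Platform Public API (the `eZ\Publish\API\Repository` services) and assumes the default user content type with `first_name` and `last_name` fields; the class name `GdprUserTool`, the dummy values and the `example.invalid` address are our choices for illustration, and the caller must run it with enough permissions (for example under `Repository::sudo()`).

```php
<?php
// Added example, not part of eZ Platform: GDPR helpers built on the eZ Public API.
// Assumptions: eZ Platform 1.x/2.x namespaces, the default "user" content type
// (fields first_name and last_name), and a caller with edit rights on the content.

use eZ\Publish\API\Repository\Repository;
use eZ\Publish\API\Repository\Values\Content\Content;
use eZ\Publish\API\Repository\Values\Content\Query;
use eZ\Publish\API\Repository\Values\Content\Query\Criterion;
use eZ\Publish\API\Repository\Values\Content\VersionInfo;

final class GdprUserTool
{
    /** @var Repository */
    private $repository;

    public function __construct(Repository $repository)
    {
        $this->repository = $repository;
    }

    /** Every content item whose owner is the given user, paged through the search index. */
    public function findContentOwnedBy(int $userId): array
    {
        $query = new Query();
        $query->filter = new Criterion\UserMetadata(
            Criterion\UserMetadata::OWNER, Criterion\Operator::EQ, $userId
        );
        $query->limit = 100;
        $query->offset = 0;
        $found = [];
        do {
            // Results come from the configured search engine. With Solr, make sure the
            // index is current before relying on this list as a complete inventory.
            $result = $this->repository->getSearchService()->findContent($query);
            foreach ($result->searchHits as $hit) {
                $found[] = $hit->valueObject;
            }
            $query->offset += $query->limit;
        } while ($query->offset < $result->totalCount);

        return $found;
    }

    /** Right of access: account fields plus every owned item, ready for json_encode(). */
    public function exportPersonalData(int $userId): array
    {
        $user = $this->repository->getUserService()->loadUser($userId);
        $export = [
            'account' => ['login' => $user->login, 'email' => $user->email,
                          'fields' => $this->fieldsToArray($user)],
            'content' => [],
        ];
        foreach ($this->findContentOwnedBy($userId) as $content) {
            $type = $this->repository->getContentTypeService()
                ->loadContentType($content->contentInfo->contentTypeId);
            $export['content'][] = [
                'id'       => $content->id,
                'type'     => $type->identifier,
                'name'     => $content->contentInfo->name,
                'modified' => $content->contentInfo->modificationDate->format(DATE_ATOM),
                'fields'   => $this->fieldsToArray($content),
            ];
        }

        return $export;
    }

    /** Right to erasure when UGC must stay: disable the login, overwrite the user's
     *  fields with dummy values and drop the archived versions that still hold the
     *  real ones. The login itself cannot be changed through UserUpdateStruct, so if
     *  your site uses the e-mail address as login, handle that separately. */
    public function anonymizeAndDisable(int $userId): void
    {
        $userService = $this->repository->getUserService();
        $contentService = $this->repository->getContentService();
        $user = $userService->loadUser($userId);

        $struct = $userService->newUserUpdateStruct();
        $struct->enabled = false;                                   // blocks future logins
        $struct->email = sprintf('deleted-%d@example.invalid', $userId);
        $struct->contentUpdateStruct = $contentService->newContentUpdateStruct();
        $struct->contentUpdateStruct->setField('first_name', 'Deleted');
        $struct->contentUpdateStruct->setField('last_name', 'User');
        $userService->updateUser($user, $struct);

        // updateUser publishes a new version; the previous version is archived, not
        // removed, and still carries the original name and e-mail. Delete it.
        $contentInfo = $userService->loadUser($userId)->contentInfo;
        foreach ($contentService->loadVersions($contentInfo) as $versionInfo) {
            if ($versionInfo->status === VersionInfo::STATUS_ARCHIVED) {
                $contentService->deleteVersion($versionInfo);
            }
        }
    }

    private function fieldsToArray(Content $content): array
    {
        $out = [];
        foreach ($content->getFieldsByLanguage() as $identifier => $field) {
            $out[$identifier] = (string) $field->value; // field type values implement __toString()
        }

        return $out;
    }
}
```

A console command with the Repository injected could then run `$repository->sudo(function () use ($tool) { file_put_contents('user-42.json', json_encode($tool->exportPersonalData(42), JSON_PRETTY_PRINT)); $tool->anonymizeAndDisable(42); });`. Two caveats a practitioner should keep in mind: the search index, the trash and any web server or application logs can still hold copies of the personal data after this runs, and the owned-content inventory only covers items whose owner metadata points at the user, not personal data a user typed into other people's content.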
GDPR can be a very confusing piece of legislation. The good news is that a lot can be done about it on eZ Platform and eZ Publish, thanks to their APIs and architecture. The final word on what needs to be done to comply will depend a lot on your specific installation and how you use the platform. It will require you to adjust how you address data collection and data privacy.
In the near future we hope to introduce some features that will go beyond the current capabilities for reaching GDPR compliance, making it easier and faster to implement. For example, we are looking into various features such as a consent management panel, a data export panel and a consent withdrawal tool bar.
And stay tuned, we'll post more about GDPR here as well. In the meantime, you can provide any comments or questions about how eZ Platform or eZ Publish can help you be GDPR compliant in the comment section below or our discussion forum.