Umbraco and GDPR
Why the focus on GDPR
Because it’s necessary. As I’m sure you all know, the deadline for GDPR is coming up in 4 months’ time (25th of May 2018). GDPR have had many faces, it has been seen as unnecessary, been feared, perhaps even detested and many other not so nice things. And admittedly, it sounded like a big scary beast – initially.
But as with so many other things, once we dive into it, it’s not all that bad. It requires work - perhaps quite a lot. But it will also generate a better culture around data security. There are still many uncertainties. This is somewhat unchartered territory and law is not an exact science. Things are still not 100% clarified and how some things end up are still to be determined.
So please continue reading with this disclaimer in mind.
Umbraco and GDPR
As discussed in great length on Our, it is as much a processual question as a technical question. The rules GDPR replaces/supports obviously vary from country to country, but for Umbraco, residing in Denmark, the rules don’t change that much as they are more or less the same as the current Danish ones.
During our work with Umbraco and GDPR we found that the big difference from the old rules, is that now, companies have to document that they have data security/protection under control.
So, to put things into a relatable context, the GDPR change resembles the case when lorries and busses were fitted with tachographs thus, documenting the vehicle’s speed, distance and the driver’s working hours. The rules of rest/driving were the same as before the change. The new thing was that the driver now had to document that he was complying within the law. It’s the same story with Umbraco and GDPR.
GDPR at Umbraco falls into 4 categories:
1. The products – CMS and Forms
As described in the discussion on our, it is already possible to use Umbraco CMS and Forms and be compliant with GDPR. However, that doesn’t mean it can’t be made simpler. Thus, we are working on making it simpler to use the CMS and Forms and comply.
These are the areas we are working with:
- General API for "logging of consent" which can provide a simple way of registering that a person has given consent of any given action. This will allow for reporting and querying of an audit trail for consent for a person/action.
- More detailed logging of user actions in the back office since as part of GDPR it should be possible to find out who has done what. For instance: "User X has given User Y permission to section Z"
- The ability to mark Members and Form properties as 'sensitive'. If these are marked as sensitive, the values will not be displayed in the back office to any user unless they are part of a User Group that has been flagged to be able to read sensitive data.
- Forms will have an option to not store values at all in its default data store which will allow developers to use the Form’s workflows to store the form data in their own custom data store.
- You will have the ability to export a member's saved data as a file.
We will release these improvements successively. All of them will be available in updates expected no later than end February, allowing you time to implement the upgrades.
2. Umbraco Cloud
Because the Umbraco CMS and Forms are part of Umbraco Cloud, the above goes for Umbraco Cloud as well.
We are a data processor; we are data processing your data, but we don’t know what data you are storing or whether this is protected data. Therefore, we treat all data as if they were protected. Hence, we have made a so called Data Processor Agreement (DPA) assuring that we as a data processor comply to the rules and regulations (this DPA will be available end January 2018).
Many lawyers have given their version of how such a DPA should look like and whether it should be physically signed by each and every individual customer/user one has. The consensus seems to be that it satisfies the rules if the company issues a general DPA allowing the customers/users in return to document that their supplier is complying thus, themselves are complying. Further, the agreement has to reflect that how to implement Umbraco Cloud is entirely in our customers’ hands. Finally, as Umbraco Cloud is a standard product there are limited, if any, room for variations in how we treat the data. In other words, it has to be a standard DPA otherwise it doesn’t scale for us.
At Umbraco we have made this DPA and it will be linked to our general Terms and Conditions hence, clients can download it and document that they are compliant. We expect to have it finalised by our legal counsel within a few weeks.
3. Getting DPA from our own suppliers
As we are using suppliers for many things we need to document that our suppliers have their data processing in place. We started out by mapping what data we hold, what systems we have (ERP, Mail system, salary system etc.) and whether we were data controller and/or data processor.
Once in place we appointed a person responsible for each system. He/she is responsible for collecting relevant DPA’s ensuring that the storing of data is with a relevant purpose, that it is revised/deleted on a regular basis etc.
For the analog systems (yes we receive physical letters/applications from time to time) we also need to have the data security in place - including a paper shredder 😊
4. Applying best practice and improving the data security culture
The fourth area we’re working on is to constantly improve our methods, standards, process etc. so we at any point in time are applying best practice. This includes, but is not limited to; making sure we have two factor authentication, relevant purpose for having any given data access, encryptions where relevant, pseudonymization/anonymization, signed confidentiality agreement by all staff etc.
We, as others, need to establish and follow not only best practice but also actively work for a culture that ensures that data are looked after and handled as it should be. We have a history of transparency on this field as far as goes for our products and services. We will continue this work.
Keep yourself updated on the latest initiatives by Umbraco on GDPR on this page.