The Joomla Privacy Journey
The Joomla Privacy Journey started back in November 2017, when the Board of Open Source Matters, Inc. realized the need to ensure compliance with the GDPR and other privacy regulations. A new working group was formed, and since then several volunteers have helped the Project to audit its internal privacy practices and take action to reach compliance.
The Working Group started recruiting volunteers and had the chance to involve Data Privacy Experts, Lawyers, Consultants, Students, Developers and other Professionals from Europe and the rest of the World.
At the beginning of 2018, several volunteers met in Cologne for a “GDPR Working Group” sprint to design the team’s strategy and evaluate the needs of the project in terms of privacy tools and measures.
The Team conducted an audit of all the project owned web properties to identify gaps in data protection and take appropriate actions towards compliance.
The need for a centralized place to manage “identities” emerged and Sander Potjer envisioned the technical solution.
The Team also published several articles about GDPR and privacy regulations to inform the community about the law requirements.
The Joomla Identity Portal
The largest and most complex task for the Joomla Compliance Team was the development of the Joomla Identity Portal, a place where Joomla volunteers, contributors and friends can manage their “identities”, their data, their profiles and their consents. The Joomla Identity Portal serves as the central place to handle consents, and all the *.joomla.org websites connect to it to retrieve people’s profiles. The platform allowed the project to deploy a Single Sign On (SSO) system, so from now on there is no need to register many accounts and remember a multitude of passwords and profiles: one registration will allow people to access all joomla.org websites.
The portal also allows the management of all the consents. Through the Identity Portal, for example, you can choose whether to allow the portal to share your data with the Volunteers Portal, the JED or the Certification website, and you can withdraw any of the given consents at any time with one click.
The first portal to be connected to the Identity Portal will be the Volunteers Portal; the other properties will be linked in the upcoming months.
The Cookie Management System
The Joomla Compliance Team also audited and analyzed all the cookies produced, installed and used by all the *.joomla.org websites. After an extended evaluation of the available solutions that could cover the needs of such a large-scale cross-platform project (cookie compliance for almost 30 properties based on several platforms, not limited to Joomla! CMS), the team partnered with CIVIC, a cookie compliance solution provider (which recently also became a Joomla! extension developer), to deploy a cookie management bar on the Joomla.org websites. This allows website users to set their preferences regarding cookies, as required by the European laws on cookies and other privacy regulations.
The Incident Response Plan
Kleanthis Dellios, a contributor of the Compliance Team, prepared the Incident Response Plan and the Incident Response Policy for Open Source Matters, describing the rules and defining the action plan to adopt in case of a data breach or an incident that involves personal data.
The Cross CMS Compliance/Privacy Initiative
In December 2018, Achilleas Papageorgiou and Luca Marzo from the Compliance Team arranged a meeting with Heather Burns from the WordPress Privacy Team that served as the foundation for the “Cross CMS Compliance/Privacy Initiative”, a task force that included members from several CMS projects to analyze their respective compliance with the privacy regulations. The initiative involved members from Joomla, WordPress, Drupal and Umbraco, and has been very valuable for sharing experience and identifying any gaps in the software. One of the outcomes of this cross-project collaboration was the Privacy Guidance for Joomla extensions.
A big thank you to the Volunteers
As Data Protection Officer (DPO) of Open Source Matters, I would like to take one moment to thank all the volunteers involved in the Compliance Team, past and current members:
- Achilleas Papageorgiou, who serves as Team Leader and Data Privacy Expert.
- Roland Dalmulder, the main developer of the Single Sign On system.
- Sander Potjer, the main developer of the Identity Portal.
- Alkaios Anagnostopoulos, the main developer of the Cookie management script.
- Sandra Decoux, former Board Member and representative of the Webmasters Team.
- Kleanthis Dellios, Privacy Consultant, who prepared the Incident Response Plan.
- Wilco Alsemgeest, Joomla volunteer and former Team Lead for the Compliance Team.
- Reino Hoko, Privacy consultant who wrote articles about privacy and regulations.
- Alberto Nutricati, Privacy consultant who wrote articles about privacy and regulations.
- Francesco Perrone, Privacy consultant who provided advice and guidance.
- Yves Hoppe, former Board Member and contributor to the strategy for the team.