Plone and the GDPR

hvelarde · May 7, 2018, 12:43pm

for people who still don't know about it, Europe’s General Data Protection Regulation is coming on May 25 and that has implications even for companies hosting sites outside the EU:

as good latinos we're leaving things until the last moment (minute 45 of the second half, they use to say over here).

my question is this: are there any Plone add-ons to show a message to site visitors like this one on El Pais website?

the message is about terms of service, cookies policy and some other stuff, and it's shown only once to every visitor.

UPDATE: in case there no such add-on I found the following code that could be useful:

erral · May 7, 2018, 1:07pm

For cookie messages we have used collective.cookiecuttr:

In some other site we used also the Cookie Consent solution, which requires to paste some code on the analytics box: https://cookieconsent.insites.com/download/

cekk · May 7, 2018, 1:15pm

We use this: https://github.com/PloneGov-IT/rer.cookieconsent
It basically works, but it needs a bit of love, because for example it has an old version of cookieconsent plugin (#4)

hvelarde · May 7, 2018, 1:16pm

thanks, @erral, this seems to be exactly what I'm looking for, but seems a little bit abandoned.

anybody from Four Digits over here? can we move/fork this package into the Collective? can you give permissions to the collective account on PyPI?

zopyx · May 7, 2018, 1:27pm

Sorry guys but the requirements related to the GDPR are broader than you might think. This included documentation of processes and e.g. to delete or export customer related data and content on request by a user...nothing of that is available out of the box in Plone.

-aj

hvelarde · May 7, 2018, 1:33pm

yes, I'm aware of that but is out of the scope I'm trying to reach at this time.

for the vast majority of our sites we don't store any customer related data besides the IP address on web logs and that's fine as long as we erase it periodically (encrypting old logs may be needed also).

UPDATE: here are some good articles:

You can’t collect and store any personal data without having obtained, and being able to document that you obtained, consent from the persons you’re collecting data from. You can, however, collect and store personal data as part of web servers logs for the purposes of detecting and preventing fraud and unauthorized access and maintaining the security of your systems.

"Under GDPR, organisations of less than 250 employees will not have to employ or train a data-protection officer (DPO)." Essentially, they won't have to change the structure of their organisation, whereas larger businesses probably will.

Smaller organisations will also benefit from no longer having to notify the ICO of data-processing activities. The GDPR instead requires businesses to keep detailed records on their own processing activity.

djay · May 8, 2018, 4:16am

Has anyone looked into the right to be forgotten with regard to the ZODB transaction history and also backups?

BTW, plone users themselves count as personal data since it includes name and email.

MatthewWilkes · May 8, 2018, 2:42pm

ZODB is no different to any other database with regard to compliance related to backups. You should bear the time since the last pack in mind when considering the state of your backups and manage your pack and backup schedules accordingly.

Also, consent is not the only legal basis for processing. You are allowed to retain data for (for example) legal defence or to comply with local laws. Secondly, you can be transparent with your users about how you apply their rights. It's fine to tell them that it will take some time for their data to be fully removed from non-operational sources such as backups as long as your restore processes handle the withdrawal of consent not being reverted.

hvelarde · May 10, 2018, 1:57pm

I analyzed collective.cookiecuttr and I decided not to go ahead with it; I prefer simple stuff and, IMO, this looks more like an unmaintained hack: all browsers have configuration options to disable cookies and I think that's the way a user has to proceed.

I ended up creating a new add-on only to display a disclaimer the first time a user visits a site:

as a side note, it doesn't use cookies at all: it stores the information in the HTML5 Storage just because it's more fun and we are in 2018.

share and enjoy!

agitator · May 11, 2018, 6:21am

I'm all in for simple solutions and showing transparency about how user data is handled is imho in the sense of the GDPR.

In terms of cookies it seems to me the way to comply best with is, grouping cookies for example by required/functional/advertising and to let the user decide what is acceptable. Also sending a user to the browsers cookie settings and expect to manage his gazillions of cookies there, isn't acceptable in the probably near future.

There are already some commercial solutions to kind of allow this (not advertising any of the shown services)

Not knowing all of the technical implications, can somebody explain what's necessary to make something this possible within Plone and are there maybe already OSS solutions for it?

hvelarde · May 11, 2018, 12:48pm

The chief cause of problems is solutions.
—Eric Sevareid

so you think that's complex and unacceptable? then think twice; I was reviewing this yesterday:

http://advertisingconsent.eu/

and I can tell you this "solution" is ridiculously complex and probably not affordable in the short/medium term; just take a look at a couple of slides on their presentation:

and don't forget the problems they are trying to "solve" were mainly caused by the advertisers themselves in the first place.

IMO, managing cookies like this is completely out of the scope of Plone; things we must care are simpler.

I don't believe neither that managing transactions at the DB level for a former employee of a company is covered by the GDPR, for instance.

but I'm not a lawyer, neither a EU citizen, nor I live in Europe; my only problem right know is unstable weather

Rotonen · May 11, 2018, 1:18pm

For people striving to get this ultimately right: That does not yet take into account the layer of inactive users whom have only agreed to some previous iterations of your ToS / marketing registry inclusions and is thus not yet a complete solution for the scope.

hvelarde · May 14, 2018, 10:24pm

I have released collective.disclaimer 1.0a1 to accomplish this task (already in production in the site of one of our customers).

The package is fully compatible with Plone 4.3 and Plone 5.1.

Share and enjoy!

kcleong · May 15, 2018, 10:16am

As the GDPR is more than a cookie warning/disclaimer, here are two articles which I found useful:

GDPR – A practical guide for developers - https://techblog.bozho.net/gdpr-practical-guide-developers/
GDPR Requirements in Plain English - https://blog.varonis.com/gdpr-requirements-list-in-plain-english/

hvelarde · May 15, 2018, 6:19pm

great information, thanks!

these ones are pretty good also:

seems the consent process will be outsourced to web browsers at some point.

the following months are going to be pretty interesting

agitator · May 29, 2018, 8:05pm

So I tried out a cookie consent service (cookiebot) and it works like a charm.
Register the domain, they scan the site, tell what cookies are active, pregroup them in necessary, statistic, marketing,...
Implementation is a js snippet, which disables/enables cookies according to the users settings, without touching any of the existing js/cookie/tracking implementations.

Can someone explain how this "sorcery" works?

hvelarde · August 28, 2018, 1:36pm

for all interested in the topic, @MatthewWilkes came with a solution for this, sponsored by Jazkarta and YES! Magazine:

kudos to them!