JoomShaper’s approach to GDPR compliance - JoomShaper

JoomShaper’s approach to GDPR compliance

20 April 2018
Hits 12,361
3 min read
JoomShaper’s approach to GDPR compliance

Joomla is the second most used web technology, powering 3.1% of all the websites (CMS market share of 6.2%), has a lot to do to address all GDPR issues. Making Joomla-based sites GDPR compliant is indeed a tough job. The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in last several years. This post is to inform all of our users that we are aware of GDPR, and we are taking this seriously.

What is GDPR?

GDPR (General Data Protection Regulation) was designed to harmonize data protection and privacy laws across Europe. The GDPR applies to both organisations located within and outside of the European Union upon offering goods or services to, or monitoring the behaviour of, EU data subjects. It means that if you handle EU customers even if your online business is not based in EU, this directive applies to you too. Tip for UK webmasters, the GDPR will come into effect before the UK leaves the EU.

The policy was approved and adopted by the European Union parliament and will be effective from May 25, 2018. The EU ePrivacy Regulation (ePR) has the same territorial scope as the GDPR, carries an identical penalty regime for non-compliance and is also intended to come into effect on this same day.

What are the penalties for non-compliance? Your company can be fined up to 4% of annual global turnover or €20 Million for breaching GDPR. Making your website GDPR compliant is indeed crucial.

The GDPR-ePR stuff and JoomShaper's approach

GDPR will have a huge impact on almost all web businesses, which will have a ripple effect on how your website integrates with your other digital activities. Email marketing, social media, e-commerce, registration, and even basic contact forms are also included.

We are well aware of the seriousness of the changes in the law, which is why we have already started the process of discovering what adjustments may be necessary for our extensions and templates including Helix to meet the requirements.

Here are some examples of what you can expect in the future to address GDPR compliance:

  • Checkboxes (Opt-in) for all forms used in the extensions (like Contact and Form Builder Addon already have).
  • Cookie notice bar for Helix Ultimate and Helix3 template framework.
  • Extensions that allow user registration to create a new account (SP LMS, for example) will get systems that give users the option to entirely delete an applicable user account (“Right to Be Forgotten”).
  • Access to information collected or submitted by them (via form) on your Joomla site.
  • We will integrate options for users to modify or remove their submitted personal information.
  • And other necessary measures.

In this post, our intention is to inform you about new regulations, and reassure you that we are carefully keeping an eye on what changes would be necessary to meet GDPR and ePR requirements. We suggest you to also check the 3rd party products that you are using (e.g. VM3, J2Store, HikaShop, AcyMailing etc.), to compare their features with GDPR requirements. Good luck!

 

J
Joy
4 years ago
Sounds good, but where can i find those cookie notice bar? And its a well good move to improve gpdr in the solutions.
A
afgn751
4 years ago
GDPR is not cookie notice bar. Read careful article above! :)
Paul Frankowski
Paul Frankowski
4 years ago
Cookie bar is one of many request, beside it should prevents any cookies sent by Joomla, and any JavaScript cookies from being set until the user accepts them.
pepperstreet
pepperstreet
4 years ago
Paul Frankowski
Paul Frankowski
4 years ago
MMDoege
MMDoege
4 years ago
Up to now we use a 3rd party extension as Cookie Policy is in existence already for years in EU and nothing new: https://www.perfect-web.co/joomla-extensions/cookie-policy-for-joomla. Have a look. Would be great to have an extension by Joomshaper.
Paul Frankowski
Paul Frankowski
4 years ago
Yes, it will be something similar, but we have to think about form, plugin or part of helix. Don't you think that EU e-Privacy Directive module is much better?
pepperstreet
pepperstreet
4 years ago
Happy Birthday, it has become a free plugin ;)
https://www.joomshaper.com/joomla-extensions/cookieconsent
Chris Hall
Chris Hall
4 years ago
Good post, thanks!

Any thoughts on how backups might be affected by the 'right to be forgotten'?
Paul Frankowski
Paul Frankowski
4 years ago
Thanks.
Right, I almost forgot about that topic. I think you should talk with IT lawyers.
Because backup can be made by You and/or hosting company automatically (each day). And if we talk about 2nd option, you do not have access to their backup server.
Paul Frankowski
Paul Frankowski
4 years ago
There is one trick...
In Akeeba backup you can disable selected tables from backup. It can prevent make backup from "component" which collect user data. But it can be painful in case of real shop crash, no customers list.
M
Mark
4 years ago
Hello,

there are already two solutions that handle this matter:

It would be great, if all this functionality would be implemented in Helix 3 / Helix Ultimate.

If the the sites we build / have built are not updated accordingly until May 25 it can get really problematic.

Especially in Germany where we have law firms that are specialized in "Abmahnungen", where these legally make german website owners pay for not having compliant websites (e.g. wrong or missing legal notice) even without having a client mandate for this. They will surely be starting to look for not GDPR compliant websites.

But as you stated in the article the new rules apply to every site that does business within the EU. So this also includes the Joomshaper site. As well as to every site that is and has been built with a Joomshaper template that is used for business with EU customers.

So a full featured solution that is already implemented in Helix 3 and Helix Ultimate would be very much welcome.
Paul Frankowski
Paul Frankowski
4 years ago
Thanks, I know both software solutions.
Not only in Germany you have "blackmail" law firms, it's popular over whole EU. This process started several years ago. And it has intensified during the implementation of the requirements of private cookies notify bar. How low you have to fall to do this "law" profession.
I
ingosun
4 years ago
Hi,
When I read comments regarding GDPR and cookies I get a feeling that many think they are already legal when they have a cookie bar solution. Just a cookie bar is not enough from the 25th of May. And I think a majority of all webpages has a private policy which doesn't include all information you need to have in it after the 25th of May. Also you have to be sure that your cookie bar isn't just an information bar.

Just as an example I have 3 common issues which I think many cookie bars doesn't support:
1. You are not allowed to store a cookie before the visitor has accepted cookies, as Paul mention above. A lot of cookie bars are just information bars today and the CMS has already stored cookies when the visitor arrives to the site. This is not legal.
So, if you have an old cookie bar you have to make sure the module load the cookies after the user has accepted cookies. If not, it's not legal. In fact, it's not even legal today with the old rules, however, nobody has taken this seriously and with the new GDPR law you better make sure you have a module which follows the requirements in GDPR.

2. It's not any longer acceptable to inform the user e.g. "if you continue to use this site you have accepted cookies". This is not legal. The user has to do an active choice.

3. The visitor shall be able to change their choice whenever they want, so, you need a button on the first page so the visitors can do a new choice about cookies when they visit your site later.

My suggestion is that a module which should handle the cookie part of the GDPR shall not be a bar anymore. It must be a popup so the visitor can't miss it. The visitor has to accept cookies on a curtain level because your site doesn't work without cookies, therefore I want to be able to set in the Joomla backend which cookies belongs to required cookies, functional cookies and advertising cookies. I think that's the way to be able to handle this seriously against your visitors.

The easy way is of course to inform your visitor that on this site they accept all kind of cookies, which you list in the private policy documentation, when they push the accept button. However, as a webpage owner I want to show my visitors that we take this serious and if they don't want that we analyses their behavior etc they shall be able to not accept this.

A good example is the the IBM homepage cookie popup which is powered by TrustArc: https://www.ibm.com/us-en/

They have 3 levels of cookies and the user can set the preferences for following:
1. Required cookies, this is cookies to enable core site functionality as e.g. security cookies. The visitor has to accept this level otherwise they can continue viewing your site.
2. Functional cookies, e..g. Google Analytics. To be able to improve your site.
3. Advertising cookies.
This is something we looking for. But TrustArc is to "heavy" for us.
Has anyone seen this kind of component/module for Joomla?

//Peter
Paul Frankowski
Paul Frankowski
4 years ago
thanks, fully agree with you.
Check features of "EU e-Privacy Directive" module , it's still free.
P
Prometheus661
4 years ago
Has anyone found something like TrustArc for Joomla yet ?
Gavin Bates
Gavin Bates
4 years ago
Good article - do you have any practical advice on how to prepare / update a privacy policy or cookie policy.

On reading other articles and looking at GDPR websites - people are charging a fortune to provide GDPR compliant privacy policies - if there is a cheaper / free option it would be good to know.
Paul Frankowski
Paul Frankowski
4 years ago
Although I am a lawyer by education, each country has its own guidelines, besides it is still wandering, because there is no judicial decisions in this matter (too fresh). So to be honest all lawyers are one hand in legislation fog. It's better to describe each aspect of using private data as much as possible. Inform the user about the collected data, offer the possibility of viewing this data and even removing it.
Paul Frankowski
Paul Frankowski
4 years ago
What is "funny/weird" result some small companies from US/Canada started to block traffic from EU (via IP) to reduce legal problems with GDPR regulations.
S
ssnobben
4 years ago
How will this fit with Joomlas GDPR initiative? https://www.joomla.org/announcements/release-news/5731-joomla-3-9-and-joomla-3-10.html
Paul Frankowski
Paul Frankowski
4 years ago
Default features will fit. On others we are working on.
H
Hu
4 years ago
Since there are only two weeks left, is there a timeline for the new release?
Paul Frankowski
Paul Frankowski
4 years ago
You asking in general or in the subject of a specific product (framework or extension) ?
H
Hu
4 years ago
We use the revibe template.
Paul Frankowski
Paul Frankowski
4 years ago
In Revibe, if you do not have shop or social network there - just update SPPB to 3.2.x which have checkbox in contact form, delete contact override from template, then install cookie plugin, rewrite Private Policy and wait for official Joomla update.
H
Hu
4 years ago
Thanks, will try it. :D
Paul Frankowski
Paul Frankowski
4 years ago
We all wait for GDPR changes in Joomla core. So far we have seen only preview, not working code.
H
Hu
4 years ago
I had a look at the recommended EU e-privacy plugin. In my opinion, this does not fulfill GDPR, at least for Germans. You have to distinguish between necessary and optional cookies. Or miss I something?
Paul Frankowski
Paul Frankowski
4 years ago
E-privacy is just a plugin, and in Germany you need more advanced solution for GDPR.
So far I have seen 2 good, but they are commercials only.
---
Nobody said that GDPR implementation in whole EU would be easy. :(
More advanced site needs more advanced solution, for basic site there are easy ways.
About two months ago there was training meeting about GDPR regulation they told us that nobody is going to punish with fee small site owners at the beginning, warning mostly. Beside the most important is good Privacy Policy document. All extra software is on 2nd place.
H
Hu
4 years ago
So, we will wait for your update ... :)
Paul Frankowski
Paul Frankowski
4 years ago
Yes, we are also waiting for Joomla update.
BTW You should ask your clients for extra money for GDPR implementation to buy extra component.
H
Hu
4 years ago
I got an email tody grom you regardings this plugin:
[url="https://www.joomshaper.com/joomla-extensions/cookieconsent"]Your text to link[/url]
"Get it now to stay one step ahead of your GDPR compliance process."

I don't think that this is sufficient to be GDPR compliant.
P
pamaed
4 years ago
the big difference between Wordpress and joomla is:

17.05.2018 - WordPress 4.9.6 Privacy and Maintenance [b]Release[/b]
22.05.2018 - Joomla! 3.9 ... [b]Coming soon![/b]

this is why "[b][i]30% of the web uses WordPress[/i][/b]"
Paul Frankowski
Paul Frankowski
4 years ago
[quote]“If you want to make the world a better place, take a look at yourself, and make a change.”[/quote] ― Michael Jackson

Nobody stops you to join to Joomla Team. Every hand & mind may help.


[img]https://image.ibb.co/jwWeao/ext.jpg[/img]
Paul Frankowski
Paul Frankowski
4 years ago
Beside you can install commercial components which offers this feature already. So don't tell me about uniqueness of Wordpress.
P
pamaed
4 years ago
[img]http://quotesideas.com/wp-content/uploads/2015/11/greagory-house-house-md-nane-omar-epps-quote-Favim.com-132848.jpg[/img]
pepperstreet
pepperstreet
4 years ago
Please, install WP and live happily ever after. ;)

Seriously, the only difference in the privacy release is the "personal data export", which is a more complex task in WP, because it has to support the integrated comments. Everything else is possible with Joomla core now. It's a matter of setup, configuration and foremost communication(!) with the site user. I am referring to Joomla core and basic user registration and optional profile plugin.
Paul Frankowski
Paul Frankowski
4 years ago
Indeed, beside not all sites collect users profiles.
Most basic sites have only simple contact form. Which also doesn't collect any data in CMS, all messages are auto-transferred into e-mail box. So for them you do not need personal data export. Until you have you keep mail, you resend message to user if he ask. Good idea is inform in Private Policy that all, not order, emails from contact form are stored max 30 or 60 days in inbox, then deleted. So you are clean in face of the law.
JP
James Peter
4 years ago
Hello, [b]Paul [/b]

May i know how will this fit with Joomla GDPR initiative? [url="https://www.joomla.org/announcements/release-news/5731-joomla-3-9-and-joomla-3-10.html"]https://www.joomla.org/announcements/release-news/5731-joomla-3-9-and-joomla-3-10.html[/url]

Thanks & Regards,
[b]James[/b]
Paul Frankowski
Paul Frankowski
4 years ago
In general is okay, but if you have advanced website you have to install GDPR component. BTW
And use less SPAM links in your comments. I deleted one.
S
sherylbrock
4 years ago
This guide is very useful and interesting but unfortunately requires all users to be registered before sending a form.
A user who wants to remove the data entered in a form will probably want to remove them from Joomla! too.
Regarding all websites that didn't require registration, the problem of data deletion now arises for the user's data stored in the database, and Joomla! provides no way for a user to remove his account by himself.
Paul Frankowski
Paul Frankowski
4 years ago
Probably you have never read GDPR regulation, and you repeat unverified myths.
D
dadwarner
4 years ago
It's become a free plugin for long[url="https://morpheus-tv.com/morpheus-tv-for-pc/"].[/url]?
[url="https://www.joomshaper.com/joomla-extensions/cookieconsent"]https://www.joomshaper.com/joomla-extensions/cookieconsent
[/url]
Paul Frankowski
Paul Frankowski
4 years ago
"for long" ??
it's plugin for members.
You can use this one or others from JED.
Maybe it's time to order one of our products.
J
Janette
3 years ago
They correctly said that "beside not all sites collect users profiles.
Most basic sites have only simple contact form". However, as we know, the Internet remembers everything. This is clearly seen in copyright for any text. Copying is sometimes necessary but I'm still glad that the GDPR law is being implemented.

Sign up for our newsletter

Don’t miss any updates of our new templates and extensions and all the astonishing offers we bring for you.