
JoomShaper’s approach to GDPR compliance

20 April 2018

Joomla is the second most used web technology, powering 3.1% of all websites (a CMS market share of 6.2%), and it has a lot to do to address all GDPR issues. Making Joomla-based sites GDPR compliant is indeed a tough job. The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in the last several years. This post is to inform all of our users that we are aware of the GDPR and are taking it seriously.

What is GDPR?

The GDPR (General Data Protection Regulation) was designed to harmonize data protection and privacy laws across Europe. It applies to organisations located both within and outside the European Union that offer goods or services to, or monitor the behaviour of, EU data subjects. This means that if you handle EU customers, the regulation applies to you even if your online business is not based in the EU. A tip for UK webmasters: the GDPR will come into effect before the UK leaves the EU.

The regulation was approved and adopted by the European Parliament and will be effective from May 25, 2018. The EU ePrivacy Regulation (ePR) has the same territorial scope as the GDPR, carries an identical penalty regime for non-compliance and is also intended to come into effect on the same day.

What are the penalties for non-compliance? Your company can be fined up to 4% of annual global turnover or €20 million for breaching the GDPR. Making your website GDPR compliant is therefore crucial.

The GDPR-ePR stuff and JoomShaper's approach

The GDPR will have a huge impact on almost all web businesses, with a ripple effect on how your website integrates with your other digital activities. Email marketing, social media, e-commerce, registration, and even basic contact forms are all affected.

We are well aware of the seriousness of the changes in the law, which is why we have already started discovering what adjustments may be necessary for our extensions and templates, including Helix, to meet the requirements.

Here are some examples of what you can expect in the future to address GDPR compliance:

  • Opt-in checkboxes for all forms used in the extensions (as the Contact and Form Builder addons already have).
  • A cookie notice bar for the Helix Ultimate and Helix3 template frameworks.
  • Extensions that allow users to register a new account (SP LMS, for example) will get a mechanism that lets users delete their account entirely (the “Right to Be Forgotten”).
  • Users will get access to the information collected about them or submitted by them (via a form) on your Joomla site.
  • We will integrate options for users to modify or remove their submitted personal information.
  • And other necessary measures.

In this post, our intention is to inform you about the new regulations and to reassure you that we are carefully watching what changes will be necessary to meet GDPR and ePR requirements. We also suggest checking the third-party products you are using (e.g. VM3, J2Store, HikaShop, AcyMailing, etc.) and comparing their features with the GDPR requirements. Good luck!

Comments (45)

Joy:

Sounds good, but where can I find that cookie notice bar? And it's a really good move to improve GDPR in the solutions.

afgn751 (replying to Joy):

GDPR is not a cookie notice bar. Read the article above carefully!

Paul Frankowski (replying to afgn751):

A cookie bar is one of many requirements; besides, it should prevent any cookies sent by Joomla, and any JavaScript cookies, from being set until the user accepts them.

pepperstreet:

Paul Frankowski (replying to pepperstreet):

MMDoege:

Up to now we use a 3rd party extension, as a Cookie Policy has already existed in the EU for years and is nothing new: https://www.perfect-web.co/joomla-extensions/cookie-policy-for-joomla. Have a look. It would be great to have an extension by JoomShaper.

Paul Frankowski (replying to MMDoege):

Yes, it will be something similar, but we have to think about the form: a plugin or part of Helix. Don't you think that the EU e-Privacy Directive module is much better?

pepperstreet (replying to MMDoege):

Happy Birthday, it has become a free plugin
https://www.joomshaper.com/joomla-extensions/cookieconsent

Chris Hall:

Good post, thanks!

Any thoughts on how backups might be affected by the 'right to be forgotten'?

Paul Frankowski (replying to Chris Hall):

Thanks.
Right, I almost forgot about that topic. I think you should talk with IT lawyers.
Because backups can be made by you and/or by the hosting company automatically (each day). And if we talk about the 2nd option, you do not have access to their backup server.

Paul Frankowski (replying to Chris Hall):

There is one trick...
In Akeeba Backup you can exclude selected tables from the backup. It can prevent backing up the "component" which collects user data. But it can be painful in case of a real shop crash: no customers list.

Mark:

Hello,

there are already two solutions that handle this matter:

It would be great if all this functionality were implemented in Helix 3 / Helix Ultimate.

If the sites we build / have built are not updated accordingly by May 25 it can get really problematic.

Especially in Germany, where we have law firms that are specialized in "Abmahnungen", where these legally make German website owners pay for not having compliant websites (e.g. wrong or missing legal notice) even without having a client mandate for this. They will surely be starting to look for non-GDPR-compliant websites.

But as you stated in the article, the new rules apply to every site that does business within the EU. So this also includes the JoomShaper site, as well as every site that is and has been built with a JoomShaper template that is used for business with EU customers.

So a full-featured solution that is already implemented in Helix 3 and Helix Ultimate would be very much welcome.

Paul Frankowski (replying to Mark):

Thanks, I know both software solutions.
Not only in Germany do you have "blackmail" law firms; it's popular over the whole EU. This process started several years ago, and it has intensified during the implementation of the requirements for private cookie notification bars. How low you have to fall to do this "law" profession.

ingosun:

Hi,
When I read comments regarding GDPR and cookies I get the feeling that many think they are already legal when they have a cookie bar solution. Just a cookie bar is not enough from the 25th of May. And I think the majority of all web pages have a privacy policy which doesn't include all the information you need to have in it after the 25th of May. Also you have to be sure that your cookie bar isn't just an information bar.

Just as an example, I have 3 common issues which I think many cookie bars don't support:
1. You are not allowed to store a cookie before the visitor has accepted cookies, as Paul mentions above. A lot of cookie bars are just information bars today and the CMS has already stored cookies when the visitor arrives at the site. This is not legal.
So, if you have an old cookie bar you have to make sure the module loads the cookies after the user has accepted cookies. If not, it's not legal. In fact, it's not even legal today with the old rules; however, nobody has taken this seriously, and with the new GDPR law you had better make sure you have a module which follows the requirements in the GDPR.

2. It's no longer acceptable to inform the user e.g. "if you continue to use this site you have accepted cookies". This is not legal. The user has to make an active choice.

3. The visitor shall be able to change their choice whenever they want, so you need a button on the first page so that visitors can make a new choice about cookies when they visit your site later.

My suggestion is that a module which should handle the cookie part of the GDPR shall not be a bar anymore. It must be a popup so the visitor can't miss it. The visitor has to accept cookies at a certain level because your site doesn't work without cookies; therefore I want to be able to set in the Joomla backend which cookies belong to required cookies, functional cookies and advertising cookies. I think that's the way to be able to handle this seriously towards your visitors.

The easy way is of course to inform your visitors that on this site they accept all kinds of cookies, which you list in the privacy policy documentation, when they push the accept button. However, as a web page owner I want to show my visitors that we take this seriously, and if they don't want us to analyse their behaviour etc. they shall be able to not accept this.

A good example is the IBM homepage cookie popup which is powered by TrustArc: https://www.ibm.com/us-en/

They have 3 levels of cookies and the user can set the preferences for the following:
1. Required cookies; these are cookies to enable core site functionality, e.g. security cookies. The visitor has to accept this level otherwise they can continue viewing your site.
2. Functional cookies, e.g. Google Analytics, to be able to improve your site.
3. Advertising cookies.
This is something we are looking for. But TrustArc is too "heavy" for us.
Has anyone seen this kind of component/module for Joomla?

//Peter

Paul Frankowski (replying to ingosun):
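The three requirements in the comment above (no non-essential cookie before an active opt-in, no "continuing means consent", and a choice the visitor can revise later) as an added example; this is not code from the post or from JoomShaper. It runs under Node with an in-memory Map standing in for document.cookie, and the cookie names, values and the three categories (required, functional, advertising) are constructed for the walk-through.

```javascript
// Added example (not from the post or JoomShaper): a consent gate for the points
// above. A Map stands in for document.cookie; names and values are constructed.
const CATEGORIES = ['required', 'functional', 'advertising'];

class ConsentGate {
  constructor() {
    this.jar = new Map();   // cookie name -> { value, category }
    this.choice = null;     // stays null until the visitor makes an active choice
    this.pending = [];      // non-essential cookies held back until consent
  }

  // Every cookie the site wants to set goes through here. Required cookies
  // (session, CSRF token) pass; anything else waits for an explicit opt-in.
  setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) throw new Error('unknown category: ' + category);
    if (category === 'required' || (this.choice && this.choice[category])) {
      this.jar.set(name, { value, category });
      return true;
    }
    this.pending.push({ name, value, category });
    return false;
  }

  // The only way to enable non-required cookies is an active choice; there is no
  // "continuing to browse means consent" path. Calling it again revises the choice.
  applyChoice(prefs) {
    this.choice = { required: true, functional: Boolean(prefs.functional), advertising: Boolean(prefs.advertising) };
    // The stored choice is itself a required cookie: it is needed to honour the choice.
    this.jar.set('cookie_consent', { value: JSON.stringify(this.choice), category: 'required' });
    // Release held-back cookies that are now permitted; keep holding the rest.
    this.pending = this.pending.filter((c) => {
      if (!this.choice[c.category]) return true;
      this.jar.set(c.name, { value: c.value, category: c.category });
      return false;
    });
    // Withdraw cookies of any category the visitor has just turned off.
    for (const [name, c] of this.jar) {
      if (!this.choice[c.category]) this.jar.delete(name);
    }
  }

  cookieNames() { return [...this.jar.keys()].sort(); }
}

// Constructed walk-through: first visit, opt in to functional only, then revise.
function scenario() {
  const gate = new ConsentGate();
  gate.setCookie('joomla_session', 'abc123', 'required');  // CMS session: set at once
  gate.setCookie('_ga', 'GA1.2.1', 'functional');           // analytics: held back
  gate.setCookie('ads_id', 'xyz', 'advertising');           // advertising: held back
  const beforeChoice = gate.cookieNames();
  gate.applyChoice({ functional: true, advertising: false });
  const afterOptIn = gate.cookieNames();
  gate.applyChoice({ functional: false, advertising: false }); // change of mind later
  const afterRevoke = gate.cookieNames();
  return { beforeChoice, afterOptIn, afterRevoke };
}
```

In a real site the same gate would wrap the code that injects analytics or ad tags, so that those scripts are only loaded when the matching category is allowed.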

Thanks, I fully agree with you.
Check the features of the "EU e-Privacy Directive" module, it's still free.

Prometheus661 (replying to ingosun):

Has anyone found something like TrustArc for Joomla yet?

Gavin Bates:

Good article - do you have any practical advice on how to prepare / update a privacy policy or cookie policy?

On reading other articles and looking at GDPR websites, people are charging a fortune to provide GDPR compliant privacy policies - if there is a cheaper / free option it would be good to know.

Paul Frankowski (replying to Gavin Bates):

Although I am a lawyer by education, each country has its own guidelines; besides, it is still wandering, because there are no judicial decisions in this matter (too fresh). So to be honest all lawyers are in the same legislation fog. It's better to describe each aspect of using private data as much as possible. Inform the user about the collected data, offer the possibility of viewing this data and even removing it.

Paul Frankowski (replying to Gavin Bates):

What is a "funny/weird" result: some small companies from the US/Canada started to block traffic from the EU (via IP) to reduce legal problems with the GDPR regulations.

ssnobben:

Paul Frankowski (replying to ssnobben):

Default features will fit. We are working on the others.

Hu:

Since there are only two weeks left, is there a timeline for the new release?

Paul Frankowski (replying to Hu):

Are you asking in general or about a specific product (framework or extension)?

Hu:

We use the Revibe template.

Paul Frankowski (replying to Hu):

In Revibe, if you do not have a shop or social network there - just update SPPB to 3.2.x, which has a checkbox in the contact form, delete the contact override from the template, then install the cookie plugin, rewrite the Privacy Policy and wait for the official Joomla update.

Hu (replying to Paul Frankowski):

Thanks, will try it.

Paul Frankowski (replying to Hu):

We are all waiting for GDPR changes in the Joomla core. So far we have seen only a preview, not working code.

Hu (replying to Paul Frankowski):

I had a look at the recommended EU e-privacy plugin. In my opinion, this does not fulfil the GDPR, at least for Germans. You have to distinguish between necessary and optional cookies. Or am I missing something?

Paul Frankowski (replying to Hu):

E-privacy is just a plugin, and in Germany you need a more advanced solution for the GDPR.
So far I have seen 2 good ones, but they are commercial only.
---
Nobody said that GDPR implementation in the whole EU would be easy.
A more advanced site needs a more advanced solution; for a basic site there are easy ways.
About two months ago there was a training meeting about the GDPR regulation; they told us that nobody is going to punish small site owners with a fee at the beginning, mostly warnings. Besides, the most important thing is a good Privacy Policy document. All extra software is in 2nd place.

Hu (replying to Paul Frankowski):

So, we will wait for your update ...

Paul Frankowski (replying to Hu):

Yes, we are also waiting for the Joomla update.
BTW, you should ask your clients for extra money for GDPR implementation to buy an extra component.

Hu (replying to Hu):

I got an email today from you regarding this plugin:
Your text to link
"Get it now to stay one step ahead of your GDPR compliance process."

I don't think that this is sufficient to be GDPR compliant.

pamaed:

the big difference between WordPress and Joomla is:

17.05.2018 - WordPress 4.9.6 Privacy and Maintenance Release
22.05.2018 - Joomla! 3.9 ... Coming soon!

this is why "30% of the web uses WordPress"

Paul Frankowski (replying to pamaed):

“If you want to make the world a better place, take a look at yourself, and make a change.”
― Michael Jackson

Nobody stops you from joining the Joomla Team. Every hand & mind may help.


https://image.ibb.co/jwWeao/ext.jpg

Paul Frankowski (replying to Paul Frankowski):

Besides, you can install commercial components which offer this feature already. So don't tell me about the uniqueness of WordPress.

pamaed (replying to Paul Frankowski):

http://quotesideas.com/wp-content/uploads/2015/11/greagory-house-house-md-nane-omar-epps-quote-Favim.com-132848.jpg

pepperstreet (replying to pamaed):

Please, install WP and live happily ever after.

Seriously, the only difference in the privacy release is the "personal data export", which is a more complex task in WP because it has to support the integrated comments. Everything else is possible with Joomla core now. It's a matter of setup, configuration and foremost communication(!) with the site user. I am referring to Joomla core and basic user registration and the optional profile plugin.

Paul Frankowski (replying to pepperstreet):

Indeed, besides, not all sites collect user profiles.
Most basic sites have only a simple contact form, which also doesn't collect any data in the CMS; all messages are auto-transferred into an e-mail box. So for them you do not need personal data export. As long as you keep the mail, you can resend the message to the user if he asks. A good idea is to inform in the Privacy Policy that all emails from the contact form, except orders, are stored max 30 or 60 days in the inbox, then deleted. So you are clean in the face of the law.

James Peter:

Hello, Paul

May I know how this will fit with the Joomla GDPR initiative? https://www.joomla.org/announcements/release-news/5731-joomla-3-9-and-joomla-3-10.html

Thanks & Regards,
James

Paul Frankowski (replying to James Peter):

In general it is okay, but if you have an advanced website you have to install a GDPR component. BTW
And use fewer SPAM links in your comments. I deleted one.

sherylbrock:

This guide is very useful and interesting but unfortunately requires all users to be registered before sending a form.
A user who wants to remove the data entered in a form will probably want to remove it from Joomla! too.
Regarding all websites that didn't require registration, the problem of data deletion now arises for the user's data stored in the database, and Joomla! provides no way for a user to remove his account by himself.

Paul Frankowski (replying to sherylbrock):

Probably you have never read the GDPR regulation, and you repeat unverified myths.

dadwarner:

Paul Frankowski:

"for long" ??
It's a plugin for members.
You can use this one or others from the JED.
Maybe it's time to order one of our products.

Janette:

They correctly said that "beside not all sites collect users profiles.
Most basic sites have only simple contact form". However, as we know, the Internet remembers everything. This is clearly seen in copyright for any text. Copying is sometimes necessary, but I'm still glad that the GDPR law is being implemented.
