SlideShare ist ein Scribd-Unternehmen logo

Privacy: a fundamental feature in web application development

Achilleas Papageorgiou
Achilleas Papageorgiou

Privacy and GDPR are among the most important issues for web developers, users, businesses, and governments. This presentation will introduce important requirements a web developer should take into account in order to ensure the privacy of its application users. In addition, examples of how Joomla! contributes in this direction. Privacy: a fundamental feature in web application development” in JoomlaTalks 2019 (Athens, Greece), https://joomlatalks.gr/en/

Technologie
1 von 45
Privacya fundamental feature in web application development Achilleas Papageorgiou Alkaios Anagnostopoulos
Intro ● Privacy and why it matters ● Personal data protection ● GDPR requirements ● Key points to the path for compliance ● How to adapt your development actions & efforts ● The Joomla! 3.9 Privacy Tool Suite and its great features ● The Joomla! Compliance team (scope and goals)
Alkaios ● MSc student in Distributed Systems, Security and Emerging Information Technologies, University of Piraeus ● Software Developer in idcs, Business Unit of Intelligent Media LTD ● Member of Compliance Team in Joomla! ● NOT a lawyer!
Achilleas ● PhD candidate in Personalized Health Services & Privacy, University of Piraeus ● Researcher at the EU H2020 OPERANDO Project (GA no. 653704) ● Head of Digital Strategy in idcs, Business Unit of Intelligent Media LTD ● Leader of Compliance Team in Joomla! (July 2018 - now) ● NOT a lawyer!
Members of the Joomla! Compliance team The Project has to evaluate the impact of the privacy related regulations, such as GDPR and update its privacy policy and internal process accordingly. This is about Open Source Matters Inc. (OSM) the not-for profit organization that supports the Joomla! Project, not the CMS. https://volunteers.joomla.org/teams/compliance-team Definitely NOT an easy task!
Privacy: A human fundamental right
Privacy: A human fundamental right
GDPR - The after 25/05/2018 era Do you choose Panic? KEEP CALM AND TAKE ACTION Do you choose Apathy?
GDPR: A game changer in privacy ● Definitions of Controllers, Processors, Joint Controllers ● Responsibilities, roles and the DPO role ● Upfront consent, lawful basis consent, implicit vs explicit consent ● Specified advance data subjects rights - Chapter 3 Articles 12 to 23 ● Right to be forgotten and Retention periods - Article 17 ● Data Protection Impact Assessment (DPIA) - Article 35 ● Security measures - Article 32 ● Data breaches and administrative fines - Article 83
What is Personal data... ...and where can you spot them https://ec.europa.eu/justice/smedataprotect/index_en.htm
Map personal data flows Forms Cookies DBs APIs Emails Data entry points Data entry points Data processing Data storage
Privacy risks “We are witnessing the phenomenon of the development of an online ‘heaven’ of personal data sharing that can be potentially transformed to a personal ‘hell’ for any individual or company” Papageorgiou, A., GDPR Awareness: From privacy risks to the need for countermeasures, https://magazine.joomla.org/issues/issue-mar-2018/item/3314-gdpr-awareness-from-privacy-risk s-to-the-need-for-countermeasures
Privacy risks GDPR & OWASP mapping on: Top 10 Privacy Risks owasp.org Papageorgiou, A., GDPR Awareness: From privacy risks to the need for countermeasures, https://magazine.joomla.org/issues/issue-mar-2018/item/3314-gdpr-awareness-from-privacy-risks-to-the-need-for-countermeasures
So, what is Privacy in Web development - Trend to be forgotten? (i.e. pop-ups that will be forgotten) - A software extension? Many extensions together? (i.e. plug and play solutions) - Is it an only legal area of practice? (i.e. it’s all related to the legal text onsite)
Define your role (GDPR based) (Art. 4 of GDPR) Data Controller Data Processor Controls the data flow of a service Processes the data on behalf of this data flow Determines the purposes and means of the processing of personal data Processes personal data on behalf of the controller
Controller & Processor Controller Examples: ● An owned and self-hosted website ● An owner of a service that uses third party software Processor Examples: ● Automated Mailing Company that sends newsletters ● A third party form SaaS solution ● A third party analytics service for websites
Privacy is related (not limited) to... ● Personal data protection measures ● Confidentiality (i.e. Encryption, Hash, TLS, etc) ● Integrity (i.e. Action Logs, Data Isolation, Role-based Access, etc) ● Availability (i.e. Firewall, DDoS prevention, IDS/IPS, Backup, etc) ● Responsible, transparent and secure data management ● Collaboration between all involved parties (1st party, 3rd party services, etc)
User rights ● The Right to Be Informed ● The Right of Access ● The Right to Rectification ● The Right to Erasure ● The Right to Restrict Processing ● The Right to Data Portability ● The Right to Object
Retention policies When you result to an end of the necessity of data processing based on the scope that they have been collected, then you must delete them (‘right to be forgotten’)
Data minimization Your users hold a lot of personal information so make sure that you collect and process only what you need!
Privacy by default Always make sure that your user’s default settings are pre-defined to the most private (ensure freely given consents) Koho, R., Privacy by default and GDPR, examples and best practises: https://magazine.joomla.org/issues/issue-apr-2018/item/3318-privacy-by-de fault-and-gdpr-examples-and-best-practises
Privacy by design Align your project’s methodologies and internal procedures with privacy & security standards
How Joomla! CMS assists the whole script - Privacy Tool Suite, introduced in Joomla! 3.9 thanks to the huge work done by Michael Babker (Release Lead) and all the other volunteers who coded, tested & translated https://www.joomla.org/3/thank-you - Action User Logs - Consent Management - Personal Data Edit and Management (right to rectification) - Export all user’s personal data to a valid and machine readable format (right to data portability) - Anonymize all user’s data and by extension delete them (right to be forgotten)
Plugin Configuration Enable and setup the Privacy System Plugin. If the user doesn’t feel like giving consent, will be redirected to Profile Editing Section
Provide your Privacy Policy
Meanwhile - Change Password Policy
First Login ● Edit Personal Data ● Accept (or not ) Privacy Policy
Collect & Manage Consents
Check for expired consents ● Set consent expiration time ● Check for nearly expiring consents ● Set reminders before expiration
User Action Logs
Remove & Export Requests
Remove & Export Requests Based on the “right to be forgotten” and the “right to portability”, choose weather to export or remove your user’s data ( always according to their request! )
Remove Request Send a confirmation mail to your user with a 24 hours unique token binded on the request and the email address
Remove Request The user must visit the confirmation URL and submit the removal request
Remove Request As long as the request is confirmed, we can proceed to the deletion of the user and mark the request as completed:
Remove Request As long as the request is completed we can take a look to our users’ information
Export Request As described in the “Remove Request”, the process for the “Export Request” is almost the similar. The only difference is that we can either download user’s data or send to the user’s email an attachment. Both choices produce an xml file (machine-readable format) with all the required information.
Export Request XML All of user’s Personal Data are exported in XML format, including: ● Personal Information ● User ID ● Registration Date ● Last Visit Date ● Account Parameters ● User Custom Fields ● User’s Action Log
Export Request XML
Remove & Export Requests Set up a date plan as a reminder for pending requests to be considered “urgent”
Download it and adapt your compliance plan https://downloads.joomla.org/
Some words about the Compliance team ● Main focus on the joomla.org/OSM properties ● Weekly meetings ● Tasks priority and severity, evaluated based on Eisenhower Matrix ● GDPR requirements mapping & web properties assessment ● Members from Italy, France, Germany, The Netherlands, Finland, UK, Greece ● The most important thing that keep us focused & productive: we love Joomla & we are having fun! :D
● Third parties & DPAs ● SSO & Identity Management System ● Cookie audit & policies ● Backup Policy ● Incident Response Plan ● Articles in Joomla Community Magazine ● & more…! Joomla! Compliance current team & tasks https://volunteers.joomla.org/teams/compliance-team
Cross-CMS privacy coalition and Joomla! Members from: Drupal, Wordpress, Typo3, Umbraco CMS and ofcourse... Joomla! Compliance Team members are collaborating in weekly meetings!
Many thank you for your attention!

Empfohlen

Data Protection Forum meetup 23052017
Data Protection Forum meetup 23052017 Data Protection Forum meetup 23052017
Data Protection Forum meetup 23052017 John M Walsh
 
Information security and research data
Information security and research dataInformation security and research data
Information security and research dataTomppa Järvinen
 
Niall Rooney FD Event 05.09.19
Niall Rooney FD Event 05.09.19Niall Rooney FD Event 05.09.19
Niall Rooney FD Event 05.09.19Niall Rooney
 
GDPR Is Around the Corner - Don't Panic
GDPR Is Around the Corner - Don't PanicGDPR Is Around the Corner - Don't Panic
GDPR Is Around the Corner - Don't PaniceZ Systems
 
GDPR Overview
GDPR OverviewGDPR Overview
GDPR OverviewTrish McGinity, CCSK
 
Simple GDPR Overview
Simple GDPR OverviewSimple GDPR Overview
Simple GDPR OverviewGydeline Ltd
 
Data Protection GDPR Basics
Data Protection GDPR BasicsData Protection GDPR Basics
Data Protection GDPR BasicsElizabeth Dunne B.L. PC.dp
 
ABM Display Advertising Success in the World of GDPR [PPT]
ABM Display Advertising Success in the World of GDPR [PPT]ABM Display Advertising Success in the World of GDPR [PPT]
ABM Display Advertising Success in the World of GDPR [PPT]Kwanzoo Inc
 

Empfohlen

Data Protection Forum meetup 23052017
Data Protection Forum meetup 23052017 Data Protection Forum meetup 23052017
Data Protection Forum meetup 23052017 John M Walsh
 
Information security and research data
Information security and research dataInformation security and research data
Information security and research dataTomppa Järvinen
 
Niall Rooney FD Event 05.09.19
Niall Rooney FD Event 05.09.19Niall Rooney FD Event 05.09.19
Niall Rooney FD Event 05.09.19Niall Rooney
 
GDPR Is Around the Corner - Don't Panic
GDPR Is Around the Corner - Don't PanicGDPR Is Around the Corner - Don't Panic
GDPR Is Around the Corner - Don't PaniceZ Systems
 
GDPR Overview
GDPR OverviewGDPR Overview
GDPR OverviewTrish McGinity, CCSK
 
Simple GDPR Overview
Simple GDPR OverviewSimple GDPR Overview
Simple GDPR OverviewGydeline Ltd
 
Data Protection GDPR Basics
Data Protection GDPR BasicsData Protection GDPR Basics
Data Protection GDPR BasicsElizabeth Dunne B.L. PC.dp
 
ABM Display Advertising Success in the World of GDPR [PPT]
ABM Display Advertising Success in the World of GDPR [PPT]ABM Display Advertising Success in the World of GDPR [PPT]
ABM Display Advertising Success in the World of GDPR [PPT]Kwanzoo Inc
 
2014 vienadom-presentation
2014 vienadom-presentation2014 vienadom-presentation
2014 vienadom-presentationVienadom
 
Preparing for general data protection regulations (gdpr) within the hous...
Preparing for general data protection regulations (gdpr) within the hous...Preparing for general data protection regulations (gdpr) within the hous...
Preparing for general data protection regulations (gdpr) within the hous...Stephanie Vasey
 
Webinar: An EU regulation affecting companies worldwide - GDPR
Webinar: An EU regulation affecting companies worldwide - GDPRWebinar: An EU regulation affecting companies worldwide - GDPR
Webinar: An EU regulation affecting companies worldwide - GDPRpanagenda
 
General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection RegulationGrittyCC
 
GDPR: The Catalyst for Customer 360
GDPR: The Catalyst for Customer 360GDPR: The Catalyst for Customer 360
GDPR: The Catalyst for Customer 360DataStax
 
GDPR, User Data, Privacy, and Your Apps
GDPR, User Data, Privacy, and Your AppsGDPR, User Data, Privacy, and Your Apps
GDPR, User Data, Privacy, and Your AppsCarl Brown
 
GDPR for dummies
GDPR for dummies GDPR for dummies
GDPR for dummies Benoît De Nayer
 
Gdpr brief and controls ver2.0
Gdpr brief and controls ver2.0Gdpr brief and controls ver2.0
Gdpr brief and controls ver2.0Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Toreon adding privacy by design in secure application development oss18 v20...
Toreon adding privacy by design in secure application development oss18 v20...Toreon adding privacy by design in secure application development oss18 v20...
Toreon adding privacy by design in secure application development oss18 v20...Sebastien Deleersnyder
 
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah Hurley
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah HurleyCedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah Hurley
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah HurleyCedar Consulting
 
Prep your app for gdpr compliance
Prep your app for gdpr compliancePrep your app for gdpr compliance
Prep your app for gdpr complianceAsanka Nissanka
 
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers Gary Dodson
 
DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docx
DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docxDATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docx
DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docxSteveNgigi2
 
Impact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A SecurityImpact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A SecurityEQS Group
 
Search Inform DLP
Search Inform DLPSearch Inform DLP
Search Inform DLPSergei Yavchenko
 
Setting the right GDPR priorities
Setting the right GDPR prioritiesSetting the right GDPR priorities
Setting the right GDPR prioritiesAlberto Canadè
 
Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...
Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...
Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...Symantec
 
Privacy by Design as a system design strategy - EIC 2019
Privacy by Design as a system design strategy - EIC 2019 Privacy by Design as a system design strategy - EIC 2019
Privacy by Design as a system design strategy - EIC 2019 Sagara Gunathunga
 
IRJET- Data Leak Prevention System: A Survey
IRJET- Data Leak Prevention System: A SurveyIRJET- Data Leak Prevention System: A Survey
IRJET- Data Leak Prevention System: A SurveyIRJET Journal
 
Information protection and compliance
Information protection and complianceInformation protection and compliance
Information protection and complianceDean Iacovelli
 
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...apidays
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptwebhostingguy
 

Weitere ähnliche Inhalte

Was ist angesagt?

2014 vienadom-presentation
2014 vienadom-presentation2014 vienadom-presentation
2014 vienadom-presentationVienadom
 
Preparing for general data protection regulations (gdpr) within the hous...
Preparing for general data protection regulations (gdpr) within the hous...Preparing for general data protection regulations (gdpr) within the hous...
Preparing for general data protection regulations (gdpr) within the hous...Stephanie Vasey
 
Webinar: An EU regulation affecting companies worldwide - GDPR
Webinar: An EU regulation affecting companies worldwide - GDPRWebinar: An EU regulation affecting companies worldwide - GDPR
Webinar: An EU regulation affecting companies worldwide - GDPRpanagenda
 
General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection RegulationGrittyCC
 
GDPR: The Catalyst for Customer 360
GDPR: The Catalyst for Customer 360GDPR: The Catalyst for Customer 360
GDPR: The Catalyst for Customer 360DataStax
 
GDPR, User Data, Privacy, and Your Apps
GDPR, User Data, Privacy, and Your AppsGDPR, User Data, Privacy, and Your Apps
GDPR, User Data, Privacy, and Your AppsCarl Brown
 

Was ist angesagt? (7)

2014 vienadom-presentation
2014 vienadom-presentation2014 vienadom-presentation
2014 vienadom-presentation
 
Preparing for general data protection regulations (gdpr) within the hous...
Preparing for general data protection regulations (gdpr) within the hous...Preparing for general data protection regulations (gdpr) within the hous...
Preparing for general data protection regulations (gdpr) within the hous...
 
Webinar: An EU regulation affecting companies worldwide - GDPR
Webinar: An EU regulation affecting companies worldwide - GDPRWebinar: An EU regulation affecting companies worldwide - GDPR
Webinar: An EU regulation affecting companies worldwide - GDPR
 
General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection Regulation
 
GDPR: The Catalyst for Customer 360
GDPR: The Catalyst for Customer 360GDPR: The Catalyst for Customer 360
GDPR: The Catalyst for Customer 360
 
GDPR, User Data, Privacy, and Your Apps
GDPR, User Data, Privacy, and Your AppsGDPR, User Data, Privacy, and Your Apps
GDPR, User Data, Privacy, and Your Apps
 
GDPR for dummies
GDPR for dummies GDPR for dummies
GDPR for dummies
 

Ähnlich wie Privacy: a fundamental feature in web application development

Toreon adding privacy by design in secure application development oss18 v20...
Toreon adding privacy by design in secure application development oss18 v20...Toreon adding privacy by design in secure application development oss18 v20...
Toreon adding privacy by design in secure application development oss18 v20...Sebastien Deleersnyder
 
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah Hurley
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah HurleyCedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah Hurley
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah HurleyCedar Consulting
 
Prep your app for gdpr compliance
Prep your app for gdpr compliancePrep your app for gdpr compliance
Prep your app for gdpr complianceAsanka Nissanka
 
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers Gary Dodson
 
DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docx
DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docxDATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docx
DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docxSteveNgigi2
 
Impact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A SecurityImpact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A SecurityEQS Group
 
Setting the right GDPR priorities
Setting the right GDPR prioritiesSetting the right GDPR priorities
Setting the right GDPR prioritiesAlberto Canadè
 
Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...
Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...
Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...Symantec
 
Privacy by Design as a system design strategy - EIC 2019
Privacy by Design as a system design strategy - EIC 2019 Privacy by Design as a system design strategy - EIC 2019
Privacy by Design as a system design strategy - EIC 2019 Sagara Gunathunga
 
IRJET- Data Leak Prevention System: A Survey
IRJET- Data Leak Prevention System: A SurveyIRJET- Data Leak Prevention System: A Survey
IRJET- Data Leak Prevention System: A SurveyIRJET Journal
 
Information protection and compliance
Information protection and complianceInformation protection and compliance
Information protection and complianceDean Iacovelli
 
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...apidays
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptwebhostingguy
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptwebhostingguy
 
Unraveling the GDPR Compliance
Unraveling the GDPR ComplianceUnraveling the GDPR Compliance
Unraveling the GDPR ComplianceCleverTap
 
Personal Data Protection in Indonesia
Personal Data Protection in IndonesiaPersonal Data Protection in Indonesia
Personal Data Protection in IndonesiaEryk Budi Pratama
 
BigID GDPR Compliance Automation Webinar Slides
BigID GDPR Compliance Automation Webinar SlidesBigID GDPR Compliance Automation Webinar Slides
BigID GDPR Compliance Automation Webinar SlidesDimitri Sirota
 

Ähnlich wie Privacy: a fundamental feature in web application development (20)

Gdpr brief and controls ver2.0
Gdpr brief and controls ver2.0Gdpr brief and controls ver2.0
Gdpr brief and controls ver2.0
 
Toreon adding privacy by design in secure application development oss18 v20...
Toreon adding privacy by design in secure application development oss18 v20...Toreon adding privacy by design in secure application development oss18 v20...
Toreon adding privacy by design in secure application development oss18 v20...
 
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah Hurley
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah HurleyCedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah Hurley
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah Hurley
 
Prep your app for gdpr compliance
Prep your app for gdpr compliancePrep your app for gdpr compliance
Prep your app for gdpr compliance
 
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
 
DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docx
DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docxDATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docx
DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docx
 
Impact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A SecurityImpact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A Security
 
Search Inform DLP
Search Inform DLPSearch Inform DLP
Search Inform DLP
 
Setting the right GDPR priorities
Setting the right GDPR prioritiesSetting the right GDPR priorities
Setting the right GDPR priorities
 
Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...
Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...
Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...
 
Privacy by Design as a system design strategy - EIC 2019
Privacy by Design as a system design strategy - EIC 2019 Privacy by Design as a system design strategy - EIC 2019
Privacy by Design as a system design strategy - EIC 2019
 
IRJET- Data Leak Prevention System: A Survey
IRJET- Data Leak Prevention System: A SurveyIRJET- Data Leak Prevention System: A Survey
IRJET- Data Leak Prevention System: A Survey
 
Information protection and compliance
Information protection and complianceInformation protection and compliance
Information protection and compliance
 
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.ppt
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.ppt
 
Gdpr presentation
Gdpr presentationGdpr presentation
Gdpr presentation
 
Unraveling the GDPR Compliance
Unraveling the GDPR ComplianceUnraveling the GDPR Compliance
Unraveling the GDPR Compliance
 
Personal Data Protection in Indonesia
Personal Data Protection in IndonesiaPersonal Data Protection in Indonesia
Personal Data Protection in Indonesia
 
BigID GDPR Compliance Automation Webinar Slides
BigID GDPR Compliance Automation Webinar SlidesBigID GDPR Compliance Automation Webinar Slides
BigID GDPR Compliance Automation Webinar Slides
 

Kürzlich hochgeladen

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 

Kürzlich hochgeladen (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 

Privacy: a fundamental feature in web application development

  • 1. Privacya fundamental feature in web application development Achilleas Papageorgiou Alkaios Anagnostopoulos
  • 2. Intro ● Privacy and why it matters ● Personal data protection ● GDPR requirements ● Key points to the path for compliance ● How to adapt your development actions & efforts ● The Joomla! 3.9 Privacy Tool Suite and its great features ● The Joomla! Compliance team (scope and goals)
  • 3. Alkaios ● MSc student in Distributed Systems, Security and Emerging Information Technologies, University of Piraeus ● Software Developer in idcs, Business Unit of Intelligent Media LTD ● Member of Compliance Team in Joomla! ● NOT a lawyer!
  • 4. Achilleas ● PhD candidate in Personalized Health Services & Privacy, University of Piraeus ● Researcher at the EU H2020 OPERANDO Project (GA no. 653704) ● Head of Digital Strategy in idcs, Business Unit of Intelligent Media LTD ● Leader of Compliance Team in Joomla! (July 2018 - now) ● NOT a lawyer!
  • 5. Members of the Joomla! Compliance team The Project has to evaluate the impact of the privacy related regulations, such as GDPR and update its privacy policy and internal process accordingly. This is about Open Source Matters Inc. (OSM) the not-for profit organization that supports the Joomla! Project, not the CMS. https://volunteers.joomla.org/teams/compliance-team Definitely NOT an easy task!
  • 6. Privacy: A human fundamental right
  • 7. Privacy: A human fundamental right
  • 8. GDPR - The after 25/05/2018 era Do you choose Panic? KEEP CALM AND TAKE ACTION Do you choose Apathy?
  • 9. GDPR: A game changer in privacy ● Definitions of Controllers, Processors, Joint Controllers ● Responsibilities, roles and the DPO role ● Upfront consent, lawful basis consent, implicit vs explicit consent ● Specified advance data subjects rights - Chapter 3 Articles 12 to 23 ● Right to be forgotten and Retention periods - Article 17 ● Data Protection Impact Assessment (DPIA) - Article 35 ● Security measures - Article 32 ● Data breaches and administrative fines - Article 83
  • 10. What is Personal data... ...and where can you spot them https://ec.europa.eu/justice/smedataprotect/index_en.htm
  • 11. Map personal data flows Forms Cookies DBs APIs Emails Data entry points Data entry points Data processing Data storage
  • 12. Privacy risks “We are witnessing the phenomenon of the development of an online ‘heaven’ of personal data sharing that can be potentially transformed to a personal ‘hell’ for any individual or company” Papageorgiou, A., GDPR Awareness: From privacy risks to the need for countermeasures, https://magazine.joomla.org/issues/issue-mar-2018/item/3314-gdpr-awareness-from-privacy-risk s-to-the-need-for-countermeasures
  • 13. Privacy risks GDPR & OWASP mapping on: Top 10 Privacy Risks owasp.org Papageorgiou, A., GDPR Awareness: From privacy risks to the need for countermeasures, https://magazine.joomla.org/issues/issue-mar-2018/item/3314-gdpr-awareness-from-privacy-risks-to-the-need-for-countermeasures
  • 14. So, what is Privacy in Web development - Trend to be forgotten? (i.e. pop-ups that will be forgotten) - A software extension? Many extensions together? (i.e. plug and play solutions) - Is it an only legal area of practice? (i.e. it’s all related to the legal text onsite)
  • 15. Define your role (GDPR based) (Art. 4 of GDPR) Data Controller Data Processor Controls the data flow of a service Processes the data on behalf of this data flow Determines the purposes and means of the processing of personal data Processes personal data on behalf of the controller
  • 16. Controller & Processor Controller Examples: ● An owned and self-hosted website ● An owner of a service that uses third party software Processor Examples: ● Automated Mailing Company that sends newsletters ● A third party form SaaS solution ● A third party analytics service for websites
  • 17. Privacy is related (not limited) to... ● Personal data protection measures ● Confidentiality (i.e. Encryption, Hash, TLS, etc) ● Integrity (i.e. Action Logs, Data Isolation, Role-based Access, etc) ● Availability (i.e. Firewall, DDoS prevention, IDS/IPS, Backup, etc) ● Responsible, transparent and secure data management ● Collaboration between all involved parties (1st party, 3rd party services, etc)
  • 18. User rights ● The Right to Be Informed ● The Right of Access ● The Right to Rectification ● The Right to Erasure ● The Right to Restrict Processing ● The Right to Data Portability ● The Right to Object
  • 19. Retention policies When you result to an end of the necessity of data processing based on the scope that they have been collected, then you must delete them (‘right to be forgotten’)
  • 20. Data minimization Your users hold a lot of personal information so make sure that you collect and process only what you need!
  • 21. Privacy by default Always make sure that your user’s default settings are pre-defined to the most private (ensure freely given consents) Koho, R., Privacy by default and GDPR, examples and best practises: https://magazine.joomla.org/issues/issue-apr-2018/item/3318-privacy-by-de fault-and-gdpr-examples-and-best-practises
  • 22. Privacy by design Align your project’s methodologies and internal procedures with privacy & security standards
  • 23. How Joomla! CMS assists the whole script - Privacy Tool Suite, introduced in Joomla! 3.9 thanks to the huge work done by Michael Babker (Release Lead) and all the other volunteers who coded, tested & translated https://www.joomla.org/3/thank-you - Action User Logs - Consent Management - Personal Data Edit and Management (right to rectification) - Export all user’s personal data to a valid and machine readable format (right to data portability) - Anonymize all user’s data and by extension delete them (right to be forgotten)
  • 24. Plugin Configuration Enable and setup the Privacy System Plugin. If the user doesn’t feel like giving consent, will be redirected to Profile Editing Section
  • 26. Meanwhile - Change Password Policy
  • 27. First Login ● Edit Personal Data ● Accept (or not ) Privacy Policy
  • 28. Collect & Manage Consents
  • 29. Check for expired consents ● Set consent expiration time ● Check for nearly expiring consents ● Set reminders before expiration
  • 31. Remove & Export Requests
  • 32. Remove & Export Requests Based on the “right to be forgotten” and the “right to portability”, choose weather to export or remove your user’s data ( always according to their request! )
  • 33. Remove Request Send a confirmation mail to your user with a 24 hours unique token binded on the request and the email address
  • 34. Remove Request The user must visit the confirmation URL and submit the removal request
  • 35. Remove Request As long as the request is confirmed, we can proceed to the deletion of the user and mark the request as completed:
  • 36. Remove Request As long as the request is completed we can take a look to our users’ information
  • 37. Export Request As described in the “Remove Request”, the process for the “Export Request” is almost the similar. The only difference is that we can either download user’s data or send to the user’s email an attachment. Both choices produce an xml file (machine-readable format) with all the required information.
  • 38. Export Request XML All of user’s Personal Data are exported in XML format, including: ● Personal Information ● User ID ● Registration Date ● Last Visit Date ● Account Parameters ● User Custom Fields ● User’s Action Log
  • 40. Remove & Export Requests Set up a date plan as a reminder for pending requests to be considered “urgent”
  • 41. Download it and adapt your compliance plan https://downloads.joomla.org/
  • 42. Some words about the Compliance team ● Main focus on the joomla.org/OSM properties ● Weekly meetings ● Tasks priority and severity, evaluated based on Eisenhower Matrix ● GDPR requirements mapping & web properties assessment ● Members from Italy, France, Germany, The Netherlands, Finland, UK, Greece ● The most important thing that keep us focused & productive: we love Joomla & we are having fun! :D
  • 43. ● Third parties & DPAs ● SSO & Identity Management System ● Cookie audit & policies ● Backup Policy ● Incident Response Plan ● Articles in Joomla Community Magazine ● & more…! Joomla! Compliance current team & tasks https://volunteers.joomla.org/teams/compliance-team
  • 44. Cross-CMS privacy coalition and Joomla! Members from: Drupal, Wordpress, Typo3, Umbraco CMS and ofcourse... Joomla! Compliance Team members are collaborating in weekly meetings!
  • 45. Many thank you for your attention!