<disclaimer>This article does not provide legal advise - please consult a lawer.</disclaimer>
There are millions of articles currently on the Internet discussing the European Union General Data Protection Regulation (GPRD) - last time I typed GPRD in Google I got 19,500,000 results. This regulation is planned to go into effect on May 25th, 2018 (unless a delay is granted).
As a Joomla Community Builder website owner this new regulation most likely affects you - even if your website is not located in a European Union state. If your site has a registration form, you are collecting data from your website visitors and some of those visitors might live in a European Union state - tag your it!
The simplest way to go about GDPR compliance is to address the following 7 aspects of the requlation:
Consent • Breach Notification • Right to Data Access •
Right to be forgotten • Data Portability • Privacy by Design
Potential Data Protection Officers
You will most likely not need to be concerned with the Data Protection Officers aspect as this pertains to large corporations that handle lots of personal data (but once again remember the disclaimer). Kyle's GDPR Compliance with Community Builder blog is a great starting point for these 7 points and it also provides some useful reference links. We strongly suggest you read it now.
As you see from Kyle's blog, things are not that complicated as you should keep in mind that:
- The Community Builder Terms and Conditions field helps you tackle the Consent aspect for your privacy policy along with the registration date / time stamp recorded during the CB registration process. You can also use the CB Profile Update Logger as proof of user consent.
- The Right to be forgotten aspect can be requested by configuring a simple Joomla contact form (to allow your users to request to be deleted from your website) and you can manually delete the user from the Community Builder User Management page. Yup, there is no mandate to automate the deletion process, but you can if you want with the CB Privacy Delete Me field feature.
- The Right to Access aspect can be satisfied with a simple CB profile view that allows the user to see all the data you have collected about them. As Kyle states, you can also enhance this by using a CB Code Field field or a CB Query Field.
- If the data you have gathered has been compromized, the Breach Notification directive gives you 72 hours to notify the EU authorities. You can also use the CB User Management Mass Mailer functionality to quickly notify your users of the breach.
- The Privacy by Design aspect can be addressed using the powerful Joomla ACL functionality and if needed with the CB Privacy powered user controlled privacy features.
- The Data Portability aspect can be satisfied using phpmyadmin to export user specific data from your Joomla database. You can also use CB Juice to export CB related user data and a planned future release of CB Privacy will also export user data.
Joomla 3.9 is also planning to be released with a new privacy component that Joomlapolis will be tapping into with a future Joomla 3.9 compatible plugin.
Perhaps the most important and probably most time-consuming part is to review your Privacy Policy and make it clear and easy to understand and GDPR-compliant, like Kyle explains in his blog.
Key take-aways from this article:
- don't panic
- read Kyle's excellent blog
- you don't have to automate everything day one
- you already have the tools to be compliant
- more tools will follow with Joomla 3.9
We are here to help you!