Contrib.social

Scope and guideline for privacy and compliance

Open on Drupal.org β†’
Created on 13 August 2024, 6 months ago

Objective

As the Starshot strategy v1.0 describes, supporting the Open Web is our responsibility. Drupal's Open Web Manifesto β†’ clarifies, that the Open Web is strengthened by every individual’s right to choice, privacy, and security. The Open Web must be designed to protect β€” not exploit β€” personal data and public discourse.

The "Starshot Track 8 Privacy and Compliance" is governed by this responsibility. It will deliver the necessary technical implementation but also provide educational material and advice for other tracks and the whole product to get it right on all levels.

This track's outcome should not be perceived as judgement, it's about education and recommendation. Users of Starshot should be able to make their own (risk) assessment and make conscious decisions about privacy and compliance. However, we are not lawyers and do NOT provide legal advice.

At the same time, we shouldn't forget to move fast, whatever that means for this track.

Define the key requirements / features for the recipe

This requires research with target persona, agencies and about existing legislation around the world. We will then have to discuss whether several recipes per region will be required, or if a single recipe can deliver a super-set to address global requirements.

Keep in mind that data protection and compliance have to deal with many conflicting interests: Marketing, Legal, IT, users and others. At this point, most stakeholders don't even seem to be aware of the implications, so they can't possibly know what they want.

Whether a website owner wants to comply with regulations and/or respect the privacy of their users is entirely their decision, not ours. For those who want to, Starshot makes it accessible and easy to do.

If the website operator's business model is based on the monetization of user data, the recommendations, sample content, etc. must look thoroughly different.

Research

This can be done by survey, individual interviews and collecting data from trusted sources.

  • Marketers
  • Other non-Drupal experts who will be tasked to build a website

Other tracks may have the same issue to get a list of contacts to get in touch. Maybe we can share?

Individuals can be approached directly. A survey can be posted by the DA to make the community aware and hopefully let them respond.

Analyse the legislation collected and provided at Data Protection Laws of the World.

Establish review role for other tracks

To ensure privacy and compliance on a Drupal site, this is not only about what to install and configure. It's even more so about what not to install and configure.

This applies to all tracks and the Starshot product as such. The following tracks are in particular the candidates for potential overlap:

Ongoing site audits

Privacy and compliance is not a feature, it's a process. Therefore, this track needs to provide an answer for ongoing audits as well, not only for the initial site set-up.

Competitive Research

  • Describe feature parity
  • How do we differentiate, how is our solution better than others

Collect, compare and select modules

Which modules can do the job, and what are the feature gaps?

Define and drive required user experience improvements to contributed modules.

Build recipe

  • Default config
  • Default/sample content

Acceptance testing

Test that the recipe meets the requirements and expectations of the target persona

Quality/integration tests

Make sure the recipe keeps working

Basic documentation

  • End-user
  • The Starshot leader team(s) with dos and don'ts.

Metadata

  • Logo
  • Summary
  • Screenshots

Next steps

  • Discuss, improve and finally agree upon the above scope and guidelines
  • Finalize a super-set "feature" list that provides all required features on a global scale: #3467855: Super-set feature set for privacy compliance β†’
  • Run survey A with (selected) Drupal agencies to learn about additional compliance requirements in their countries, and which of the features in the super-set they would want to avoid under all circumstances
  • Run survey B with target persona to learn about their knowledge, preferences and requirements
  • Perform the competitive analysis
  • Finalize the "feature" list
  • Prioritize items on the feature list and decide which ones will go into the initial "release"
  • Provide initial marketing material (value proposition, slides for Dries-note, educational material for other Starshot tracks, the Drupal community in general, and the target audience)
  • To be continued with module selection, implementation, testing and documentation. Detailed planning and task breakdown will be provided later, there's no value in laying that out just now
🌱 Plan
Status

Active

Component

Track: Privacy

Created by

πŸ‡©πŸ‡ͺGermany jurgenhaas Gottmadingen

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @jurgenhaas
  • Comment 6 months ago β†’
    πŸ‡¦πŸ‡ΉAustria Grienauer Vienna

    I am happy to assist here and give my knowledge around this topic.

  • Comment 6 months ago β†’
    πŸ‡¬πŸ‡§United Kingdom tonypaulbarker Leeds

    @jurgenhaas please could we add the Media Management track to the list of tracks for attention? https://www.drupal.org/project/drupal_cms/issues/3461533 πŸ“Œ [META] Track 15: Proposal for media management Active

    In particular, we need to consider privacy and compliance for embedded media, such as embedded YouTube videos that track users. I am conscious too of identifiable data relating to media such as names, faces and location especially if we have exif data uploaded or at some point we use features like face detection AI.

  • Comment 6 months ago β†’
    πŸ‡©πŸ‡ͺGermany jurgenhaas Gottmadingen

    @tonypaulbarker this is a great suggestion, I totally missed that. Added your track to the list, thanks.

  • Comment 5 months ago β†’
    πŸ‡©πŸ‡ͺGermany jurgenhaas Gottmadingen

    An additional aspect came out of a discussion with @rkoller who stated that we may also have to provide some mechanism to encrypt sensitive data to protect users from getting data points exposed after a data breach.

  • Comment 5 months ago β†’
    πŸ‡©πŸ‡ͺGermany rkoller NΓΌrnberg, Germany

    aside the aspect of providing an opportunity to encrypt sensitive data, another important point to mention and maybe to consider might be the creation of technical organizational measures (TOMs).

    https://thegdprcomplianceconsultancy.co.uk/the-meaning-of-technical-and-...
    https://aigner-business-solutions.com/en/blog/gdpr-explained-simply-toms...

    The scope of TOMs is definitely broader than just the CMS, but it might be worth to consider the option to autogenerate a TOMs template for a site. It is impossible to autogenerate a complete TOMs template but based on the sites config you already know the technical measure in place for the drupal site (which modules and configuration are used and which process are defined, and for example certain workflows in eca that have processes in place that are relevant to the gdpr, same as content moderation workflows and so forth). the other relevant points for the TOMs could be left blank and the user is able to fill those blanks. so the user has a template speeding up the generation of the initial TOMs as well as making it easier to keep those up to date?

  • Comment 5 months ago β†’
    πŸ‡¨πŸ‡­Switzerland boromino

    At the very least, the European Data Protection Regulation applies not only to companies and authorities based in Europe, but to anyone who processes the personal data of European citizens. On the World Wide Web, a website operator is therefore likely to have to comply with the regulations of different countries, not just those of the country in which its website is located. Consequently, the recipe should cover the sum of all regulations, not just those of the website's home country. Presumably we cover everything if we go by the most restrictive legislation.

    This is a broad topic and a lot of information has already been collected here. Considering that Drupal CMS is due to be released at the end of 2024, we should start creating tasks for concrete implementation steps and discuss details there. The selection of features should initially be based on the target audience: Content creators and marketers and a broader range of budgets.

  • Status changed to Needs review 5 months ago
  • Comment 5 months ago β†’
    πŸ‡©πŸ‡ͺGermany jurgenhaas Gottmadingen

    I've updated the issue description. In particular removed the "education" and replaced that with "information" as discussed and agreed last week. Also added a status summary for where we're now, right at the beginning of executing the plan.

    Please review, comment, update, as you see fit and let us know if you're OK with it, setting this to RTBC. I'm planning to mark this fixed by the end of this week.

  • Comment 5 months ago β†’
    πŸ‡¬πŸ‡§United Kingdom kjay
  • Comment 5 months ago β†’
    πŸ‡¦πŸ‡ΊAustralia murrayw
  • Comment 5 months ago β†’
    πŸ‡³πŸ‡ΏNew Zealand RoSk0 Wellington
  • Comment 5 months ago β†’
    πŸ‡©πŸ‡ͺGermany jurgenhaas Gottmadingen

    Granting credits to interview partners. Thank you so much for your time and input.

  • Comment 3 months ago β†’
    πŸ‡©πŸ‡ͺGermany jurgenhaas Gottmadingen

    Closing issue as work is being captured in separate issues.

  • Status changed to Fixed 2 months ago
  • Comment 2 months ago β†’
    System Message

    Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024