Privacy Laws like GDPR introduced several new requirements that changed the way we think the data management and the pathway to the privacy compliance.

Privacy by design and by default were just some of the requirements that web developers should take under consideration before they develop new apps. But of course, apps were online also before GDPR effectiveness and as expected the Joomla Project and more specifically the Joomla Compliance Team, has started to evaluate the current situation to result to effective, security and privacy solutions.

The problem

As said, with the upcoming changes in privacy laws and the GDPR coming into effect we had to do something about our Joomla properties. The Joomla properties are the websites we all use like the Extension Directory, Volunteer Portal, etc.

The first step is to consolidate all the data we have in all these 30+ sites. This means we bring all the data to a single Identity site where we can manage all our profiles. The result will be that we only need to document and manage one site with all sensitive data. One place to manage your Joomla profile.  Roland Dalmulder and Sander Potjer from the Compliance Team developed a Single Sign On (SSO) system integrated with the Joomla core that will allow users to have only one profile and use it across all the properties in which the SSO is deployed.

All sites will make use of the identity provider to authenticate the login, this is done through Single Sign On. Another advantage is that our users will only need 1 login for all the Joomla properties instead of a username and password for each site.

The identity site will contain the consents that are required to make use of a Joomla site. Using the consents we can track who has given consent for what and when.

Users Privacy empowerment - The Consent Management System

Another crucial part of the solution is the Consent Management System, also known as, Identity Manager, a place where we can manage and track all the consents from the users.

The Identity Manager will allow us to define which data fields are needed by each property and use different/specific consent statements for each usage of data. Consent statements will be added for each field used/transferred to the endpoint property. After the first login to a property, the users will be prompted a window where they can give their consents to authorize the transfer of data to the website they’re trying to visit.

The Identity Manager will track also any changes in consents or in data managed by each property, seeking the consents from users in case new data or new consent is needed. From the Identity Manager users will be able to check their consents and can withdraw any of them at any time

Current status

Currently we have the Single Sign On working, and some tests are performed by Developers and Consultants to better improve the final result. Once that is done we can start looking at the data migration to the identity site. The view to edit the user profile on the Identity website is ready too.

Next steps

The Joomla Compliance Team will work together with the Operations Department and the Webmasters Team in particular, to prioritize the adoption of the SSO and Identity Management Systems across the properties. Ideally, directories like JED and JRD and the Joomla Forum will migrate to the new authentication system in a second stage.

More about Login, Identities and Consents