Privacy experience in Plone and other open source CMS


  1. Jörg Zell, Interaktiv GmbH, www.interaktiv.de
      We are the good guys – aren't we? Privacy Experience in Plone and other Open Source CMS
  2. Why does privacy matter? © Interaktiv GmbH 2 |
  3. PRIVACY IS ONE PART OF USER EXPERIENCE
      User Experience: User Design, Usability, Privacy, Many more.., Security, Accessibility, Performance
  4. Source: https://www.statista.com/statistics/290525/cyber-crime-biggest-online-data-breaches-worldwide/
  5. WHY PRIVACY MATTERS
      Examples of recent privacy issues
      • Facebook Security Breach in September 2018: 50 Million accounts compromised
      • Facebook-Cambridge Analytica scandal: $134b loss in market value
      • Yahoo: 250.000 pound fine in June 2018 over breach: „Yahoo failed to take appropriate technical and organizational measures“
      • Credit-monitoring company Equifax 2017 data: More than half of Americans affected
      [Figure: Equifax data breach in numbers]
  6. Privacy experience is a global trend
  7. Source: https://www.dlapiperdataprotection.com/index.html
      Map labels: GDPR; APPI; DPA; PIPEDA; Privacy Shield; State legislation; mix of Federal and State legislation
  12. DIFFERENT APPROACHES TO PRIVACY
      • Opt-in / Opt-out
      • Personal Data Ownership / Data belongs to the service provider
      • Hard law / Soft law
      • Centralized / Decentralized
      • Privacy as part of other law subjects / Privacy as a matter of law
      • Trust in government / Trust in business
  13. 29.01.2018 © Interaktiv GmbH 13 |
      Source: https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html
      Source: http://time.com/5421850/facebook-google-internet-bill-of-rights/
  14. Internet Bill of Rights: transparency, privacy, control, notification, net neutrality, competition, accountability
  15. What follows from those different approaches for a global open source community?
  16. Source: https://trends.builtwith.com/cms/open-source
  17. COMMUNITY RESPONSIBILITY
      How can we ensure that we are the good guys?
      • Awareness
      • Privacy as an opportunity
      • Privacy as a differentiator
      Universal privacy standards?
  18. Privacy experience in open source CMS communities
  19. PRIVACY IN OTHER OPEN SOURCE COMMUNITIES
      “A collaborative best-practice approach to privacy in open source development outside specific regulations and laws.”
      • Data minimisation
      • Data integrity
      • Purpose minimisation
      • Lifecycle limitation
      • Human and technical security measures
      • Transparency and notice
      • User participation and rights
      • Accountability, enforcement, and redress
      • Choice, control, and consent
      • Special categories of data
      • Legal compliance
      Source: https://github.com/webdevlaw/open-source-privacy-standards
  20. UNIVERSAL PRIVACY PRINCIPLES
      1. Data minimisation: Restrict the collection and processing of data to the minimum amount necessary; restrict access to data to the minimum amount of people and systems necessary; do not duplicate or aggregate data by default.
      2. Data integrity: Ensure that the data collected and processed is correct, relevant, and up-to-date, especially if inaccurate or poor data could adversely impact the user.
      3. Purpose minimisation: Only collect and process personal data for the purpose it was intended for, and for which the user was clearly informed of in advance.
      4. Lifecycle limitation: Do not use personal data for other purposes, either active or potential. Delete data which is no longer needed, both in active use and in archives, by both the recipient and any third parties. Delete unnecessary data on a regular basis. Do not share data with others at any point in its lifecycle without a justified reason and user consent.
      5. Human and technical security measures: Take adequate information security measures to protect the data from misuse and its subjects from harm. These measures must be technical (systems, software, code) as well as human (staff training, guidelines, and supervision).
      6. Transparency and notice: Inform users how their data is being collected, processed, and shared; inform users what rights and choices they have over those uses; make your privacy standards public and accountable.
      7. User participation and rights: Give users rights to access their data, download data, correct errors, and to control your collection and processing of it; give users the ability to ask you to stop using their data and to delete their accounts.
      8. Accountability, enforcement, and redress: Document your collection and processing of data; protect it in transit to and from third parties; prevent misuse and breaches as much as is possible. Fix problems when things go wrong, provide redress when data is misused, leaked, or breached; be morally and legally accountable to regulatory systems.
      9. Choice, control, and consent: Give users and visitors choices and options over your uses of their data; require clear, specific, and informed opt-in; inform users of changes in uses and processing; give people access to their options and rights at any time through settings and control panels.
      10. Special categories of data: Take extra technical and human security measures to safeguard sensitive data which could result in the people it is about being hurt. This may include information about a person's race, religion, health, sexuality, location, genetic/biometric information, etc.
      11. Legal compliance: Ensure that the work meets the privacy regulations of the location where it will be used to collect and process people’s data. Work cooperatively and productively with regulations, laws, and supervisory bodies.
      Source: https://github.com/webdevlaw/open-source-privacy-standards
  21. PRIVACY IMPACT ASSESSMENTS
      Privacy Impact Assessments (PIAs) are the first step in a Privacy by Design (PbD) approach to development. A PIA is the process by which questions about data collection, processing, sharing, storage, and access are asked before the work has begun.
      Data collection and retention
      • What personal data is processed?
      • How is that data collected and retained?
      • Is the data stored locally, on our servers, or both?
      • For how long is data stored, and when is the data deleted?
      • Is the data collection and processing specified, explicit, and legitimate?
      • What is the process for granting consent for the data processing, and is consent explicit and verifiable?
      • What is the basis of the consent for the data processing?
      • If not based on consent, what is the legal basis for the data processing?
      • Is the data minimized to what is explicitly required?
      • Is the data accurate and kept up to date?
      • How are users informed about the data processing?
      • What controls do users have over the data collection and retention?
      Technical and security measures
      • Is the data encrypted?
      • Is the data anonymized or pseudonymized?
      • Is the data backed up?
      • What are the technical and security measures at the host location?
      Personnel
      • Who has access to the data?
      • What data protection training have those individuals received?
      • What security measures do those individuals work with?
      • What data breach notification and alert procedures are in place?
      • What procedures are in place for government requests?
      Subject access rights
      • How does the data subject exercise their access rights?
      • How does the data subject exercise their right to data portability?
      • How does the data subject exercise their rights to erasure and the right to be forgotten?
      • How does the data subject exercise their right to restrict and object?
      Legal
      • Are the obligations of all data processors, including subcontractors, covered by a contract?
      • If the data is transferred outside the European Union, what are the protective measures and safeguards?
      Risks
      • What are the risks to the data subjects if the data is misused, mis-accessed, or breached?
      • What are the risks to the data subjects if the data is modified?
      • What are the risks to the data subjects if the data is lost?
      • What are the main sources of risk?
      • What steps have been taken to mitigate those risks?
      Source: https://github.com/webdevlaw/open-source-privacy-standards
  22. PRIVACY IN OTHER OPEN SOURCE COMMUNITIES
      • GDPR Compliance Team
      • Privacy roadmap: https://make.wordpress.org/core/roadmap/privacy
      • WordPress core is GDPR compliant: privacy notice, data export, data
      • Privacy by Design approach
      • Documentation and resources for developers: guidelines on how to
      • Resources for site administrators why privacy matters and what to do
      • Resources for plugin developers: https://developer.wordpress.org/plugins/privacy/
  25. PRIVACY IN OTHER OPEN SOURCE COMMUNITIES
      • Drupal GDPR Compliance Team
      • Documentation about (more than 20) Drupal software tools for GDPR compliance
      • 6 talks about privacy at Drupal Europe conference this year
  26. PRIVACY IN OTHER OPEN SOURCE COMMUNITIES
      • Privacy tool suite: https://docs.joomla.org/J3.x:Privacy
      • Privacy Dashboard, Health Check, Plugins for Privacy Consent, Terms and Conditions
      • Documentation for developers
      • GitHub: „Collaboration space to work on a privacy framework for Joomla” - 580 contributors - https://github.com/joomla-projects/privacy-framework
      • Marketing!
  28. Privacy experience in Plone
  32. Thursday, 15:20, Matthew Wilkes: Privacy best practice and Plon
  33. PRIVACY IN PLONE DEVELOPMENT
      Done
      • https://github.com/collective/collective.privacy
      • … probably many individual code snippets for cookie consent notices…
      Some suggestions for discussion
      • Assessment: What is the status of privacy in Plone core?
      • Guidance: Should development documentation include privacy?
      • Adhere to privacy best practices and follow Privacy by Design principles
      • Features: Develop more privacy features: data export, data erasure, privacy notice, …
      • Products: What about plugins/products and themes?
      • Roadmap?
  34. PRINCIPLES OF PRIVACY BY DESIGN
      • Proactive not reactive; preventive not remedial
      • Privacy as the default
      • Privacy embedded into design
      • Full functionality — positive-sum, not zero-sum
      • End-to-end security — lifecycle protection
      • Visibility and transparency
      • Respect for user privacy
      Read on: https://medium.com/searchencrypt/7-principles-of-privacy-by-design-8a0f16d1f9ce
  35. PRIVACY IN PLONE COMMUNICATION AND MARKETING
      Done
      Some suggestions for discussion
      • Talk about Privacy on plone.com, plone.org, Community.plone.org
      • Documentation
      • Privacy statement like Accessibility statement in vanilla Plone
      • Conference talks
      • Promote privacy as a positive cultural value instead of a legal constraint
      • Use transparency and privacy as a differentiator – we are the good guys!
  36. PRIVACY IN PLONE COMMUNITY WORK
      Done: ?
      Some suggestions for discussion
      • People!
      • Interested in an Open Space?
      • Sprint work?
      • Can we join forces with other communities?
  37. PRIVACY PRIORITIES
      We are the good guys – let’s show it to the world.
  38. THANK YOU
      You'll find this presentation on Slideshare.
      Contact me
      • By e-mail: zell@interaktiv.de
      • On Twitter: #InteraktivKoeln
      • At LinkedIn: https://www.linkedin.com/in/joergzell/ and https://www.linkedin.com/company/interaktiv-gmbh
      • At XING: https://www.xing.com/profile/Joerg_Zell/ and https://www.xing.com/companies/interaktivgmbh
