How to Make Your TYPO3 Application GDPR Compliant
The European General Data Protection Regulation coming into effect on 25 May 2018 has implications that affect every aspect of planning, developing, and maintaining websites and web applications. GDPR promises users greater protection, transparency, and control. Find out what you need to know about GDPR.
In this article, we’ll look at how the upcoming TYPO3 GDPR release will help you design GDPR compliant applications. We’ll look at both TYPO3 core features available out of the box, as well as how the GDPR extension helps you build GDPR compliant applications.
Important note: This article does not constitute legal advice.
GDPR Compliance and TYPO3
For those who are designing applications and websites, the regulations affect every aspect of designing, building, and maintaining services that handle personal data and users.
Data: What data is captured? How is it captured and stored? How do these interact with third-party systems?
Consent: Did you get explicit consent from users?
Control: Do users have control over the data you store? They must also be able to withdraw their consent.
Accountability: Nominated data protection officer. Regular review of policies and impact assessments.
Communications: Is it clear who to contact? Are there procedures in place for breach notifications?
I’ve been collaboration on the GDPR initiative to make TYPO3 CMS core “GDPR ready.” This will mean it’s easier for TYPO3 agencies and developers to create applications that protect users’ privacy by default and design.
TYPO3 CMS and Privacy by Default
TYPO3 acts defensively when it comes to collecting privacy-related data and follows the principle of “privacy by default”.
By default, no cookies are set for anonymous website visitors. Cookies are only set for required functionality such as logins and shopping carts. Likewise, access for users such as editors, administrators, and maintainers always requires setting cookies to ensure authorization and handle permissions.
The following modules collect the IP address during user interactions, but they can be configured to anonymize these IP addresses to protect user data. See Anonymize IP addresses below.
indexed_search: TYPO3’s default search collects the IP address for every search. It’s possible to configure this to log only the anonymized IP address.
sys_log: TYPO3 collects the IP addresses of editors in this log as they perform actions on the site. As the IP address is required to reconstruct actions and logins the IP address will be fully persisted but can be anonymized in a later action.
Content editors can embed third-party videos such as YouTube. By default, TYPO3 uses the recommended embed URL www.youtube-nocookie.com to improve the privacy of website visitors.
Privacy Improving Tools and APIs
TYPO3 CMS core provides the following APIs to improve website users’ privacy and help website owners comply with the GDPR.
Access and User Management
TYPO3 CMS has sophisticated user and group management in order to grant permission to required information only. Private data like orders or submitted forms are only visible to editors who need to interact with this data.
Read more about User Management in TYPO3 CMS.
TYPO3 developers can employ several different strong password hashing algorithms to secure user passwords. By using random salts, developers can avoid the possibility that an attacker could extract passwords from rainbow tables.
Read more about Salted Passwords in TYPO3 CMS.
Removal of Old Data
A scheduler task makes it possible to remove not relevant data from the system. Typical examples are:
Remove logs after 180 days
Remove sent emails after 90 days
Read more about TYPO3 CMS Scheduler to manage tasks.
Anonymize IP addresses
An extension developer can use an API to retrieve the anonymized IP address and use only that for further processing.
A scheduler task makes it also possible to anonymize IP address of database records after a given time, e.g. anonymize the IP addresses of logs after 180 days.
Read more about scheduling tasks.
TYPO3 CMS Supports HTTPS/TLS which makes it possible to enforce a secure connection for frontend and backend users.
Individual Data Protection by GDPR Extension
Beyond my activities as a TYPO3 CMS core team member, I have also developed the GDPR extension to extend the basic functionality of TYPO3 core API. I provide support for the extension through a paid professional plan, which helps me maintain the extension and support those use it. There are two support tiers.
The free basic plan provides an API that controls visibility information based on a particular role (data owner, website visitor, website maintainer, etc.)
The professional plan includes sophisticated data protection as well as pseudonymization and anonymization.
Most important features are:
Randomizing data is a good way to keep data but remove the personal or private information from it. This use case makes sense, for example, are e-commerce orders that should stay in the database to generate statistics like sales to specific countries.
GDPR extension editors can randomize data with a scheduler task. For example, randomizing orders older than 180 days. Or editors can manually randomize data as needed.
Flag, Hide & Remove Data
Editors can flag database records to identify those that hold sensitive data. After a record is “flagged”, it won’t be visible anymore, neither in the backend nor in the frontend—no matter which access level is granted to a user.
Control over flagged data is only given to specific editors. With an additional module they decide what happens to those records next:
Re-enable the record
Randomize the record
Delete the record
An extended search makes it possible to search for already deleted data. For example, GDPR editors can search for and identify sensitive data which still exists in the database, so they can manage it.
Log of Action
As GDPR extension users change settings or use the features, the extension logs all changes so changes can be reconstructed.
Improved Embedded YouTube & Vimeo Videos
Before videos from the platforms YouTube and Vimeo are actually loaded, the user is asked for consent. This improves the privacy and as an additional benefit also the loading time.
The TYPO3 CMS GDPR Initiative aims to make it easier for TYPO3 developers to create applications and websites that protect users by default and by design. In the short term, we’ve worked on essential improvements to TYPO3 CMS that helps clients, agencies, and integrators with tools to comply with these new European privacy laws. In addition, I’ve built an extension to take this default functionality a step further, and I provide support for website owners to improve their GDPR compliance.
Hi, thanks for that great post and all the work from the people who are involved!
Maybe the cookie part can be edited, because there is currently a frontend feature in TYPO3, that sets a cookie that many users and also integrators might not be aware of. It's the form builder. When adding a form to the frontend, an fe_typo_user cookie is set because of the honeypot. The honeypots field name is generated using session data. Therefore, the session cookie has to be set.