On May 25th, users of online services will enjoy broader protections of their personal data thanks to the General Data Protection Regulation (GDPR). While these regulations have been put into place by the EU, they apply to any service provider that processes or controls personal data of EU citizens. Which includes SilverStripe in New Zealand, as well as many of our customers who use our products and services.
We’re happy to see data ownership and privacy becoming a worldwide focus, and would like to give you a quick rundown on how SilverStripe fits into this picture.
SilverStripe Websites and Community
Our commercial presence on silverstripe.com and community website on silverstripe.org are both covered by a shared, plain english privacy policy. When joining our community or our forums, you can opt-in to receive various communications from us. The only required personal information is an email address, and all voluntary information can be edited through your profile. We have also added explicit opt-in to all of our customer-facing forms on silverstripe.com.
SilverStripe Open Source Software
As a provider of open source products, we neither act as a Data Controller or Data Processor. Most of our software (such as the SilverStripe CMS) is covered by a BSD License, and provided “as-is”. Your obligations under GDPR arise from how you use this software.
If you’re collecting personal data via forms on your particular SilverStripe-powered website or application, and your customer base might include EU citizens, you’re in charge of complying with GDPR. You’ll likely need to describe how this data will be used, and ask your users for explicit consent. When working with our user editable forms module, this can be as simple as adding a checkbox field which automatically records the consent alongside the submission.
The SilverStripe CMS does not provide any built-in mechanisms for users to submit personal data, or register a user account. CMS authors are created by administrators through the CMS UI. Since even the email address required to create such an account can be considered personal data, you might need to get consent from existing and new CMS authors, or cover this through other contractual arrangements with the individuals (read more about lawful bases for processing personal data and legitimate interests).
The primary location where SilverStripe can be configured to store personal data is the database. Individuals (“data subjects”) have the right to be forgotten, and can ask you as the website operator to remove their data. Most of the time, CMS administrators can action this without any technical help through the CMS (through the “Security” section, or specialised UIs like user defined forms). Be careful with Versioned records containing personal data: These might require development effort to completely remove. Note that CMS users aren’t versioned by default, so you can completely remove them through the UI. Depending on your implementation, you might purposely or accidentally store personal data in other places (e.g. through sending data to APIs, log messages, application exception messages, or via emails). You’ll need work with your technical contacts for the particular website to identify these. More details are available in the Developer Guides > Security > Personal Data section of our developer docs.
SilverStripe Ltd. Customers
SilverStripe builds websites for our customers. While the generic caveats for our platforms and open source software apply, each website implementation has unique constraints and requirements. We’re providing baseline GDPR training to all of our staff, and are well positioned to advise you where your responsibilities as a customer intersect with GDPR compliance. The most common areas in website implementations are forms (and their consent logic), privacy policies, and any third party products which your website might integrate with. Please contact your Account Manager if you have any concerns about your current implementation.
SilverStripe Platform
As an international company, SilverStripe processes the data for companies inside the European Union (EU). Therefore SilverStripe Platform acts as a Data Processor whilst your business (or your client’s business) running the website remains the Data Controller.
SilverStripe Platform is powered by Amazon Web Services, which makes it easy to keep your data safe. While infrastructure security in AWS is a shared responsibility (between SilverStripe and AWS), their systems are certified to the highest standards. See the AWS GDPR Centre for details.
New Zealand Common Web Platform
The Common Web Platform (CWP) is a Platform-as-a-Service (PaaS) offering for the creation and hosting of government websites in New Zealand. The CWP is managed and developed in partnership by the Department of Internal Affairs (NZ), SilverStripe Ltd, and Revera Ltd.
SilverStripe processes the data for public sector websites on CWP, some of which may be interacted by EU citizens. Therefore SilverStripe Platform acts as a Data Processor whilst the participating agency remains the Data Controller. The CWP participating agency may gather personal information from their customers via their websites and SilverStripe can process this information on platform.
Participating CWP agencies will need to assess and ensure their data collection practices comply with the regulations specified under the GDPR, specifically in cases where government websites are interacted with by EU citizens. The good news is that New Zealand is considered by the EU to have “adequate level of data protection, whether by its domestic legislation or of the international commitments it has entered into”. This means that the transfer of personal data from the EU to NZ is permitted without the need for any further contracts and agreements being necessary. See more information here.
The Public Service Intranet (PSI) has published a guide on GDPR for the NZ public sector (access restricted to Public Sector agencies).
Summary
GDPR compliance lifts privacy standards around the world, and allows users to take back control. Since even an email address can be considered personal data, and enforcement is independent of your business or hosting locations, most online services around the world will have to deal with the implications. Check your privacy policies, consent processes, educate your staff, and create an inventory of where you store or handle personal data.
SilverStripe has put internal processes in place for this, and educated our customer support staff to handle GDPR requests. If you have any concerns as a customer, please contact your Account Manager or Service Desk. For all other concerns, please use the newly established privacy@silverstripe.com email address.
Post your comment
Comments
Posted by Ingo Schommer, 17/05/2018 5:23pm (6 years ago)
I did note there is a number of references to requiring Consent from users. In the interest of helping those who are not that familiar with GDPR, its worth pointing out that Consent is not required in all cases of processing personal data for EU citizens.
Consent is one of 6 lawful bases for processing personal data. There is accurate and easy to consume information about lawful bases under the GDPR here:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
For examples sake, in some of the cases described in the blog post above, the "Legitimate Interest" basis for processing personal data may apply.
There is more info on that and a 3 part purpose / necessity / balancing test here:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/
Hope that helps someone.
Cheers, TJ
Posted by TJ, 16/05/2018 7:31am (6 years ago)
No one has commented on this page yet.
RSS feed for comments on this page | RSS feed for all comments