A simple tool to facilitate GDPR conformance of your Joomla! sites
The component allows the site's visitors to:
- give or revoke their consent for personal data processing (and prevent the user from using the site if they have not provided consent).
- export all data the site holds on them in a common machine-readable format (XML).
- exercise their right to be forgotten (account removal) with a concrete audit trail.
Just like Joomla's com_privacy, the component itself does not know how to export or remove any data, whether it belongs to Joomla core or to a third-party component. It relies on plugins which tell it how to handle core Joomla and extensions' data. We ship plugins for core Joomla user data and some of our extensions. That said, DataCompliance can use the same “privacy” plugins used by Joomla's com_privacy itself.
The component also keeps an audit log of all the user profile changes, data exports and account removal.
The account removal audit log can be automatically exported to S3 (in JSON format). This lets you comply with the GDPR's requirement to keep an audit trail of how you handled personal data requests. Note that this audit log does NOT include any personally identifiable information, just the anonymous IDs of the information deleted.
There is a Joomla CLI integration plugin. You can use the CLI commands to, among other things, schedule periodic removal of stale accounts. This lets you comply with the data minimisation requirement of the GDPR.
Why use this component instead of Joomla's com_privacy?
- Better user experience for providing consent. Instead of being thrown to the long, confusing Joomla profile page they are shown a purpose-built page which allows them to provide consent, export their data or exercise their right to be forgotten.
- Less red tape. Exporting the user data is a single-click process for logged-in users; no need to wait for an administrator to manually approve their request. Exercising their right to be forgotten is a simple, two-step process which does not involve an administrator and where the user is explicitly told what will happen to their data.
- Plugins built for DataCompliance can define limits which prevent users from exercising their right to be forgotten, in accordance with the GDPR exemptions. For example, if there are any pending shipments in an e-commerce platform you don't want to let the user delete their account before the shipment is finalised, to avoid lost or misrouted packages.
- Audit trail backed up outside your site, in accordance with GDPR.
- Unlike Joomla's com_privacy, DataCompliance allows you to proactively remove stale user accounts in accordance with GDPR's requirement for data minimisation.
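As an added example (not code shipped with DataCompliance or Joomla), here is how the "pending shipment" limit described above can be expressed as a Joomla 3.9-style privacy plugin, the kind the component says it can consume: the plugin answers onPrivacyCanRemoveData with a PrivacyRemovalStatus that blocks removal while shipments are open. The table #__shop_shipments, its columns and the language key are assumptions.

```php
<?php
// Added example, not part of DataCompliance or Joomla core. Assumes the
// Joomla 3.9 privacy plugin API; the #__shop_shipments table is hypothetical.
defined('_JEXEC') or die;

use Joomla\CMS\Factory;
use Joomla\CMS\Language\Text;
use Joomla\CMS\User\User;

JLoader::register('PrivacyPlugin', JPATH_ADMINISTRATOR . '/components/com_privacy/helpers/plugin.php');
JLoader::register('PrivacyRemovalStatus', JPATH_ADMINISTRATOR . '/components/com_privacy/helpers/removal/status.php');

class PlgPrivacyShopshipments extends PrivacyPlugin
{
    /**
     * Asked before an account is removed. Setting canRemove = false blocks the
     * deletion and surfaces the reason to the user, which is how the GDPR
     * exemption for unfinished transactions is enforced in the two-step flow.
     */
    public function onPrivacyCanRemoveData(PrivacyTableRequest $request, User $user = null)
    {
        $status = new PrivacyRemovalStatus;

        // A request with no linked account has no shipments to check.
        if ($user === null || (int) $user->id <= 0)
        {
            return $status;
        }

        $db     = Factory::getDbo();
        $states = array_map([$db, 'quote'], ['pending', 'in_transit']);
        $query  = $db->getQuery(true)
            ->select('COUNT(*)')
            ->from($db->quoteName('#__shop_shipments'))
            ->where($db->quoteName('user_id') . ' = ' . (int) $user->id)
            ->where($db->quoteName('status') . ' IN (' . implode(',', $states) . ')');

        $pending = (int) $db->setQuery($query)->loadResult();

        if ($pending > 0)
        {
            $status->canRemove = false;
            // Explain the refusal with a count only; no order or address details leak here.
            $status->reason = Text::sprintf('PLG_PRIVACY_SHOPSHIPMENTS_PENDING', $pending);
        }

        return $status;
    }
}
```

The same plugin can also implement onPrivacyExportRequest and onPrivacyRemoveData so the shipment records are included in the XML export and anonymised when removal is finally allowed.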
THIS SOFTWARE, THIS LISTING AND ALL ASSOCIATED MATERIAL DO NOT CONSTITUTE LEGAL ADVICE AND SHOULD NOT BE MISUNDERSTOOD AS SUCH. ALWAYS CONSULT WITH A LAWYER FAMILIAR WITH THE EUROPEAN UNION'S GENERAL DATA PROTECTION DIRECTIVE TO UNDERSTAND WHAT YOU NEED TO DO TO BE IN COMPLIANCE WITH THE EU GDPR.