Upcoming GDPR-focused features for Liferay DXP

May 25 is fast approaching. Every business impacted by GDPR should be well underway in preparing for the changes to data processing set forth by the regulation. To address the heightened requirements for empowering users' control of their personal data, Liferay has been evaluating and building features into Liferay DXP to aid our customers in their journey toward compliance. I wanted to share what customers can expect in the upcoming release of Liferay Digital Enterprise 7.1 this summer (with an update to DE 7.0 scheduled thereafter with the same features).

But First...

Before jumping into the details of what Liferay is building, allow me to reiterate something I've been stressing in our papers, blogs, and talks: GDPR compliance cannot be achieved by simply checking off a list of technical requirements. True compliance requires businesses to holistically adopt both organizational and technical practices of greater protection for their users' personal data. This may include training personnel, auditing all stored user data, establishing data breach response strategies, appointing a data protection officer, redesigning websites to obtain consent for targeted marketing, responding to users' right to be forgotten, etc. Beware of vendors that supposedly provide turnkey solutions for GDPR compliance, regardless of what they promise (and how much they cost). No such solution exists.

In regards to the technical measures GDPR stipulates, the heart of the regulation is encapsulated by the requirement of data protection by design and by default. As businesses select Liferay DXP to build their digital transformation solution, the responsibility falls on the business to design their solution in a way that satisfies this concept of “data protection by design and by default.”

Though no software product can truthfully claim to be “GDPR compliant,” the platform and tools provided by the product can greatly accelerate or hinder a business’s journey toward compliance. Out of the box, Liferay DXP already provides rich capabilities for designing and managing privacy-centric solutions (some of which are described in our Data Protection for Liferay Services and Software whitepaper), but there's much more we can provide to help our customers.

After wrestling with the couple hundred pages of regulation, we decided to first focus on the concrete requirements that are most painful for customers to implement themselves. Specifically, we evaluated GDPR's data subject rights and identified the right to be forgotten and right to data portability to be the most challenging to tackle given Liferay DXP’s current feature set. Google trends also affirms these two are of greatest interest (and likely anxiety) among users.

So here's what Liferay's engineering team has been working on:

Right To Be Forgotten

The right to be forgotten (technically known as the “right to erasure”) requires organizations to delete an individual’s personal data upon his/her request (excluding data the organization has a legitimate reason to retain like financial records, public interest data, etc.). Personal data is considered erased when the data can no longer be reasonably linked to an identifiable individual and thus no longer subject to GDPR. This can be accomplished by simply deleting or carefully anonymizing the personal data. Proper anonymization is difficult and tedious but may be the preferred option depending on the business’s use case. For example, Liferay want to keep the technical content on our community forums, but we must sanitize the posts and scrub personal data if a user invokes his right to be forgotten.

Our engineering team is adding a tool to the user management section to review a user's personal data stored on Liferay. The UI will present the user's personal data per application (Blogs, Message Boards, Announcements, third-party apps, etc.). Administrators can either delete the data or edit the content in preparation for anonymization. For example, if a community member writes a blog post containing useful technical information (for example: DXP upgrade tips) but also started the blog with an anecdotal story that contains personal information (for example: “My daughter Alyssa once told me …”), an administrator may want to remove the personal story. After satisfactorily editing the content, the data erasure tool can automatically scrub data fields like userName and userId. The tool will also automatically scrub these data fields from system data tables like Layout and BackgroundTask.

Accompanying the UI is a programmatic interface to mark data fields potentially containing personal data. Any third-party application can implement these interfaces to surface personal data through the UI. The interface also allows custom logic to anonymize or delete personal data. For example, instead of deleting a user's entire postal address, customers may want to keep just the zip code for analytics purposes.

Right To Data Portability

The right to data portability requires organizations to provide a machine-readable export of a user's personal data upon request. The regulation's goal is to prevent vendor lock-in where users find the cost of switching service providers is too burdensome. In theory, this right empowers individuals to migrate their data from their current mortgage provider to a competitor, for example. The regulation even stipulates that organizations should transfer a user's personal data directly to another organization where “technically feasible,” though this likely won't be a reality in the near future.

Alongside our data erasure tool, our engineering team is building a tool to export a user's personal data. This will behave similar to Liferay's import/export pages feature except the focus will be on exporting personal data rather than page data. The administrator UI will list a user's personal data per application and asynchronously export the data.

Down The Road

This is only the beginning of privacy-focused features we plan to bake into our platform. Though the roadmap for 7.2 is still up in the air, we're evaluating ideas like changes to service builder's data schema to potentially aid pseudonymization (separating personal data from identifiable individuals via some key). We've considered building a privacy dashboard for end users to visualize and control their own personal data. We've also thought about baking in a consent manager so businesses can better comply with the strengthened consent requirements.

Privacy is a justifiably growing concern that ultimately reaches beyond the territorial scope of GDPR. The May 25 deadline is forcing organizations to evaluate and implement the ethical impact of data collection in this brave new digital world. Currently much of that conversation stems from FUD leading to rubbish misinformation. But the dust will settle in the coming months and years. Organizations caught unprepared will potentially face costly penalties. Better and best privacy practices will eventually emerge and become standard practice, not unlike standard InfoSec practices that have developed over the last couple decades. Throughout that process, Liferay will continuously evaluate what our platform and services can provide to aid our customers in their journey toward thoughtfully guarding their users' data.

If you'd like to better understand how your organization can prepare for GDPR, check out our webinar: GDPR: Important Principles & Liferay DXP.