Privacy in Django (GDPR)


Johannes Hoppe

May 26, 2018, 3:54:44 AM
to django-d...@googlegroups.com
Hi there,

I am following up on [https://www.youtube.com/watch?v=b6KEoNVKFxM Will's great talk during DjangoConEU 2018]. If you haven't watched the talk or don't know what GDPR is, I'd highly recommend watching it before you continue reading. The following message will be a collection of the things that have been discussed during the conferences regarding GDPR.

Purpose of this post:
Discuss the best ways Django as a community can support its developers in dealing with GDPR and building software that is GDPR compliant by design.

We had plenty of discussion afterwards; here is the current common sense:

GDPR is a shift in software design and architecture. It introduces a concept of data ownership on a per-user basis, in contrast to the previous single owner (webmaster). It is now within the responsibility of a web framework to provide not only built-in security but also privacy.

Furthermore, Django does provide built-in ways to store (process) private data, namely

- first name
- last name
- email
- username

all of which can be used to identify an individual. That being said, Django does currently not supply any easy way to ensure GDPR compliance for this data.

After a lot of discussion, it does not seem feasible to just go ahead and implement something in Django just now. Therefore we should create a Django privacy workgroup. The primary focus of this workgroup would be to support the Django community. I would suggest doing this through a DEP (Django Enhancement Proposal) as well as a public tutorial. The tutorial should point out best practices on how to deal with personal or sensitive personal data. How to provide interfaces to ensure portability, the right to be forgotten or processed.

Best
-Joe

--
Johannes Hoppe

www.johanneshoppe.com

Want to chat? Let's get a coffee!
https://calendly.com/codingjoe/coffee

Lennéstr. 19
14469 Potsdam

USt-IdNr.: DE284754038

Vasili Korol

Aug 28, 2018, 5:14:51 AM
to Django developers (Contributions to Django itself)
I outlined the problem of parent domain cookies included in Django's error reports, which may be a problem due to GDPR.
There's a ticket in the Django bugtracker: https://code.djangoproject.com/ticket/29714
And a discussion in the 'developers' group: https://groups.google.com/forum/#!topic/django-developers/rABXPO-xVAo

So far, the proposed solution is to implement better customization of error reports, which would allow disabling the inclusion of cookies.
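
As an added illustration of the idea in the message above (not part of the thread, and not Django's own code or API): a standalone sketch that redacts cookie values from a WSGI-style `environ` dict before it is written into an error report, keeping only an explicit allowlist. The function names, the `keep` parameter and the sample request are assumptions made for this example.

```python
REDACTED = "[redacted]"


def scrub_cookie_header(header, keep=frozenset()):
    """Redact every cookie value in a Cookie header except names in `keep`.

    Cookie names are retained so the report still shows which cookies were
    sent (including ones set by a parent domain) without storing the values.
    """
    parts = []
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, sep, value = chunk.partition("=")
        name = name.strip()
        if not sep or not name:
            # Malformed pair: there is no trustworthy name, so hide all of it.
            parts.append(REDACTED)
            continue
        parts.append(f"{name}={value if name in keep else REDACTED}")
    return "; ".join(parts)


def scrub_environ(environ, keep=frozenset()):
    """Return a copy of `environ` that is safe to include in an error report."""
    cleaned = dict(environ)
    if "HTTP_COOKIE" in cleaned:
        cleaned["HTTP_COOKIE"] = scrub_cookie_header(cleaned["HTTP_COOKIE"], keep)
    return cleaned


# Constructed sample request: the browser also sends cookies that were set by
# the parent domain, plus two malformed pairs.
SAMPLE_ENVIRON = {
    "HTTP_HOST": "app.example.com",
    "PATH_INFO": "/checkout/",
    "HTTP_COOKIE": "sessionid=abc123; _ga=GA1.2.1111.2222; "
                   "django_language=de; =orphan; flag",
}

if __name__ == "__main__":
    report = scrub_environ(SAMPLE_ENVIRON, keep={"django_language"})
    for key, value in report.items():
        print(f"{key}: {value}")
```
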

Johannes Hoppe

Sep 27, 2018, 11:47:02 AM
to Django developers (Contributions to Django itself)
A colleague just referred this new package to me:
