The tech sector has undermined personal privacy in the constant pursuit of the latest shiny thing. Privacy is a core component of our democracy and is essential for free expression.

Most have assumed that it is built into the online tools that they use every day. This isn't the case. The media coverage of Cambridge Analytica and Facebook how dangerous this is. The model of surveillance capitalism put forward by Google is now very advanced. Big Data & Artificial Intelligence gives businesses more insights than Big Brother dreamed possible.

Many people are coming to the realization that some state regulation is needed if we are to protect individual freedoms.

Europe has recently instituted the General Data Protection Regulation (GDPR). This legislation is groundbreaking as it not only applies to people in Europe, but to everyone with a European citizenship. How many websites around the world know that they do not have members who have European citizenship?

For the first time, there are real fines associated with not protecting the rights of European Citizens. Violators face fines of up to 4% of annual global revenue or €20 million (whichever is greater).

Most organizations in North America are unaware of the potential implications. Most organizations here probably won't be the first targets, for the European Union, but that is a big risk. The European Commission, the EU’s legislative arm, may choose to be aggressive on the world stage.

I first got involved in looking at the GDPR in early 2017. It seemed that this regulation was something that was complex enough that it should be in Drupal Core. So I started a Drupal issue.

In a CMS like Drupal, it is fair to assume that 80% of the implementations might have some ties to the GDPR. Outside of Europe, the urgency is reduced but for most organizations, it doesn't disappear. My view was that as much as possible should be done at the root of the problem. For many organizations, that is a front facing application like Drupal or WordPress.

Now there is only a small amount that a website can do to bring you to GDPR compliance. As with accessibility, there is value in documenting what you have done for the public. Just like we have a public accessibility statement, we also one for privacy. Users need to have an easy way to know what data you are collecting and how long you keep it for.

There are good efforts in many open source communities to collaborate on building a best practice. These won't be completed for the May 25th deadline, but are still important. It is great to see the leadership from the WordPress and Typo3 communities. There are some great initiatives in Drupal too, including the formation of a Drupal GDPR Compliance Team. This is a community effort to collect and organize improve privacy in our community.

Privacy is a big thing. As with security, there are going to be some elements that really should be dealt with in Drupal Core. The GDPR legislation goes much deeper than this though and will vary much depending on the data collected. There are some great modules that released that are making this much easier. Some changes will need to be made in popular modules that collect user data. There are also challenges like dealing with backups and verifying removal.

More important than the technology is the social side of complying with the GDPR. Documenting the work that has been done, changing the organizational workflow. Ensuring that an organization is legally compliant. The biggest challenge though is in changing the culture so that we challenge ourselves to ask "why are we collecting this information?" - there is a lot of information collected that we just don't need but ask for anyway.