GDPR from EU and Concrete5
Hello, will Concrete5 implement the new GDPR (General Data Protection Regulation) EU regulation into the core Concrete5 or not? Other CMS are working on it.
Thanks for the answers.
I'm sorry, I speak little English.
Hello,
1, In the case of personal data collection in the contact form, registration and general comments:
- Right to erasure
- Data portability
- Consent to the processing of personal data
- Records of activities with personal data (name, ip, e-mail etc.)
- Right to change personal data
- Encryption of personal data
etc.
2, If you want to continue running Concrete5 and you have a registration, contact form, demand etc., you can't run this CMS in the EU without these changes. Good reason? I have to overwrite a large part of Concrete5 for my client.
3,
WordPress:
https://wptavern.com/wordpress-telemetry-proposal-addresses-long-sta...
Drupal:
https://www.drupal.org/project/gdpr...
This is GDPR: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation...
It is a big change for personal data ... I know it's hard, but if others put in at least part of what GDPR needs and Concrete5 does not, it will be difficult to continue using it. That's why I ask about the future of the CMS. Otherwise, I have no reason to spend longer. It's just a question ......
I apologize for the brevity, but my English is bad :o)
At first glance, the WordPress link can be summarised as:
- We could add a bunch of extra user activity tracking to see what aspects of WordPress the sites are actually using
- Then later.... that sort of tracking functionality will be subject to GDPR
If you don't implement such tracking, the privacy implications of such tracking are not relevant.
- Page Statistics should be turned off
A few thoughts on other aspects
- The act of registering grants consent to use data within the scope of that registration (as per previous data protection legislation), but not any further.
- Encryption can be handled by the server.
- If a user has access to their profile, they can edit their personal attributes.
Which leaves portability and erasure.
- C5 could implement a button or link from a user's profile that says 'Delete me and all attributable traces of me'. On an eCommerce system, that could also mean 'delete all records of my purchase, and hence make it impossible to manage any warranty associated with that purchase'.
- Do we really need to worry about universal portability of data before our governments manage to achieve it? Notorious government IT failures continue to feature data portability as a reason for the farce. We could pay lip service to it with a data download/upload from a user's profile in a common format such as csv, xml or json. That would be of more use as a bulk facility to site owners when moving sites than to individual users.
Very much agree with what John said. Most duties apply to whoever runs the site, but a deletion/export feature would be nice, given the need to not interfere with accounting/warranty things.
By how the law will be applied (site hosted in US but has EU customers), it will be necessary for anybody running a website, if you don't want to lock EU citizens out.
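The export and "delete me" feature discussed in the two posts above, sketched as an added example that is not from any poster and is not concrete5 code. The table and column names and the sample rows are constructed, and keeping de-identified order rows is one assumed way to leave accounting and warranty records intact.

```python
import json
import sqlite3

# Constructed schema and sample rows; table and column names are hypothetical,
# not concrete5's own database layout.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
CREATE TABLE form_entries (id INTEGER PRIMARY KEY, user_id INTEGER, ip TEXT, message TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, ship_name TEXT, item TEXT, total REAL);
INSERT INTO users VALUES (1, 'Alice Example', 'alice@example.org'), (2, 'Bob Example', 'bob@example.org');
INSERT INTO form_entries VALUES (1, 1, '192.0.2.10', 'Please call me'), (2, 2, '192.0.2.20', 'Hi');
INSERT INTO orders VALUES (100, 1, 'Alice Example', 'Lamp', 49.0), (101, 2, 'Bob Example', 'Desk', 199.0);
"""

PERSONAL_TABLES = ("form_entries", "orders")  # every table keyed by user_id


def make_db():
    """Build the in-memory sample database."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript(SCHEMA)
    return db


def export_user(db, user_id):
    """Portability: everything attributable to one user, as a JSON document."""
    profile = db.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchone()
    if profile is None:
        raise KeyError(f"no such user: {user_id}")
    bundle = {"profile": dict(profile)}
    for table in PERSONAL_TABLES:  # fixed allow-list, never user input
        rows = db.execute(f"SELECT * FROM {table} WHERE user_id = ?", (user_id,))
        bundle[table] = [dict(r) for r in rows]
    return json.dumps(bundle, indent=2, sort_keys=True)


def erase_user(db, user_id):
    """Erasure: drop profile and form data, keep de-identified order rows."""
    with db:  # one transaction: all steps commit or none do
        db.execute("DELETE FROM form_entries WHERE user_id = ?", (user_id,))
        # Accounting/warranty rows stay, but no longer point at a person.
        db.execute("UPDATE orders SET user_id = NULL, ship_name = '[erased]' "
                   "WHERE user_id = ?", (user_id,))
        deleted = db.execute("DELETE FROM users WHERE id = ?", (user_id,)).rowcount
    return deleted == 1
```

Any new table that stores a `user_id` has to be added to `PERSONAL_TABLES` and to `erase_user`, otherwise it is silently left out of both the export and the erasure.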
It's very easy to set up GDPR with the GDPR Buster app (http://gdprbuster.com/); this app can prevent pixels from firing before they provide consent for it.
In case you didn't notice, GDPR Buster is a Shopify app and this is a Concrete5 forum.
GDPR add-on for concrete5: https://www.concrete5.org/marketplace/addons/gdpr/...
From what I understand, it is the responsibility of the data people using the CMS and gathering or processing data to deal with the regulation. Concrete5 certainly offers more than one way to gather, process, and manage data and that should be enough for the user to comply with the regulation.
So my questions are:
1- What should the software do to comply?
2- Why should it be the software's responsibility?
3- And do you have examples of CMSs doing it, to try to understand how they do it?
Thank you