Understanding the High Stakes: GDPR Compliance in Umbraco
The GDPR is EU law, and it backs its requirements with stringent penalties for non-compliance.
Violations can lead to fines of up to €20 million or 4% of the organization's annual global turnover, whichever is greater.
These penalties underline the importance of integrating GDPR principles into how personal data is handled in Umbraco projects.
For detailed information, please refer to the article What is GDPR, the EU's new data protection law.
Does Umbraco CMS collect personal data?
Umbraco CMS stores personal data about its back-office users and registered members out of the box, and a site built on it collects more from visitors, much like any online platform.
This data collection can occur in various ways, such as when a visitor fills out a contact form on your site, registers for an event, or uses your services.
You might also collect data through user behavior tracking to enhance site functionality or through feedback forms.
Essentially, Umbraco CMS enables the collection of significant user information to optimize the website's functionality and user experience, and all of it falls under the GDPR.
How do Umbraco websites collect user information?
Umbraco websites gather user information through a variety of technical and interactive methods, including:
- Server and Database Logs: Maintaining logs to monitor user actions, errors, and system performance, ensuring a secure and optimized user experience.
- Database Storage: Storing data in database tables for comprehensive user management and personalized content delivery.
- Analytics Tools: Employing tools for detailed analytics and user tracking to understand site usage patterns.
- Cookies and Tracking: Using cookies, IP address logging, and geolocation to analyze user behavior and preferences.
- Website Forms: Utilizing contact forms, newsletter sign-ups, and other interactive elements for direct user data collection.
- Comments: Allowing users to leave comments, providing insights into user opinions and engagement.
- Payment Gateways: Integrating with payment systems to process transactions and collect financial data.
- Custom User Interactions: Capturing data from custom-built user interaction points, like quizzes, polls, or event registrations, to gain insights into user preferences and behaviors.
- Device Usage Patterns: Tracking the types of devices used to access the site (mobile, desktop, tablet) to optimize design and functionality for varied user experiences.
- Language Preferences: Identifying users' language settings to offer more personalized content and improve accessibility for a global audience.
- E-commerce Activity: Analyzing e-commerce interactions, including browsing history, purchase details, and product preferences, to tailor user experiences and enhance service offerings.
- Third-Party Integrations: Collecting user data through third-party plugins or services integrated into the Umbraco site, such as CRM systems or marketing automation tools, to enrich user profiles and personalize interactions.
- Feedback and Support Forms: Utilizing forms designed explicitly for user feedback, support queries, and service requests to understand user needs better and enhance service quality.
- Social Media: Tracking likes, shares, and social interactions to gauge content popularity and user engagement.
Finding personal data in the Umbraco database
Umbraco stores users' data, such as email or name, in database tables.
In what tables, you may ask? It's a million-dollar question.
To locate sensitive data, you can search every text column of every table with a T-SQL script.
I recommend using the script from the article Searching for text across multiple tables in SQL Server.
Let's perform an example search in three different Umbraco databases to find out.
I will take the SQL script and adjust the target string.
I will use my last name, 'bach', to give you an overview of the tables storing personal data.
Looking for personal data in the Umbraco 8 database
Here is the query output:
Looking for personal data in the Umbraco 11 database
And here is a lookup for a different data set in Umbraco 11:
Looking for personal data in the Umbraco 13 database
Here is a look-up for the Umbraco 13 database with custom tables storing e-commerce data:
After examining three different Umbraco databases, it's evident that most personal data resides in the [umbracoAudit], [umbracoUser], and [cmsMember] tables.
This method also finds sensitive data in any custom tables you may have in your Umbraco setup.
For example, [EmailMessage] and [Order] if you're working with an e-commerce store.
If you want to remove users from the Umbraco database - don't miss the How to Delete Umbraco User Permanently article.
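As an added example (this is not the script from the linked article and not Umbraco's own code), here is a T-SQL version of that search. It walks every string-typed column of every user table in the current database, runs a parameterized LIKE against each one, and reports the table, column and number of matching rows. The search string 'bach' is the one used above; the temp table name #Hits is my own choice.

```sql
-- Added example: find which tables and columns of an Umbraco database
-- contain a given text, e.g. a surname or an email address.
-- Run it against a copy or a read-only replica with an account that only
-- needs SELECT; it scans every table.
SET NOCOUNT ON;

DECLARE @SearchText nvarchar(200) = N'bach';   -- the value being looked for (author's example)

-- Escape LIKE wildcards so that a search for "100%" or "a_b" is literal.
-- '[' must be handled first, because the other replacements introduce it.
DECLARE @Pattern nvarchar(400) = N'%'
    + REPLACE(REPLACE(REPLACE(@SearchText, N'[', N'[[]'), N'%', N'[%]'), N'_', N'[_]')
    + N'%';

IF OBJECT_ID('tempdb..#Hits') IS NOT NULL DROP TABLE #Hits;
CREATE TABLE #Hits (
    TableName  sysname NOT NULL,
    ColumnName sysname NOT NULL,
    MatchCount int     NOT NULL
);

DECLARE @Schema sysname, @Table sysname, @Column sysname, @Sql nvarchar(max);

-- Only string-typed columns can hold the text; this also covers JSON and
-- property values stored in ntext / nvarchar(max) columns.
DECLARE col_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS AS c
    JOIN INFORMATION_SCHEMA.TABLES  AS t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar', 'text', 'ntext');

OPEN col_cursor;
FETCH NEXT FROM col_cursor INTO @Schema, @Table, @Column;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- Identifiers go through QUOTENAME; the search value is passed as a
    -- parameter to sp_executesql, never concatenated into the statement.
    SET @Sql = N'INSERT INTO #Hits (TableName, ColumnName, MatchCount) '
             + N'SELECT @t, @c, COUNT(*) FROM '
             + QUOTENAME(@Schema) + N'.' + QUOTENAME(@Table)
             + N' WHERE CAST(' + QUOTENAME(@Column) + N' AS nvarchar(max)) LIKE @p '
             + N'HAVING COUNT(*) > 0;';

    EXEC sp_executesql @Sql,
         N'@t sysname, @c sysname, @p nvarchar(400)',
         @t = @Table, @c = @Column, @p = @Pattern;

    FETCH NEXT FROM col_cursor INTO @Schema, @Table, @Column;
END

CLOSE col_cursor;
DEALLOCATE col_cursor;

-- One row per table/column that contains the text, most hits first.
SELECT TableName, ColumnName, MatchCount
FROM #Hits
ORDER BY MatchCount DESC, TableName, ColumnName;
```

Two caveats when reading the output: case sensitivity follows the column collation (the SQL_Latin1_General_CP1_CI_AS collation Umbraco installs with is case-insensitive, so 'bach' also matches 'Bach'), and only text-typed columns are scanned, so values kept in binary or varbinary columns are not found. Columns such as umbracoPropertyData's varcharValue and textValue, where member property values end up in Umbraco 8 and later, are covered.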
Encrypting Umbraco database files on Azure
A lot of Umbraco solutions are hosted on Azure.
Azure is Microsoft's cloud platform; Microsoft is headquartered in Redmond, USA, outside the EU, although where your data physically resides depends on the Azure region you choose.
If you go to the GDPR website, you will find the following:
First, if you process the personal data of EU citizens or residents, or you offer goods or services to such people, then the GDPR applies to you even if you’re not in the EU.
This means you need to secure your database files hosted on Azure or any other cloud provider outside the EU.
The good news is that Azure SQL Database can encrypt the database files, backups, and logs at rest with Transparent Data Encryption (TDE); newly created databases get it enabled by default with a service-managed key, but check the setting rather than assuming it.
You can enable the feature in 3 steps:
- Find the database in the Azure Portal.
- Navigate to the Security section and then to Data Encryption.
- Enable the "Data encryption" option under the 'Transparent data encryption' tab.
You can also enable Transparent data encryption at the SQL server level with a customer-managed key.
TIP: It's common practice to store your encryption keys in Azure Key Vault.
Keep in mind that TDE only protects data at rest: anyone who can connect to the database, including the application's own connection string, still sees the plaintext, so it complements rather than replaces access control on the database and its credentials. After enabling it, verify the state from T-SQL: the encryption_state column of sys.dm_database_encryption_keys should be 3 (encrypted) for the database.
Finding personal data in the Umbraco log files
Umbraco log files are another place where you should review personal data.
Usually, you will find them in the UmbracoProject.Web\umbraco\Logs path (in Umbraco 8 and earlier, under App_Data\Logs). Since Umbraco 8 they are Serilog JSON files with one event per line, so a plain text search works line by line.
To illustrate, I will perform a simple search on my local file system using the popular Total Commander tool:
Compliance Strategies and Tips for Umbraco Log Files
Conduct Regular Checks
Schedule a monthly review of the log files to identify any unintended storage of personal data.
Use grep or log management software to automate the search for personal identifiers such as email addresses and IP addresses.
Data Minimization
Modify the logging settings in Umbraco (the Serilog configuration in Umbraco 8 and later) to exclude unnecessary personal details, and make sure your own code never logs form submissions, email addresses or IP addresses.
Secure Storage and Encryption
For Azure cloud environments, utilize Azure Blob Storage to store log files with encryption enabled.
Ensure that the storage account is accessible only through secure channels.
Prefer private blob containers over public ones to avoid potential security risks.
You will find more insights and recommendations in the article Integrating Umbraco with Azure Private Blob Storage.
Access Control
Implement role-based access controls in Umbraco and Azure, ensuring that only staff members with a legitimate need can access log files.
Regularly review and update access permissions.
Final Thoughts: Achieving and Maintaining GDPR Compliance in Umbraco
When integrating GDPR principles into your Umbraco project, it's crucial to focus on user consent, data minimization, and the ability to easily access, rectify, and erase personal data.
You must ensure that data is securely stored and transmitted and that privacy-friendly settings are the default.
Additionally, it's essential to document all data processing activities and ensure that third-party plugins used within Umbraco are also GDPR compliant.
It is also recommended that regular GDPR compliance audits be conducted and that a Data Protection Officer (DPO) be appointed for larger projects.
This article has covered three key areas of GDPR compliance for an Umbraco site:
- securing user data within database tables,
- protecting personal information in file logs,
- and enhancing consent mechanisms.
However, remember there are numerous other aspects to consider for full compliance.
Ready to take action?
Many projects fail due to a lack of expertise - even from Umbraco Partners.
If you’re overwhelmed or unsure where to start, our team is here to help.
With years of experience, we specialize in identifying and resolving issues that could hold your website back.
When you choose our Umbraco Developers, you’ll receive an ultra-detailed report packed with actionable steps to implement improvements.
In fact, we typically uncover over 100 areas for improvement in every project we analyze, ensuring your website performs at its absolute best.
👉Don’t wait, and contact us today.