Janne Kalliola
Exove
Managing Complexity and
Privacy Debt with Drupal
Tallinn, November 2, 2018
Agenda
§ About Exove and myself
§ Complexity in modern software
§ Privacy debt
§ Drupal to the rescue
About Exove
§ Digital design and development
company in Finland, Estonia, the
UK, and Singapore
§ Full service portfolio from
business consulting and service
design to development and care
§ We serve both multinational giants
and new start-ups alike
We deliver digital growth
More about us:
§ www.exove.com
§ www.exove.com/gdpr
§ @exove
About Janne Kalliola
§ Founder and CEO of Exove
§ Continuent, First Hop, SSH,
Helsinki University of Technology
§ Been coding since 1983, first web
stuff in 1994
§ Worked with web publishing and
content management systems
since 1999
§ I’ve written three CMS in the past
§ Worked with open source since
1998, with Drupal from 2007
More about me:
§ www.kallio.la
§ linkedin.com/in/jannekalliola
§ @plastic
Complexity and Privacy
Complexity and Modern Software
§ Modern software development practices, the fast pace of the industry,
and changing demands cause software platforms to be layered,
multifaceted and complicated systems
§ A system consists of numerous interconnected subsystems created with
various technologies, deployed with different tools, and hosted in several
places
§ The complexity of the system is easily hidden under a number of layers and
facades
Privacy Aspect
§ GDPR requires companies to specify how they manage private data
§ If the system is complicated – as they typically are – understanding the
management is hard
§ Besides, there are a number of places where private data is stored
temporarily or permanently during processing
§ Log files, etc.
§ This is not the focus of today’s discussion, but it is good to know
Documentation Can Mislead
§ Typical IT system documentation is non-existent
§ If it does exist, the documentation is typically a somewhat simplified view of
the architecture
§ Sometimes very simplified
§ Finally, it is most probably also outdated
§ If the system’s documentation is from the era before GDPR, it does not focus
on data privacy much or at all
Example Architecture Diagram
The Same System, Zoomed in
§ Varnish or CDN in the front
§ Web server logs
§ Platform logs
§ Local caches
§ Uploaded binary files
§ Maillog of all the sent emails
§ Backups of the servers
§ SQL logs
§ Binary logs on all servers
§ Backups of binary logs
§ Database dumps made by
developers
§ Production dumps to staging
environment
§ Integration platform logs and
local caches
§ Integration platform document
DB oplogs
§ SaaS messaging platform logs
and internal database
§ Finally the actual data master,
its logs, backups and
development environment
And That Was Just Data Flows and Storages
§ The previous example was just about data flows and storages
§ It was the physical architecture of a modern platform
§ The logical architecture should reflect the desired functionality of the
system
§ To save time, we do not go through it right now for that system
§ The logical architecture can easily be even messier – as the requirements
of the system change over the years, new features are added, and old ones
are deprecated
Debt
§ Every change that is not done “perfectly” creates debt
§ Bad architecture, wrong components, and features hacked in create
technical debt
§ Non-uniform ways to manage private data and distributing / spreading
out private data create privacy debt
§ Payment is due – sooner or later
§ Debt is paid in refactoring
§ Interest is paid when new features take longer to implement or cannot be
done in an optimal fashion
Privacy Debt
A concept in software architectures that reflects the implied cost of
additional work caused by choosing a non-uniform solution to handle
private data instead of using a commonly used or more centralised
approach.
Privacy Debt in Practice
§ Every time a new way to deal with private data is added to the system,
the complexity – and privacy debt – increases
§ And vice versa, if something is centralised or made more uniform, the debt
decreases
§ The debt is paid every time an individual uses one of her rights
§ The rights-honouring process is more complex than it could be because the
handling of private data is implemented in various different ways
Reducing the Privacy Debt
§ Uniformity: Define and apply uniform ways to handle private data. The data itself is
typically mostly the same in most of the systems, and it can be handled using the
same procedures. If possible, define the data uniformly and use that definition in all
applicable systems
§ Reduction: Move data outside of the systems, such as by using an SSO solution, and
minimise the personal data stored in a business system
§ Encapsulation: Require all new systems to expose APIs to ensure the users’ rights on
that system
§ Centralisation: Create a centralised system that handles all – or the bulk of – users’
rights. Connect all your systems, one by one, to this centralised private data
management platform
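An added sketch of the encapsulation and centralisation points above (not part of the original slides, and not Drupal code): every connected system exposes the same export/erase API, and one hub fans an erasure request out and reports what is left over. All class names, system names and records are hypothetical and constructed for the example.

```python
"""Added sketch (not Drupal code): one hub honouring a data subject's request.
System names, classes and records are hypothetical and constructed for the example."""
from abc import ABC, abstractmethod


class PrivateDataAdapter(ABC):
    """Encapsulation: the uniform API every connected system exposes."""
    name: str

    @abstractmethod
    def export(self, subject): ...

    @abstractmethod
    def erase(self, subject): ...


class KeyedStore(PrivateDataAdapter):
    """One record per person, e.g. a CRM."""
    def __init__(self, name, records):
        self.name, self.records = name, dict(records)

    def export(self, subject):
        return [self.records[subject]] if subject in self.records else []

    def erase(self, subject):
        return 1 if self.records.pop(subject, None) is not None else 0


class RowLog(PrivateDataAdapter):
    """Person scattered over many rows, e.g. a mail log or its backup."""
    def __init__(self, name, rows, writable=True):
        self.name, self.rows, self.writable = name, list(rows), writable

    def export(self, subject):
        return [r for r in self.rows if r["email"] == subject]

    def erase(self, subject):
        if not self.writable:
            raise PermissionError(f"{self.name} is read-only")
        before = len(self.rows)
        self.rows = [r for r in self.rows if r["email"] != subject]
        return before - len(self.rows)


class RightsHub:
    """Centralisation: a single place that fans a request out to all systems."""
    def __init__(self):
        self.adapters, self.unconnected = [], []

    def export(self, subject):
        return {a.name: a.export(subject) for a in self.adapters}

    def erase(self, subject):
        report = {"erased": {}, "failed": {}, "manual": list(self.unconnected)}
        for a in self.adapters:
            try:
                report["erased"][a.name] = a.erase(subject)
            except Exception as exc:  # one failing system must not hide the rest
                report["failed"][a.name] = str(exc)
        # The request is only done when nothing failed and nothing needs manual work.
        report["complete"] = not report["failed"] and not report["manual"]
        return report


def build_demo_hub():
    mails = [{"email": "ann@example.test", "subject": "Welcome"},
             {"email": "bob@example.test", "subject": "Welcome"},
             {"email": "ann@example.test", "subject": "Receipt"}]
    hub = RightsHub()
    hub.adapters += [
        KeyedStore("crm", {"ann@example.test": {"name": "Ann"}}),
        RowLog("maillog", mails),
        RowLog("maillog-backup", mails, writable=False),
    ]
    hub.unconnected.append("staging-db-dump")  # no adapter yet: unpaid privacy debt
    return hub


if __name__ == "__main__":
    print(build_demo_hub().erase("ann@example.test"))
```

The read-only backup and the unconnected staging dump are what keep `complete` false: they are the places where the request still has to be handled by hand.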
Drupal and Privacy Debt
Drupal to the Rescue
§ Drupal has numerous built-in tools to manage arbitrary content,
structured and unstructured
§ And more can be installed as modules
§ Private data is in the end just data, and it can be managed with the same
tools
§ Besides, Drupal also has a good user rights management subsystem
§ GDPR requires restricting access to private data to only those that need it
§ This can be achieved easily with Drupal’s user rights
API and Headlessness
§ Drupal has an extensive REST API
§ It can thus also be used as a headless private data repository
§ The centralised solution to manage privacy debt
§ Authentication, authorisation, and user rights allow controlling external access to
private data
§ Thus every system does not get to see the full amount of data, but only the
relevant subset – this, of course, requires careful planning of the data structures
§ It can also be integrated with other systems to work as a consumer of private
data
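An added sketch of the "only the relevant subset" point above (not part of the original slides, and not Drupal's REST API): each consuming system gets a deny-by-default view of the central record, and the grants can be checked against the schema and inverted to show which systems can read each field. Consumer names, field names and the record are hypothetical and constructed.

```python
"""Added sketch: per-consumer field subsets of one central person record.
Consumers, fields and the record are hypothetical and constructed."""

SCHEMA = {"uid", "name", "email", "phone", "street_address", "date_of_birth"}

# Deny by default: a consumer reads only the fields listed for it.
GRANTS = {
    "newsletter": {"uid", "email"},
    "shipping": {"uid", "name", "street_address", "phone"},
    "analytics": {"uid"},
}

RECORD = {"uid": 7, "name": "Ann Example", "email": "ann@example.test",
          "phone": "+000 555 0100", "street_address": "1 Sample Street",
          "date_of_birth": "1990-01-01"}


def validate_grants(schema, grants):
    """Return, per consumer, granted fields that do not exist in the schema."""
    return {c: sorted(f - schema) for c, f in grants.items() if f - schema}


def view_for(consumer, record, grants=GRANTS):
    """Project the record onto the fields this consumer is allowed to read."""
    allowed = grants.get(consumer)
    if allowed is None:
        raise PermissionError(f"unknown consumer: {consumer}")
    return {k: v for k, v in record.items() if k in allowed}


def exposure(grants=GRANTS):
    """Invert the grants: for each field, which consumers can read it."""
    out = {}
    for consumer, fields in grants.items():
        for f in fields:
            out.setdefault(f, []).append(consumer)
    return {f: sorted(c) for f, c in sorted(out.items())}


if __name__ == "__main__":
    print(view_for("newsletter", RECORD))
    print(exposure())
```

The exposure map doubles as the list of systems to contact when a person exercises a right over a given field.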
Rules
§ Besides storage and connectivity, Drupal can also be used as an automatic
private data management platform
§ Private data can be altered and removed using Rules functionality
§ Of course, creating your own modules to manipulate the data is also an option
§ Especially if the business logic is hard to implement with Rules
Views
§ As Drupal is also a publishing platform, various end-user views can be
constructed easily
§ These can be either for viewing only or also for CRUD operations on the data
§ Again, restricted and controlled by the user rights
§ Drupal admin UI provides a quick and easy way to implement these
§ But implementing real end-user templates might make the system more
approachable to a common user
§ And the functionality can be different for people having access to the front-end
and those having access to the Drupal admin UI in its entirety
GDPR User Rights and Drupal
§ GDPR rights (right of rectification, right of removal, etc.) can be
implemented using Drupal’s admin UI
§ A user wanting to exercise rights contacts an operator with admin rights and
the operator makes the changes within admin UI
§ Another option is to provide users a self-service view to see their
information as a normal Drupal-provided web page
§ Depending on the business/use case, there might also be a possibility to
remove and change the information as self-service
§ Or a simple contact form or email address for sending the requests to an
operator
GDPR Module
§ There is a specific GDPR module for Drupal
§ https://www.drupal.org/project/gdpr
§ The focus of the module is to provide support for handling GDPR
requirements and user rights in websites powered by Drupal
§ The module is not straightforwardly useful in this scenario
§ However, GDPR fields and GDPR tasks submodules could have benefits in
organising the information
§ As usual, your mileage may vary when using modules for something other than their
precise intended purpose
§ The future features look interesting – thus consider contributing
Caveat Emptor
§ Remember that Drupal has a nasty habit of creating users automatically
when using an external authentication service
§ Each external user who has ever logged in has a Drupal account
§ And this feature cannot be turned off
§ Thus, you will end up spreading your user information to a new platform –
whether you like it or not
Recap
Recap
§ Complexity combined with privacy requirements can make systems very
hard to manage
§ The concept of privacy debt allows you to think about the future consequences of
bad choices made today
§ Drupal is an excellent tool to manage private data due to its versatility,
ready-made tools, and adaptability in various scenarios
Thank You!
Questions? Comments?
