Open-source projects have become a mainstay of the digital world. With almost every developer site, app, and travel review website including a forum or public code, open source is now how the internet functions. However, the passing of the General Data Protection Regulation (GDPR) by the EU has some open-source websites hot under the collar.

Open-source projects are fundamentally different from traditional websites and apps and potentially face more data security risks, as everything is open to the public. What, then, are open-source projects supposed to do to protect data, and how are they to maintain compliance with the GDPR?

Below are some of the major GDPR requirements open-source projects should pay attention to, and how to comply with them.


Open-Source Projects and the GDPR

The GDPR will largely affect open-source projects the same way it affects other websites and companies. The GDPR applies to companies that collect the data of European citizens, no matter where the company is located. Companies and businesses that collect private information such as emails, credit card information, and unique device identifiers all must comply with the GDPR's new data protection rules.

Open-source projects aren't excluded from these regulations. Yes, open-source projects are communities, forum boards, open-source coding, and software. However, they still collect personal data from the contributors at some point.

For example, to contribute or follow a forum on Squarespace you must first log in or create a profile by providing a name and email address.

While many open-source projects may not collect information as sensitive as Social Security Numbers, open-source websites and software companies are still feeling the strict new regulations the GDPR is laying down. Since open-source projects are open to the public, protecting the data of users is even more important for open-source communities and forums than for other types of websites.

Let's take a look at some of the key GDPR features open-source projects need to pay attention to and how they can comply.

One of the biggest changes the GDPR made was related to consent. Companies are now required to obtain consent that has been "freely given, specific, informed, and unambiguous." Implied consent is no longer accepted; it must be expressly given by the user.

If your website or software includes a community or forum for users to contribute to, you likely require them to register by email or sign up before contributing to the community. Before you can do this simple data collection you must first obtain consent from the user.

The best way of obtaining consent and informing your user of the collection of their data is through a Privacy Policy. Providing a robust and understandable Privacy Policy explaining how data is collected, why it is collected, and what you do with the data protects your open-source project. Also, if your open-source project has European users, the GDPR requires a Privacy Policy to be included.

Leading the charge in open-source software compliance with the GDPR is Automattic. Automattic is the open-source software behind the powerhouse websites WordPress and Tumblr. Its Privacy Policy complies with the GDPR and states in simple language how the company collects data and what it does with it:

Automattic Privacy Policy: Intro clause

Automattic goes even further to comply and includes a section dedicated to the GDPR and the rights European citizens have under it:

Automattic Privacy Policy: GDPR clause

You can notify contributors to your community or forum of your Privacy Policy by including a pop-up when they visit the page or by providing a link on the sign-up form, as Discourse does.

Discourse Create Account form

Right to Be Forgotten

The most concerning feature of the GDPR for open-source projects is the Right to be Forgotten. Found in Article 17 of the GDPR, the Right to be Forgotten gives a user the right to request their data be deleted from the forum or code. Companies are required to delete the data unless a few specific exceptions apply.

A company may keep the data only where an exception applies, such as "overriding legitimate grounds," a legal obligation, or the public interest. If you are able to show that deleting the post would fall under one of these exceptions, then your company does not have to delete the data.

This requirement is a major concern for open-source projects, since it is the nature of a forum or community to thrive off of public contributions made by users. In a forum setting, it is easier to delete a post since it won't substantially affect the forum. However, in an open-source code situation, deleting a contributor's code could negatively affect the codebase.

What happens then if a user requests their post on the forum or their individual code to be deleted? How do you maintain the forum and code while also complying with the GDPR? Here are three steps you can follow to comply.

First, you should state in your Privacy Policy that contributors have the right to request their data be deleted. Including this clause helps you comply with the consent requirement and notifies the user of their right to request deletion.

Lonely Planet states in its Privacy Policy that contributors have the right to request deletion for certain reasons, and that it may decline to delete when it is not required to:

Lonely Planet Privacy Policy: Right to Request Deletion clause

Second, the GDPR does not prescribe any specific way of deleting the data, but you must include features in your software that record the request for deletion, notify the user of the deletion, and document how the data is deleted. The best way to do this is by providing a process for a user to delete or edit their post through a separate support page or a link to contact the company.

TripAdvisor offers a page explaining how users can delete or edit their posts and if there are any restrictions on the edit:

TripAdvisor Help Center: How to edit or delete forum posts

Third, when you are required to delete the data, you can put deletion notifications in place.

This type of deletion benefits forums the most. An author removal notification or deletion notification in the forum or community maintains the flow of the forum while also complying with the user's request. If you simply leave the post in place under an anonymous name, you could still face issues, as that does not fully comply with the Right to be Forgotten.

TripAdvisor's author deletion notification stays in the forum, notifying visitors that the post has been removed and telling the author how to change or withdraw their request:

TripAdvisor: Removed Post notice
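The three steps above (record the request, notify the user, and replace the post with a removal notice rather than merely anonymizing it) can be implemented as a small erasure workflow in the forum's post store. The following Python is an added example written for this article; it is not code from TripAdvisor or any project named here. The `Post`, `ForumStore`, and `PSEUDONYM_KEY` names, the sample posts, and the `legal_holds` set (standing in for an Article 17 exception decided elsewhere) are all constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Server-side secret used to pseudonymize the data subject's id in the audit record,
# so the record of the request does not itself keep a directly identifying value.
# Assumption: a real deployment loads this from a secrets store, not from source.
PSEUDONYM_KEY = b"constructed-example-key-do-not-reuse"

# Text left in place of an erased post (step 3: deletion notification).
REMOVAL_NOTICE = "This post was removed at the author's request."


def pseudonymize(user_id: str) -> str:
    """Keyed hash of a user id; stable for the same user, not reversible without the key."""
    return hmac.new(PSEUDONYM_KEY, user_id.encode(), hashlib.sha256).hexdigest()[:16]


@dataclass
class Post:
    post_id: str
    author_id: Optional[str]
    author_name: Optional[str]
    author_email: Optional[str]
    body: str
    removed: bool = False


@dataclass
class ForumStore:
    posts: dict = field(default_factory=dict)
    erasure_log: list = field(default_factory=list)   # step 2: every request is recorded
    outbox: list = field(default_factory=list)        # step 2: the user is notified
    legal_holds: set = field(default_factory=set)     # post ids where an exception applies

    def add_post(self, post: Post) -> None:
        self.posts[post.post_id] = post

    def request_erasure(self, post_id: str, requester_id: str) -> str:
        """Handle a Right to be Forgotten request for one post; returns the outcome."""
        post = self.posts.get(post_id)
        if post is None:
            return "not-found"
        if post.removed:
            self._log(post_id, requester_id, "already-erased")
            return "already-erased"
        # Only the data subject (the post's author) can have their own data erased here.
        if post.author_id != requester_id:
            self._log(post_id, requester_id, "rejected: requester is not the author")
            return "rejected"
        if post_id in self.legal_holds:
            # An exception applies: the data is kept, but the request is still
            # recorded and the user still gets an answer.
            self._log(post_id, requester_id, "retained: exception applies")
            self.outbox.append((requester_id, f"Post {post_id} retained: an exception applies."))
            return "retained"
        # Step 3: remove identifiers AND content. Keeping the body under an
        # anonymous name would not be full erasure; only the notice remains.
        post.author_id = None
        post.author_name = None
        post.author_email = None
        post.body = REMOVAL_NOTICE
        post.removed = True
        self._log(post_id, requester_id, "erased")
        self.outbox.append((requester_id, f"Post {post_id} has been deleted as requested."))
        return "erased"

    def _log(self, post_id: str, requester_id: str, outcome: str) -> None:
        self.erasure_log.append({
            "post_id": post_id,
            "subject": pseudonymize(requester_id),
            "outcome": outcome,
            "at": datetime.now(timezone.utc).isoformat(),
        })


def build_sample_store() -> ForumStore:
    """Constructed sample data: two posts by one author (one under a hold) and one by another."""
    store = ForumStore()
    store.add_post(Post("p1", "u42", "Alice", "alice@example.org", "First post"))
    store.add_post(Post("p2", "u42", "Alice", "alice@example.org", "Reply in a thread"))
    store.add_post(Post("p3", "u7", "Bob", "bob@example.org", "Another post"))
    store.legal_holds.add("p2")
    return store


if __name__ == "__main__":
    store = build_sample_store()
    for post_id, requester in [("p1", "u42"), ("p2", "u42"), ("p3", "u42")]:
        print(post_id, store.request_erasure(post_id, requester))
    print(store.posts["p1"].body)
```

The audit log keeps a keyed pseudonym of the requester rather than the raw id, so the evidence that a request was handled does not reintroduce the identity that was just erased; the key, not the log, is what must be protected.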

For open-source code hosting sites, it is a little harder to comply with this new right. A deletion notification doesn't really work in code. However, open-source code sites may be able to contend that deleting a contributor's code would substantially affect the overall codebase. In this case, you could argue there is a "legitimate interest" in keeping the data to maintain the code.

These rules are still fairly new, so nothing is guaranteed; it's best to err on the side of caution and look at all of your options.

Privacy by Design and Data Protection

The GDPR was created for the "protection of natural persons with regard to the processing of personal data." This means data protection is at the center of the GDPR. Privacy by Design, or "data protection through technology design," is when data protection is integrated into every software, forum, and technology used by a website. To comply with the GDPR, this data protection integration must be present.

This requirement can pose a major issue for open-source projects. Open-source projects by nature allow users to freely enter code or posts and every change is open to the public. Constantly protecting the data when there are so many contributors can be a nightmare, especially as open-source software has now become the norm for websites.

There is still some confusion as to exactly what Privacy by Design is and how to implement it. Thankfully, the GDPR does give some clues to processes open-source projects can use to incorporate Privacy by Design. These can include:

  • User identification
  • Use of ISO standards
  • Inclusion of the state of the art and reasonable implementation costs
  • Use of encryption, anonymization of data, and pseudonymization when necessary
  • Analysis of the scope and type of data processing
  • Regular data testing

Regular data testing is one of the major ways to comply with the GDPR's protection requirements. Data testing allows your company (in this case open-source projects) to check for any security issues in the forums or misuse of the coding.

WordPress has security procedures that state how it runs regular testing of all of its services to check for potential issues. Since WordPress is a community, it also asks users to help identify potential issues:

WordPress Support: Security Testing section

There is no one way to protect the data, but what we can understand from the GDPR is that many processes should be used to fully protect private data.

Right to Access

The GDPR extended a user's rights over their data, in particular the right to access the information a company has collected about them. The right to access is important for open-source projects because it is the starting point for all other rights (e.g., the Right to be Forgotten). Making your users and contributors aware of their rights is required by the GDPR.

Wix helps people create personal blogs along with providing support forums. Wix notifies users of their rights through its Privacy Policy. The policy states the rights users and forum contributors have to their information and how to make a request to access the data:

Wix Privacy Policy: Your rights in relation to your personal information clause

Use your Privacy Policy to explain user rights as well as your practices regarding these rights. Include contact information where users can reach out to you if they wish to exercise these rights or just have general questions for you about anything related to privacy.

Open-Source Support Software

Open-source forums and companies are slowly adapting to and implementing the GDPR's requirements. Even though there are some grey areas when it comes to the Right to be Forgotten and Privacy by Design, companies have fortunately been creating software to help you comply with the GDPR.

Since the GDPR was enacted in 2018, open-source software companies have been updating and creating GDPR Compliance Kits to help partners who use their software comply with the GDPR. These compliance kits can include encryption features, file auditing, security testing, and even GDPR-approved plug-ins.

Magento created a GDPR Compliance Kit and includes multiple versions of the GDPR-compliant software and information on how it maintains compliance. Magento also provides support for its partners when dealing with the GDPR:

Magento and GDPR: Compliance summary

Many of these companies are also open source themselves. GitHub has an open-source repository where contributors can add code to help complete the GDPR checklist and continually update GitHub's GDPR compliance:

GitHub Privacy: GDPR checklist open-source files

These software programs are continually changing (thanks to open-source development), and many more are sure to pop up as time goes on.

Open-sourcing is now how companies and websites create communities and profit. Open-source projects are different from traditional websites with their forums and public coding, but they still must follow the GDPR and data protection laws.

Fortunately, there are some simple ways to comply with the GDPR, and software programs are being developed daily to make the transition to GDPR compliance easier for open-source websites.