You, or your company, want to build a website. Maybe you already have one, but want to start using a Content Management System (CMS), or switch to another from your current one. Here’s a refresher on what a CMS is: it’s a software content system that enables you to create and modify digital content, such as website pages. A few well-known CMS examples that we will touch on in this post are Wordpress, Joomla, Drupal, and HubSpot.
Wordpress, Joomla, and Drupal are open source software you can use to create a website, blog, or app. For the sake of optimised functionality, very few businesses use these CMSs just in themselves, without having it connected to additional software, such as plug-ins in Wordpress, modules in Drupal, extensions in Joomla, or integrations in HubSpot.
HubSpot’s CMS is aimed towards marketing, it contributes to marketing efforts by providing detailed insight into your customers and leads data, using tracking technology in your website and emails.
Every organisation has different needs, therefore the pros and cons of the various CMSs will also differ accordingly. As such, this blogpost is not meant to give you a list of pros and cons, rather to provide an idea on what to look out for from a privacy perspective when deciding on a certain CMS. In the end, you, as a privacy professional, business owner, or enthusiast, know best what your organisation truly needs. It’s important that you do some research though, through posts like this one for instance, as making the wrong choice of CMS could come with a large price tag, with penalties up to €20 million, or 4% of your organisation’s worldwide annual revenue as per the GDPR.
In broad strokes, to make an informed choice, you will need to investigate your website’s security with a specific CMS: what information you’ll share with the CMS, and what information you’ll share with third parties. You will need to set this off against the cost, ease of use, and other needs.
A key principle of the GDPR is that you process personal data securely by means of “appropriate technical and organisational measures” (Article 32 GDPR). This includes third parties, like processors, for which your organisation is responsible. Some security issues might already be covered by the measures required to get certified. Keep in mind that neither acquired certification, nor having a CMS with great security plug-ins will make you GDPR compliant by themselves.
WordPress, Drupal, Joomla, and HubSpot all have a security pages on their websites where you can check which security measures they have taken exactly. Bear in mind, that you might need additional plug-ins to secure your website, especially in case you use the CMSs WordPress, Drupal, or Joomla. HubSpot takes care of a lot of your CMS’ security issues, whereas with the other CMSs, it depends on your hosting provider’s security and plug-ins that take care of firewalling, routing, intrusion prevention, and behaviour analytics.
While using plug-ins which offer extra security measures for your CMS is advised, unexpectedly, this might actually increase the risk that one of those used plug-ins isn’t sufficiently free from all security vulnerabilities. This is because more plug-ins mean more software management when it comes to maintenance and security concerns; outdated plugins can prove to be a way in which hackers steal information or get control of your site.
Specifically, for the sake of compliance, it’s important to ask the following questions when choosing a CMS or an additional plug-in for the software:
I. Would the CMS or plug-ins get access to personal data?
II. If so, how can they use this personal data?
III. Which types of personal data does the CMS or do plug-ins already have access to?
IV. Which personal data would the CMS get access to if integrated with other, currently used tools?
A. In which country do CMSs and plug-ins store said personal data?
V. If outside the EEA, do the terms and conditions include the EC Standard Contractual Clauses or a Privacy Shield Certification Clause?*
VII. Which third parties would get access to this data?
A. Where do these third parties store their data?
B. If outside the EEA, do the terms and conditions include the EC Standard Contractual Clauses or a clause referring to an Adequacy Decision by the Commission, such as the Privacy Shield Certification Clause?*
*It remains to be seen if these survive the Schrems II ECJ case, but currently they are the preferred mechanisms of ensuring the personal data remains safe.
Once you know the answers to these questions, you can become GDPR compliant if you disclose this information to the visitors of your site and ask their consent to proceed with the processing, in the same manner as in the following paragraph under I and III.
3. Cookies and other tracking technology
Cookies are small files that are downloaded and stored on a computer or smartphone when visitors access a website. Once these files are downloaded, the cookie owner (the owner of the domain the cookie leads back to) can then recognise the same device over time, and collect and store further information about the user’s preferences, behaviour, or past actions (such as downloading a whitepaper). Cookies and similar technology are a major part of each website.
What you need to do is find out what cookies you use, who exactly sets them, and why. To accomplish this, you can use a tool, or, if you’re up for the task, do it manually.1
In the pre-GDPR era, businesses that used websites aimed at EU visitors were required to simply give notice about the website using cookies. Since the enforcement of GDPR, this has changed substantially. So what is needed to make sure your website is compliant? It needs to:
I. Inform visitors about what tracking technologies are used through the website, what data it collects, and for which purposes. Furthermore, it should inform visitors about their rights concerning the data being tracked, like deletion, modification and access/portability.
II. Keep all but strictly necessary cookies from loading until the visitor has given consent.
B. ‘Strictly necessary’ means essential to provide a service explicitly requested by the visitor and does not mean essential for your own purposes, like analytics.
III. Enable visitors to withdraw their consent at any moment.
IV. Include a log, with all given consents.
V. Enable visitors to reject all but strictly necessary cookies and still use the website.
HubSpot has its own consent banner for these purposes. It allows for consent by positive action, consent withdrawal, includes a consent log, as well as options for deletion, modification and access/portability. It currently does not allow for visitors to select preferences for cookies with different purposes in the same banner and the cookie banner only applies to HubSpot cookies. HubSpot is unable to control the cookies placed by other scripts on your website. Some plug-ins for Wordpress, Drupal and Joomla function in a similar way to HubSpot's banner. Many cookie plug-ins for WordPress, Drupal, and Joomla, that explicitly claim to make your website GDPR compliant, actually do not do this. It is important you check the functionality they provide meets the requirements set out above.
It is also key that you always check which cookies and similar technologies are loaded by your website when visitors give consent, and which ones when they decline it. This might seem like an open door, but you’d be surprised how many websites have a consent banner that doesn’t do what it is supposed to.
Finding the perfect content management system that satisfies all website privacy requirements is a futile search. As open-source software, Wordpress, Joomla and Drupal have a lot in common. At the same time, there are a lot of differences, making them ideal for distinct target groups. HubSpot’s CMS is a different beast entirely. For that reason, this CMS comparison presents no clear winner, but instead outlines the characteristics of the systems, and how to weigh them on the privacy scale.
The choice is now up to you. You need to take a look at the features and capabilities of each CMS and then decide which is most suitable for your particular needs.
1In case you want to check your cookies manually, you will need to start up a new incognito window and visit your website. Open the Developer Tools. Depending on your browser this can be done in different ways. For Google Chrome go to View > Developer > Developer Tools or CMD + ALT + I on Mac or F12 on Windows. On Firefox go to Menu > Developer > Toggle Tools.
Now open the tab called ‘application’ and check the cookies for each individual page. Usually the cookies have names that resemble the party that sets them. HubSpot, for instance, mostly uses names which include ‘hs’. You can also check the what the domain cookies lead back to and the period they will be stored on devices. Additionally, you can search the cookie names to find specific information about them, reach out to the developer who helped build the website, or even to the cookie provider, and seek further information.