TYPO3 updates and GDPR: Why "running after all" is expensive
"The website is still running" can be expensive: The GDPR makes TYPO3 updates a legal obligation. Those who operate outdated systems risk severe fines.
Note: I am not a lawyer, but a TYPO3 integrator. This article reflects my assessment of the legal situation, but does not replace legal advice.
"The website is still running" - I hear this sentence regularly when it comes to TYPO3 updates. Customers often don't understand why they should spend money on something that doesn't seem to bring any visible benefit. Unfortunately, both customers and some agencies overlook an important detail: the GDPR turns updates from a "nice idea" into a legal necessity.
What the GDPR really requires
The GDPR does not explicitly stipulate that you must always use the latest TYPO3 version. That would also be unrealistic - not everyone can manage a major update every 1.5 years. But it does require something else: the "state of the art" (Article 32).
In concrete terms, this means that your system must be as secure as is reasonably possible. And this is where it gets interesting for all those who like to postpone updates.
The moment when "it works" becomes a problem
Imagine this: You are running a TYPO3 installation for which there have been no security updates for two years. Then what was bound to happen at some point happens - an attack via a known security vulnerability. Customer data is gone, you have to report the incident within 72 hours (Article 33) - and the responsible data protection supervisory authority takes action.
Now "we saved money" quickly becomes "we should have invested". Because the authorities don't ask whether the update would have been expensive. They ask whether you acted negligently. And anyone who operates a system with known security vulnerabilities can be judged negligent from their point of view.
The expensive truth about saved updates
Here are the dimensions we have to reckon with:
Fines: Up to 20 million euros or 4% of annual turnover - whichever is higher. Sounds like a problem only for large corporations? Small companies can still quickly receive four- to five-figure fines (Article 83).
Compensation: Affected persons can claim individual compensation. This adds up in the event of a major data leak.
Reputational damage: If it becomes known that your systems were insecure, trust is lost. Customers switch providers, orders are lost.
That suddenly makes a 3,000 euro update a bargain, doesn't it?
What many people overlook: It's about more than TYPO3
The GDPR requirements don't just affect the TYPO3 core. Extensions, PHP, the database and the web server must also be kept up to date. An outdated extension with a security vulnerability is enough to cause a problem.
This means that you need a maintenance concept for the entire system, not just for TYPO3 itself.
When do you really need to update?
Here's the good news: you don't have to install every new version immediately. The decisive factor is the support status:
- Is regular support still running? You have to install all security updates, but not a major upgrade.
- Is Extended Support (ELTS) still running? Same game, but you pay for support.
- No more support? Now it's getting critical. Upgrade is mandatory.
With TYPO3, you usually have several years to plan due to the LTS versions. Even longer with paid Extended Long Term Support (ELTS). But at some point, even the longest support period is over.
What agencies owe their customers
As an agency or freelancer, you have a responsibility. If you know that a customer system is insecure and say nothing, you could be partly to blame. You should:
- Educate: Inform clients about the risks of outdated systems
- Advise: Outline realistic upgrade paths
- Document: Record your advice in writing
If you just say "it works" and remain silent, you could be held liable later.
Tips for service providers
Convince customers without scaremongering: Don't talk about "GDPR compulsion", but about security and stability. Comparisons help: "Would you drive on the highway with worn tires?" Or show concrete examples of hacked websites in your industry. This usually works better than citing legal paragraphs. If that doesn't help, feel free to get out the "GDPR hammer" - some people only get it the hard way.
What to do with stubborn refusers: Document your consultation in writing. Send an email with a clear explanation of the risks and ask for written confirmation that the customer will refrain from updates despite the warning. This protects you legally. In critical cases (completely outdated systems with customer data), you should honestly check whether you need to terminate the support.
My advice: Make updates the standard process, not the exception. Plan maintenance budgets right from the start. And explain to your customers that security updates are not an option, but an obligation.
Because in the end, it's like a car: if you skip the inspection, you risk damage. With websites this happens more slowly, but the consequences can be just as threatening to your existence - customer data, reputation and hefty fines are at stake here.
The GDPR has turned the maintenance of your TYPO3 systems into a legal obligation. If you ignore this, you are playing Russian roulette - with your own business at stake.
Legal notice: The legal aspects presented here are based on my interpretation as a TYPO3 integrator. For binding legal advice on GDPR compliance and liability issues, please contact specialized lawyers for data protection and IT law.
Who writes here?
Hi, I'm Wolfgang.
Since 2006, I've been diving deep into the fascinating world of TYPO3 - it's not only my profession, but also my passion. My path has taken me through countless projects, and I have created hundreds of professional video tutorials focusing on TYPO3 and its extensions. I love unraveling complex topics and turning them into easy-to-understand concepts, which is also reflected in my trainings and seminars.
As an active member of the TYPO3 Education Committee, I am committed to keeping the TYPO3 CMS Certified Integrator exam questions up to date and challenging.
But my passion doesn't end at the screen. When I'm not diving into the depths of TYPO3, you'll often find me on my bike, exploring the scenic trails around Lake Constance. These outdoor excursions are my perfect balance - they keep my mind fresh and always provide me with new ideas.