It’s now been over a year since I have had the opportunity to work with Sitecore in a hands-on capacity. As you may or may not know, Sitecore has continued to make it into the top right-hand corner of the Gartner Magic Quadrant.
Sitecore has a huge amount of functionality and is, in my opinion, one of the most functionally rich and scalable content management platforms out there. More importantly, it comes with a number of key features that can be leveraged for GDPR compliance.
A key feature of Sitecore is that it personalises content for its users, and it can do so at a very granular level. Features such as displaying the most relevant content make Sitecore a pleasure to use. On the other hand, I feel that many people might be under the misconception that by utilising Sitecore’s marketing features they will not be GDPR compliant.
The following are the key points that support my view that, with good configuration, it is perfectly straightforward to become compliant.
- Since version 8.2, IP addresses are anonymised by hashing before they are stored, or there is the option not to save the IP address at all and to rely on a cookie on the visitor’s machine instead. Obviously the cookie would need to be disclosed in the website privacy statement.
- With xDB there is a way to find, update and remove the personal data that has been collected. This is great for handling the right to rectification and the right to be forgotten.
- EXM supports double opt-in and identity verification, and there is a sophisticated List Manager.
- There are built-in, configurable audit logs to prove that data has been added, updated or deleted, and one can choose how long these logs are kept. More importantly, they can serve as proof that data was actually deleted.
- The Data Exchange Framework, for integration with other systems, is a powerful way to synchronise changes, including bidirectional sync, so that a rectification or erasure can be propagated to the connected systems.
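The first bullet is worth a closer look, because “hashed” and “anonymised” are not the same thing. The example below is added here and is not Sitecore code; it does not describe how Sitecore itself hashes addresses. It contrasts three ways of handling a visitor’s IP before storage: truncating it (irreversible, so genuinely anonymous), hashing it with plain SHA-256 (reversible by enumerating candidate addresses, since IPv4 has only 2^32 values), and hashing it with an HMAC under a secret key (pseudonymous: linkable while the key exists, unlinkable once the key is destroyed, which is a convenient way to honour erasure in bulk). The key, the sample addresses (from the RFC 5737 and RFC 3849 documentation ranges) and the attacker’s guess list are all constructed for the example.

```python
"""Added example (not Sitecore code): three ways of handling a visitor's IP
address before it is stored, and why an unkeyed hash is not anonymisation.
Sample addresses are constructed from the RFC 5737 / RFC 3849 documentation
ranges."""
import hashlib
import hmac
import ipaddress
from typing import Callable, Iterable, Optional

# Hypothetical secret kept outside the analytics database (e.g. in a key
# vault); constructed for this example. Rotating or destroying it unlinks
# every stored pseudonym at once.
PSEUDONYM_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def anonymise_ip(ip: str) -> str:
    """Truncate an address so it no longer identifies one host:
    IPv4 keeps the /24 prefix, IPv6 keeps the /48 prefix.
    Irreversible, so this is anonymisation rather than pseudonymisation."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_interface(f"{ip}/{prefix}").network.network_address)


def hash_ip_plain(ip: str) -> str:
    """Unkeyed SHA-256 of the address. Looks opaque but is reversible by
    enumeration: the whole IPv4 space is only 2**32 candidates."""
    return hashlib.sha256(ip.encode()).hexdigest()


def hash_ip_keyed(ip: str, key: bytes = PSEUDONYM_KEY) -> str:
    """HMAC-SHA-256 of the address under a secret key. Without the key an
    attacker cannot test candidates, so this is pseudonymisation: linkable
    while the key exists, unlinkable once the key is destroyed."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def recover_ip(digest: str, candidates: Iterable[str],
               hash_fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: rehash every candidate with hash_fn and compare.
    Returns the matching address, or None if no candidate matches."""
    for cand in candidates:
        if hmac.compare_digest(hash_fn(cand), digest):
            return cand
    return None


def addresses_in(cidr: str) -> Iterable[str]:
    """Every address in a network, as strings: the attacker's guess list,
    e.g. the range belonging to the visitor's ISP."""
    return (str(a) for a in ipaddress.ip_network(cidr))


if __name__ == "__main__":
    visitor = "203.0.113.77"  # constructed sample (RFC 5737 range)
    stored_plain = hash_ip_plain(visitor)
    stored_keyed = hash_ip_keyed(visitor)
    print("truncated :", anonymise_ip(visitor))
    print("plain hash:", stored_plain[:16], "...")
    # An attacker who guesses the visitor's /16 reverses the plain hash
    # after at most 65536 SHA-256 calls.
    print("recovered :", recover_ip(stored_plain, addresses_in("203.0.0.0/16"), hash_ip_plain))
    # The same search against the keyed hash fails without PSEUDONYM_KEY.
    print("keyed     :", recover_ip(stored_keyed, addresses_in("203.0.0.0/16"), hash_ip_plain))
```

Whichever option a platform offers, the practical check is the same: ask whether someone holding the stored value and a list of plausible addresses could get the original back. If they can, the value is personal data and belongs under the same retention, access and erasure controls as the rest of the profile.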
Further, Sitecore can be run on infrastructure that is GDPR compliant: there is the option to use mLab for the xDB (MongoDB) database, and as it is delivered as SaaS, encryption of data at rest and in transit is provided as standard with both the Amazon and Google cloud hosting options. Bear in mind that a compliant host does not by itself make your deployment compliant; as the controller you remain responsible for how the data is used, so verify the encryption, data-residency and deletion guarantees in the supplier’s contract rather than assuming them.
I am really getting into Sitecore and am excited about its capabilities, so I am devoting more time to learning about this amazing customer experience solution.
The GDPR (General Data Protection Regulation) is a set of rules reforming privacy and data protection regulation that takes effect on 25 May 2018. There are severe penalties for breaching it: fines can reach 20 million euros or 4% of annual global turnover, whichever is higher. We can look at this either as a pain in the backside or as an opportunity.
Why is GDPR regulation necessary?
GDPR defines personal data as any information that can be used to directly or indirectly identify a person: names, photos, email addresses, bank details, posts on social networking websites, medical information, or even IP addresses.
Since the previous data protection rules were drafted in the 1990s, Internet usage has become a great deal more widespread, and technological advances such as cloud storage and social media have changed the way data is processed and transferred. The rules needed updating, they needed to be uniform, and they needed to be applied more rigorously.
- Appoint one of your directors to be accountable. This person should be suitably competent to handle the technicalities involved, and it’s worth considering where you want the accountability to fall: with IT, legal, marketing or elsewhere.
- Ensure you have safeguards in place: procedures to ensure data is confidential, accurate, available when necessary, backed up and encrypted.
- Ensure your suppliers are GDPR compliant. Any service provider you use to process data has to comply with GDPR standards, and ensuring they do is on you.
- Ensure your customers, clients or website users have explicitly consented to their data being stored. This is a significant change, and most current measures are not sufficient. Your records need to prove that users have agreed to you storing their data; silence or a failure to object is not consent. Crucially, users will also have a statutory right to have their data erased permanently from your records, so you’ll need the capacity to do that too.
- Ensure you’re explaining to users, in plain language, what data you’re holding, how long you’re holding it for, and how they can withdraw their consent. Your policy has to be simple and appropriate, as well as containing all the required information.
- Report breaches. Under GDPR, a personal data breach that is likely to put individuals’ rights and freedoms at risk must be reported to the supervisory authority (the Information Commissioner’s Office in the UK) within 72 hours of becoming aware of it. You’ll need a robust process for detecting, reporting and responding to data breaches.
- Be prepared for more access requests. As people become more aware of their data privacy rights, they are likely to query the data you’re holding, and you’ll need to turn those requests around in good time.
- Ensure that any IT or marketing project has a process in place to screen against GDPR requirements, e.g. user stories in Agile projects, or risks highlighted and mitigated in IT projects.
Key steps for preparation
- Awareness: create the necessary user stories for Agile projects and make GDPR part of the requirements for all new projects. Log it as a risk in each project and make sure it is mitigated.
- Keep track of all personal data you hold and where it came from. From a website perspective this could be:
  - Contact Us forms
  - Event signups
  - User registration
  - Orders / donations, if e-commerce is enabled
  - Sharing / comments on blogs
- Update your privacy statement, incorporating how individuals’ rights will be adhered to.
- Check that the following rights of individuals are addressed:
  - the right to be informed;
  - the right of access;
  - the right to rectification;
  - the right to erasure;
  - the right to restrict processing;
  - the right to data portability (NEW);
  - the right to object;
  - the right not to be subject to automated decision-making, including profiling.
- If storing data, particularly in the cloud or with external suppliers, make sure the data is:
  - Encrypted at rest and in motion; use HTTPS whenever details are submitted.
  - Protected by encryption keys that are managed by your organisation rather than solely by the SaaS vendor, where the platform supports customer-managed keys.
  - Held by SaaS offerings that you have evaluated individually for GDPR compliance.