Sitecore & GDPR

By Luke Stephenson

On 25th May 2018, Europe's data protection rules will undergo substantial changes with the introduction of GDPR (European General Data Protection Regulation). 

At a very high level, the changes in law from the previous 1995 directive will affect how organisations are required to handle their customer information.

GDPR introduces both a number of rights for individuals and obligations for businesses. Any organisation that holds the personal data of individuals living in the EU will have to comply…and yes, it’s likely that we’ll still have to comply even after Brexit takes place. 

So, if you store any information that can be used to directly or indirectly identify an individual, including but not limited to customers' names, photos, email addresses, credit card details or IP addresses, you'll need to pay attention to the new rules.

We should also mention that this isn't just website or app related: if you store customer information in technologies such as your CRM platform or email marketing application, the rules still apply!

There are a plethora of posts detailing the intricacies of GDPR and what it means for businesses. For more information on how to prepare for GDPR, you might like to follow this guide which has been produced by the ICO. This post will focus more specifically on how Sitecore can help its users comply with the changes in legislation. 

Using Sitecore to comply with GDPR

The GDPR rulebook contains over 200 pages of information. As such, the following list of changes isn’t an exhaustive one, but it does cover some of the more pertinent issues that you might want to consider as a Website Owner or Marketing Professional:

Any organisation that is storing someone's personal details must explicitly ask that person for consent, as well as explain why they want to store that information. As an example, it's no longer acceptable to have a pre-filled checkbox at the end of your website forms, automatically opting customers in. Website visitors must now tick that box themselves. There are further rules covering how consent is obtained if you're communicating with minors.

Organisations must be able to tell individuals why and where their data is being stored. In Sitecore, Personally Identifiable Information (PII) is stored in xDB, the User Membership Database, and your indexing provider (Solr, Lucene, or Azure). Do make sure that your Privacy Policy, Cookie Policy, and Terms & Conditions reflect that information where required. It might also be wise to add an email link to your privacy policy that enables customers to submit a request for the personal data you hold about them.

Individuals will have the right to request all the data that a company holds about them. Furthermore, they will also hold the "right to be forgotten". In other words, they can demand that a company deletes all their personal information and stops sharing their information with third parties.

Interestingly, if an individual does submit a request for all of the PII that the company has on file about them, the company must be able to provide electronic copies of the data in response. Sitecore is currently in the process of building tools to help its users deal with this scenario more efficiently, and we'll aim to provide more information on that as soon as we know more. For now, what we can say is this:

Sitecore 9 already makes it easier to separate PII from general non-identifying information through the use of a tagging feature. Those who use that tagging facility consistently will subsequently find it easier to report upon, and delete, a specific individual's PII!

It may be the case that not every software system you use has been built in-house, but it's your responsibility to ensure that the systems you do use are compliant. So if you use Google, Salesforce, Mailchimp or any other similar system alongside your Sitecore platform, check out their policies! If you use Sitecore 9, all data being transmitted to third-party systems will have to flow through Sitecore's xConnect module, meaning there is only a single integration point to keep an eye on!

If you store personal information, you’ll be required to assign a Data Protection Officer (DPO) within your organisation. While the Sitecore platform can’t do much to help with finding someone capable of filling the role, it can certainly make the DPO’s life easier by implementing the suggestions made in this post! 

Audit your Sitecore system to ensure GDPR compliance

Our Sitecore Audits allow us to dive in and analyse your Sitecore platform at both code & customer level. At the end of the Audit, you'll receive a digestible report which details our findings, along with costed recommendations for fixes and optimisations. It’ll also provide direction on GDPR compliance issues!

Get in touch to organise a Sitecore Audit
