How Sitecore can help you comply with GDPR
Digital marketers should be aware that the deadline for being GDPR-compliant, May 2018, is fast approaching.
But what is GDPR? There is a wealth of information online and it can be quite confusing to someone trying to understand it for the first time. The Information Commissioner's Office (ICO) can be seen as the definitive guide, but we have looked to boil down some key principles for quick reference.
The General Data Protection Regulation Act aims to give individuals more control over their personal data.
The increased control for individuals comes in the form of new rights.
These rights will affect any organisation that processes personally identifiable information (PII) for citizens of the European Union (EU) or European Economic Area (EEA).
The effects of GDPR on businesses mean that in many cases organisation-wide changes will have to take place. In fact, you’ve probably already made plenty of adjustments.
But have you considered the impact of GDPR compliance within your Sitecore Experience platform? What about all those different data entry points that customers interact with every day? You likely have a back-catalogue of customer data, potentially going back years. The thought of opening up all that history in order to comply with a new law can be daunting.
But fear not – Sitecore 9 has a number of privacy features that can assist in handling data in line with the General Data Protection Regulation. Some of these features are available in Sitecore 8.2 and previous versions.
Every institution that processes data, such as a business, will become a ‘controller’ under GDPR law. Each ‘controller’ institution must designate someone within the organisation structure to ensure data protection compliance. This may involve formally designating someone as ‘data protection officer’, which can be an in-house member of the organisation.
The right to be informed is one of the key individual rights being introduced from May 2018. In short, this means that companies, or data ‘processors’ as they are known under the act, will now have to communicate transparently to their customers what data they collect and how they collect it.
Using Sitecore’s Content Editor you can update and present your various policies to be clear on the data you collect and how you process it, allowing you to achieve full transparency on how you’re going to use customer data.
This transparency is particularly important when considering your personalisation strategy and which affirmative actions by users lead to the collection of PII within the Sitecore xDB.
Under GDPR law, customers will also have ‘the right of access.’ Any personally identifiable information held by an organisation can be accessed by request. If you’re processing or storing any customer data, you should be prepared to be able to provide that data back to the customer in question, if asked.
Sitecore xConnect has a dedicated API that lets you retrieve a complete contact profile for your customers. This provides many opportunities to offer either back-office or self-serve options for users to access their data, and it also gives you several ways to support the rights to rectification, portability and erasure in full.
The nature of what you need to do will depend on your organisation, but there are many options that can ensure a good user experience as well as regulatory compliance. As an example, depending on the functionality you offer to your clients, there’s the opportunity to introduce forms for updating PII.
Sitecore also has the capability to irreversibly anonymise personal data, leaving previously sensitive data permanently unidentifiable. With the ‘right to be forgotten’ a real element of GDPR law, this is a feature that is essential for full compliance.
From May 2018, individuals will now have the right to restrict processing, which essentially means that your customers have the right to choose whether or not their data is used or ‘processed’ once it has been stored.
This translates to opt-in marketing lists. Opt-in can no longer be automatic, nor can a consent box be pre-ticked. It must now be a deliberate choice that comes from the individual.
Sitecore’s Email Experience Manager (EXM) comes equipped with a global opt-out list feature. This tool lets you disable marketing communications across chosen sections of your customer base.
Every business and website build is different. Being prepared in the way you handle and organise sensitive customer data through Sitecore is only one small aspect of the overall GDPR picture. So although ensuring one area of your business is secure is a great step towards GDPR compliance, it isn’t the complete picture. Auditing every area of your business, as we do with your Sitecore setup, will go a long way towards keeping you compliant.
As Sitecore experts, we can offer a GDPR Sitecore audit, diving into your code and highlighting areas where improvements can be made to help your business comply with the incoming law. Besides this, we can also offer advice if your website’s data is integrated with other systems such as CRM applications and third-party platforms.
Time is running out with the 25th May on the horizon, and while there are many different organisation-wide improvements and changes that can be made, we can help you use Sitecore to better prepare your business for GDPR digitally.
Don’t be left behind, get in touch with us for a GDPR audit today.