GDPR – How Sitecore gets around it

GDPR – General Data Protection Regulation

GDPR (General Data Protection Regulation) is a regulation on data privacy and protection for all individuals in EU. These individuals will have better control over the personal information being shared by them. This regulation is applicable to any company that process the data of EU residents irrespective of its location. The risks of not complying with GDPR is very high – fine of €20mn or approximately 4% of the company’s annual turnover. That is the price you pay for non-compliance!

There are several rights introduced with GDPR

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to object
• The right to restrict processing
• The right to data portability
• Rights in relation to automated decision making and profiling

Business Implications – Chink in the armour

As far as any business is concerned, processing data, managing and handling it is part of the business cycle. However, with GDPR, this process will be under scanner for any violation or improper control over the data. GDPR would ensure that company-wide compliance is followed as it will affect all the domains of a business.

CMS – Where does it find itself

CMS contains basically tons of data over the years the company has been active. There will be a lot of data transactions and campaigns stored over multiple projects and processes. This data, some very crucial, while some unused, will be present in every nook and corner of any CMS. There will be data present in databases, forms, commerce, user accounts & indexes to name a few. This is an era of data-driven organizations and CMS finds itself at the heart of it. As anybody would have figured out by now, GDPR is going to drastically change the landscape of CMS in businesses. And CMS needs to adapt to this change. This change is not possible overnight; Companies need to get under the hood of CMS and analyse all the data flow with entry/exit points.

Sitecore 9 – GPDR Support

Luckily, the good guys at Sitecore had GDPR in mind while developing the latest release of Sitecore i.e. Sitecore 9. There have been many features and mods inculcated, that support the GDPR rights –

• Privacy by Design –

  Sitecore 9 follows design-by-privacy approach. With this it provides multiple data protection control features:

  1. It provides companies to choose how to identify PII (Personally Identifiable Information) and select how it will processed or configured
  2. Data is secured in database by encryption and not used by any other processes
  3. The default settings of the PII data has its indexing disabled by default
  4. Protecting the PII throughout the product lifecycle
• Right to erasure (Right to be forgotten) –

  Sitecore 9 can completely render a contact anonymous but maintain a referential integrity with the database. Hence, it provides an alternative to deleting a contact from the database. It deletes all the personal identifiers such as values or attributes pointing to the contact. This is done using ExecuteRightToBeForgotten method.

• Sitecore xConnect & xDB –

  In Sitecore 9, data is totally encrypted in xDB – be it in transit or at rest. The ‘right to access’ when exercised by a customer, Sitecore xConnect with a dedicated API would fetch all the details of the customer profile in a readable format.

• ‘Do Not Market’ –

  Customers also have the right to call off their consent to receive any marketing information. This is implemented by DoNotMarket method wherein only transaction/service emails would be sent but none related to marketing. With this, it becomes very easy and simple for end users to unsubscribe to the undesired mails.

• Opt-in/out & EXM (Email Experience manager) –

  In addition to above, customers would be able to choose whether to let their stored data be processed or not. This is their ‘right to restrict processing’. Hence, opt-ins cannot be automated with a default ‘Yes’ like before but needs to be specified by the customer. For opt-out, EXM has a feature of global opt-out functionality.

• Sitecore Content Editor –

  It can be used to display a company’s privacy policies and enables a sense of transparency within the data processing. This follows the ‘right to be informed’.