GDPR: Accountability and transparency

This May will see the implementation of the European General Data Protection Regulation (GDPR), a move to harmonise data protection law across the EU. It is intended to bring greater accountability and transparency to businesses which hold personal data.

This applies to essentially all businesses that handle personal data flows, for example using and maintaining individuals’ data for membership records or any sort of marketing correspondence. It applies not only to digitally held data but to any records kept on paper too.

The biggest change which GDPR brings is around consent. Currently, implied consent is enough. Under GDPR, consent must be freely given, specific, informed and unambiguous – with a positive opt-in option offered.

Accountability is also key: businesses must be able to show how they have complied with the new regulations, knowing where data has come from, where it is kept and with whom it is shared.

The costs to a business of not complying are increasing substantially. Currently, the maximum fine is £500,000. Post May 2018, it will be 4% of a business’s global annual turnover or €20 million, whichever is greater.

If your business is using a Sitecore platform for its website, then you’re probably a savvy marketer who relies on holding and using customer data on a daily basis – whether that be email addresses, IP addresses or contact details. But Sitecore has taken this new legislation onboard and, as a Sitecore Partner, Lake Solutions is working with our customers to help them with this vital GDPR compliance requirement.

Sitecore XP 9, the latest upgrade, which was released last year, has mechanisms built in for managing personally identifiable information (PII) ahead of GDPR.

According to a recently published Sitecore white paper: “The Sitecore XP can provide a consolidated view on the totality of every interaction your end customers have with your brand, accessible in one place, and can provide you a full, granular audit trail of what, where, how, and when you collected and stored all end-customer related data, down to the individual level.”

Among the requirements of GDPR is a customer’s ‘right to erasure’ or the ‘right to be forgotten’ – meaning that individuals may request you delete or remove their personal data. To support this, Sitecore has a feature ‘Execute Right To Be Forgotten’ which irreversibly anonymises an individual’s data, so that the data is no longer identifiable.

Under GDPR, individuals also have a ‘right to access’ and Sitecore xConnect allows you to retrieve a full contact profile for each end customer. You can specify whether you wish to retrieve all known data about the contact, including their full profile and historical behaviour. Individuals also have a right to obtain and reuse their personal data for either their own use or for a different service. Again, Sitecore xConnect allows you to do this.

As we mentioned at the beginning of this blog, one of the key aspects of GDPR is transparency: you must be transparent about what you collect from customers and how you use it. Using the Sitecore Content Editor, you can define and manage your privacy policies as versioned content and present them to your end customers as part of your solution.

If you’re assuming that, if Brexit goes ahead, none of this will affect you, think again… The intention is for the UK to continue to receive personal data flows and maintain its ability to share data with EU members and internationally post any Brexit deal.

If you’re worried about complying with GDPR through Sitecore, get in touch with us.

Article Details

Ian Jepp
12 April 2018