The impact of GDPR on your Sitecore solution

The goal of this topic is not to take a deep dive into the legislation. Sidewalk is a technology-focused company. That is why we identified all the features, interfaces and areas that are directly or indirectly linked to websites based on Sitecore.

On May 25, 2018, the GDPR legislation will enter into force. GDPR stands for General Data Protection Regulation and is all about the management and security of personal data of EU citizens. As an organization, you should be able to demonstrate which personal data you capture, how you use the data and how you secure it. Next to that, you have probably heard of the ‘right to be forgotten’. In big organizations, it is also mandatory to appoint a DPO (Data Protection Officer).

Impact on Sitecore

In terms of documentation and organization, your website should contain a privacy statement page and a page with the contact details of your DPO. In case of a data breach, every organization should have a procedure in place that allows it to notify the public. One could do this, for example, by showing a pop-up to all incoming visitors.

Organizations should also think of interfaces where individuals can:

- Opt-in / opt-out
- Adapt the frequency or period to receive e-mails
- Access personal data
- Correct personal data
- Alter the right to restrict personal data processing. From a Sitecore perspective, this would mean that individuals should be able to deactivate user journey tracking.
- Right to be forgotten

Sitecore Experience database

Let us zoom into this last point: ‘the right to be forgotten’. In the Experience Database from Sitecore, all individuals’ declared and undeclared data is captured and stored. When an individual asks ‘to be forgotten’, you should have a process in place that erases the profile from the Experience Database. This feature should be custom built by your Sitecore partner. In most cases, a website is linked to a CRM or ERP system. The personal data should also be removed in these locations. Secondly, GDPR expects organizations to be able to provide individuals with an extract of their data in a readable format. Finally, the Experience Database should only be accessible to employees who need access to fulfill their job description. This can be achieved by allocating the right permissions to Sitecore back-end users.

If you want to know more about this topic, feel free to contact Sidewalk so we can help your organization get your Sitecore solution to comply with GDPR. Do not wait too long: the clock is ticking.