On 25 May 2018 the GDPR legislation will enter into force. GDPR stands for General Data Protection Regulation and is all about the management and security of the personal data of EU citizens. As an organization, you should be able to demonstrate which personal data you capture, how you use that data and how you secure it. Next to that, you have probably heard of the ‘right to be forgotten’. In data-driven organizations, it might even be mandatory to appoint a DPO (Data Protection Officer).
Impact on Sitecore
In terms of documentation and organization, your website should contain a privacy statement page and a page with the contact details of your DPO. In case of a data breach, every organization should have a procedure in place that allows it to notify the affected users within 30 days.
Organizations should also think of interfaces where individuals can:
- Opt in to / opt out of e-mail
- Access personal data
- Correct personal data
- Request to be forgotten
Sitecore Experience database
Let us zoom in on this last point: ‘the right to be forgotten’. In Sitecore's Experience Database, all of an individual's declared and undeclared data is captured and stored. When an individual asks ‘to be forgotten’, and the request is legitimate, you should have a process in place that irreversibly anonymizes the profile in the Experience Database. In earlier versions this feature has to be custom built by your Sitecore partner; in Sitecore 9 there is an out-of-the-box feature available to make this happen. Keep in mind that in most cases a website is linked to a CRM or ERP system, and the personal data should also be 'forgotten' in those locations.
Secondly, GDPR expects organizations to provide individuals with an extract of their data in a readable format. In Sitecore 9 there is a feature available to execute this.
Whenever you have a form on your website, take into account that you may only ask for the data that is necessary to fulfil the request. Next to that, you should also indicate to visitors why you are requesting this data and how you are going to use it.
Finally, the Experience Database should only be accessible to employees who need access to fulfil their job description. This can be achieved by allocating the right permissions to Sitecore back-end users.
If you want to know more about this topic, feel free to contact Sidewalk so we can support your organization in getting your Sitecore solution to comply with GDPR.