The goal of this topic is not to take a deep dive into the legislation. Sidewalk is a technology-focused company. That is why we identified all the features, interfaces and areas that are directly or indirectly linked to websites built on Sitecore.
Impact on Sitecore
In terms of documentation and organization, your website should contain a privacy statement page and a page with the contact details of your DPO. Every organization should also have a data breach procedure in place: under the GDPR the supervisory authority has to be notified within 72 hours of becoming aware of a breach, and the affected individuals have to be informed without undue delay when the breach is likely to result in a high risk to them. Requests from individuals (access, correction, erasure) have to be answered within one month.
Organizations should also provide interfaces through which individuals can:
- Opt in to or opt out of e-mail communication
- Access their personal data
- Correct their personal data
- Request to be forgotten
Sitecore Experience database
Let us zoom in on this last point: 'the right to be forgotten'. In the Sitecore Experience Database (xDB), all of an individual's declared and undeclared data is captured and stored. When an individual asks 'to be forgotten', and the request is legitimate, you should have a process in place that irreversibly anonymizes the profile in the Experience Database. In versions before Sitecore 9 this has to be custom built by your Sitecore partner; Sitecore 9 ships an out-of-the-box feature for it. Keep in mind that in most cases a website is linked to a CRM or ERP system, and the personal data has to be 'forgotten' there as well, so the erasure process must cover every system the data was copied to, not only xDB.
Secondly, the GDPR expects organizations to provide individuals with an extract of their data in a readable format (the right to data portability). In Sitecore 9 there is a feature available to execute this.
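As an added example that is not part of the original post or of Sitecore's own code, the following C# snippet shows what the erasure step of such a process looks like when built on the Sitecore 9 xConnect Client API. It assumes the code runs inside a Sitecore process (so `SitecoreXConnectClientConfiguration` is available), that the contact was identified with a site-specific identifier source named "Website" (an assumed name) and an e-mail address as identifier, and that the method is called from whatever workflow validates the request first. Anonymizing the CRM or ERP copy of the data is a separate step that this snippet does not perform.

```csharp
using System;
using Sitecore.XConnect;
using Sitecore.XConnect.Client;
using Sitecore.XConnect.Client.Configuration;
using Sitecore.XConnect.Collection.Model;

// Added example, not from the original post and not Sitecore's own code.
// Anonymizes a single xDB contact after a validated "right to be forgotten" request.
public static class RightToBeForgottenService
{
    // Assumed identifier source; use the source your site registers contacts with.
    private const string DefaultIdentifierSource = "Website";

    // Returns true when the contact is anonymized (now or earlier), false when
    // no contact with that identifier exists in xDB.
    public static bool Execute(string emailIdentifier, string identifierSource = DefaultIdentifierSource)
    {
        if (string.IsNullOrWhiteSpace(emailIdentifier))
        {
            throw new ArgumentException("An identifier is required.", nameof(emailIdentifier));
        }

        using (XConnectClient client = SitecoreXConnectClientConfiguration.GetClient())
        {
            var reference = new IdentifiedContactReference(identifierSource, emailIdentifier);

            // Expand only the ConsentInformation facet: it is enough to detect a
            // request that was already executed, and the operation is not reversible.
            var options = new ContactExpandOptions(ConsentInformation.DefaultFacetKey);
            Contact contact = client.Get<Contact>(reference, options);
            if (contact == null)
            {
                return false; // nothing stored for this person in xDB
            }

            ConsentInformation consent =
                contact.GetFacet<ConsentInformation>(ConsentInformation.DefaultFacetKey);
            if (consent != null && consent.ExecutedRightToBeForgotten)
            {
                return true; // idempotent: already anonymized
            }

            try
            {
                // Removes PII-sensitive facets and identifiers and flags the contact
                // as forgotten; interaction history remains but is no longer
                // attributable to a person.
                client.ExecuteRightToBeForgotten(contact);
                client.Submit();
                return true;
            }
            catch (XdbExecutionException)
            {
                // Surface the failure to the caller so the request is retried or
                // escalated rather than silently marked as done.
                throw;
            }
        }
    }
}
```

The check on `ExecutedRightToBeForgotten` makes the operation safe to re-run, which matters because an erasure workflow that touches xDB, a CRM and an ERP will fail partway through at some point and has to be resumable. Log the fact that a request was executed (with a request ID, not the personal data) so you can demonstrate compliance afterwards.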
Whenever you have a form on your website, take into account that you may only ask for the data that is necessary to fulfil the request (data minimization). In addition, you should tell visitors why you are requesting this data and how you are going to use it.
Finally, the Experience Database should only be accessible to employees who need that access to do their job. This can be achieved by assigning the right roles and permissions to Sitecore back-end users, following the principle of least privilege, and by reviewing those assignments regularly.