GDPR Impact for Audience Manager

This post wraps up the SDL Tridion DX GDPR Blog Post Series with Audience Manager, the Tridion Sites product add-on most focused on contact management and personal data by giving options for managing user consent with the Audience Manager APIs, a review of Data Subject Rights, 

Managing User Consent

Depending on your scenario, the "subscription status" option in Audience Manager could manage explicit opt-in if Outbound Email is your main use case for processing personal data. To support more scenarios you can use custom fields with details note, classify, and organize contacts for certain types of data processing (e.g. email, website personalization, etc.).

You can then use this information to manage things such as:

  • Send the appropriate emails to the correct users based on Address Books
  • Use the Content Delivery API to adjust the website experience
  • Give contacts granular control over their preferences in a website form

Contact Management in the Content Manager

Audience Manager has Content Manager (CM) and Content Delivery (CD) APIs to manage contacts in the context of the back-end Content Management System (Content Manager Explorer) and contact in the web application session, respectively.

Use the CM API to automatically create, read, update, or delete contacts one-at-a-time or in bulk. This can help you with scenarios that involve multiple contacts. For example, you might want to delete contacts programmatically on a regular schedule, giving CMS users time to review deletion requests by contacts to support GDPR's "right to be forgotten."

Since customer data may reside in other systems within your organization or possibly controlled by other Data Processors you may choose to use the Audience Manager APIs to make any manual processes between these systems easier to manage.

Note that deletion is available only in the Content Manager, either done manually by CMS users or programmatically with the Audience Manager CM-side API. This is by design to give control of the final deletion to your organization.

Contact Management in Content Delivery

Use the CD API to read or change a contact's profile, providing the user information in a website page with their details where they can adjust opt-in settings. If preferred, you could also capture and record details such as time-stamps to help document your opt-in process for personal data processing.

The Ambient Data Framework can easily help you move data between systems or expose attributes in the context of a visitor's session. However, not all fields should necessarily be shown to website visitors. GDPR is especially interested in minimizing the use of personally identifiable information and special information to the amount needed.

Under GDPR you should give Data Subjects a way to request to restrict processing of their personal data. Though this could be a manual process (e.g. email Support to request your data). But if using Audience Manager, you should extend your contact profile to let Data Subjects make requests or changes themselves under GDPR Data Subject rights. The scenarios will depend on your implementation, but contacts should be able to opt out of communications and otherwise adjust how you use their personal data.

Note that historical email data is not impacted by deletions of contacts by design. These counts will continue to represent what was sent at the time and don't include personally identifiable information.

Data Subject Rights

The following table revisits several of the Data Subject Rights and adds considerations for audience manager. Where applicable, I've added additional tips, details, and screenshots 

Right

Considerations for the Audience Manager

Tips, Details, and Screenshots

Right to Notice

In your Audience Manager subscription model, be sure to explicitly inform the Data Subject (prospect, customer, etc.) of how any Personal Data will be used. You must provide a legal basis for using the personal data of data subjects, which could be via consent or through a legitimate interest.

As you present other scenarios such as the commenting feature to users, you should explain that their name and any details will be stored on your servers and public on the internet. You should also explain how users can modify, remove, or otherwise report on comments that they or others have made.

It might help pointing out that anonymous comments can only be removed, and perhaps only if they violate your terms of service, as it is difficult to identify the owners of such comments.

Manage such notices in SDL Tridion Sites in order to translate and localize the text to your visitor.

Right to Access

The right of access is comprehensive and extends beyond just SDL software and components such as SDL Tridion Sites, Audience Manager, Unified Delivery Platform (Content Delivery), the Ambient Data Framework, or Experience Optimization.

You must describe the purpose and type (category) of PD collected. To whom it has been disclosed to. How the Personal Data (PD) is safeguarded and retained.

For example, you may describe your NDA or data privacy policies in place with 3rd-party support vendors. Perhaps you have company policies that prevent you from sharing PD outside your company. Or perhaps you do share select PD with certain affiliate partners, as allowed by the Data Subject (DS).

Describe the source of any inferred or ambient data not inputted directly by a Data Subject. For example, websites can use GEO-IP lookup services to determine a location for a given IP address.

You can manually provide information to a given contact in a human-readable format (Comma Separated Value) through Audience Manager’s export feature. See Exporting Contacts on the SDL Documentation Center.
 Right to Withdraw Consent

Data Subjects give consent for the use of certain data for a given purpose. They can choose to withdraw consent.

How this impacts your implementation depends on how you’ve collected consent.

You may want to make sure your privacy statement and terms & conditions are properly trackable (e.g. by date, url, or some other identifier). Let your Data Subject easily find, review, and affirm/change their opt-in preferences for these purposes.

Make this opt-in/opt-out process granular to the extent that you use select sets of PD in different ways.

If using Audience Manager, subscription statuses include unsubscribed, subscribed (someone entered email), and opted-in as a double opt-in, confirmed by email.

When sending a mailing, e-mail is automatically only sent to Contacts who have confirmed an opt-in.

Audience Manager users could choose to send emails to users that have subscribed but not confirmed their interest or to contact unsubscribed users. Under GDPR these options should only be used when warranted (e.g. inform Contacts of a data breach or interact with them in regards to a contract).

You can additionally use Keywords to control more granular opt-in scenarios.

You may want to enable self-service features to let your customers control their privacy preferences, request their data, or request removal of their data.

See a sample subscription model on the SDL Documentation Center.

If using DXA, add such details to the login form module.

Right to Rectification

Your site should also be transparent in known data about its users.

Allow users the ability to modify such data. This is possible through Audience Manager forms/profile updates, for example.

Or you may use a separate database to gather and collect more information. It may help to record time-stamps and sources of information if you choose to consolidate or otherwise integrate multiple systems that work with PD.

Note some system keep data intentionally anonymize (e.g. Google Analytics). In these cases, it is near impossible to rectify individual records because it’s impossible to identify individual users in order to change them. This kind of use should be okay under GDPR.

 

Right to be Restriction of Processing

There are situations where you may need to restrict processing of personal data but not necessarily delete all the data for a given contact.

This can be handled through the active status in Audience Manager or custom metadata in other systems to identify such restricted contacts.

You can deactivate a contact which will prevent Contacts from receiving mailings while keeping the Contact in the Address Book allowing access to the Contact’s profile and Mailing response history.

Be sure to stop processing such restricted contacts which may include stopping emails to the contact and other activities related to their data such as personalization.

See Deactivating and deleting a Contact.

 

Right to be Forgotten

Customer data includes information beyond the scope of your content management system. However, Audience Manager can support a data subject's (your customer's) Right to be Forgotten by deleting the contact in Audience Manager.

You should have a process to let customers update and/or remove data related to them (“right to be forgotten”).

You can then choose to delete or remove most of the details from the contact. Retaining the record with the update that the right to be forgotten was exercised can serve as proof of the request.

UGC Integration

In order to allow users to control their display name or possibly modify or delete their comments, you will want to integrate with a system such as Audience Manager. The UGC API supports the modification or removal of comments, but this should be specific to the implementation.

 Children

In your Audience Manager implementation, consider adding fields to capture and store parental consent if soliciting information from Data Subjects under the age of 16 (or 13 depending on the member states that apply).

 

 

Data Sharing Policies and Procedures

In general, the majority of your website content is not related to personally identifiable information (PII) or has already been approved for public sharing (if published on your website).

However, you likely have personal data stored within the Audience Manager database. In this case, you may want to limit what data you share with third-parties.

You should have processes to anonymize personal data before sharing and/or secure permission from data subjects before sharing their data, regardless of the system. This can include anonymizing personal data that cannot be reconstructed to identify specific individuals.

When interacting with SDL Support or any other company, it is important you share only the data and systems needed to replicate and troubleshoot system problems.

Limited or Minimized Internal Access

Customers should minimize personal data use and visibility.

SDL Privacy officer Andrew Fisher notes: "Any attempt to minimize data collection and use is good security and organization as it reduces the risk."

Use Content Manager and Audience Manager authorization, field settings, and the column designer to limit and choose the visibility of contact details to select users in your organization. 

See Configuring Contact Detail fields. See Configuring Contact list columns, which can let you store additional data related to your contact for things like preference management. The Column Designer can limit the initial view of contact columns in contact lists.

Audience Manager Settings allow the ability to restrict visibility of contact fields from search and filtering or in the UI.

The Display options give administrators the ability to show fields everywhere, hide them in search and filtering, or hide them in the UI so that individual contacts do not show those specific fields.

By setting this example Telephone field to “Hide in the user interface,” it will not appear in the contact’s profile details.

Encryption

Protect data with either database encryption or two-way field encryption such that if leaked, the database is near impossible to decipher. Specifically, it is not required to notify if the Data Controller has implemented appropriate technical and organisational protection measures, and that those measures were applied to the Personal Data affected by the breach, in particular, those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.

  • For “data at rest,” you can encrypt the Content Manager’s database system, including the Audience Manager database, at the filesystem level.
  • For “data in transit,” be sure to use HTTPs for communication between server and client and between the Content Delivery microservices and the Discovery service.
  • Read more about Audience Manager security best practices.

Though Audience Manager additionally offers one-way field-level encryption in the case you may want to store passwords for your contact records, as a good practice we recommend using an identity provider to authenticate contacts rather than storing passwords in your systems.

SDL Privacy officer Andrew Fisher adds:

GDPR requires “appropriate security” and provides encryption as an example of an issue which ought to be considered.  Encryption is seen as a good security feature as it provides protection both when bad guys get into an IT environment ( external hackers and rogue staff) but also if the databases gets out of the secure environment.

For additional technical discussion on GDPR, see GDPR - A Practical Guide for Developers, which, like this post, doesn't guarantee compliance, but can give you context and practical examples.

This blog post series introduced GDPR in the context of content management and specific features and add-ons for the SDL Tridion DX suite, which includes SDL Tridion Sites and SDL Tridion Docs (formerly SDL Web and SDL Knowledge Center, respectively). We connected privacy terminology to online scenarios and revised the SDL Tridion DX features most likely impacted by the regulation. Ultimately GDPR compliance will be the responsibility of any organization that supports users in Europe.


 

These blog posts are meant to help SDL customers familiarize themselves with the concepts and high-level requirements of the General Data Privacy Regulation (GDPR). Following these recommendations can help organizations follow good privacy practices. But this should not be treated as legal advice or a comprehensive and exhaustive checklist for “GDPR compliance.” 

All organizations are encouraged to read the GDPR from legal, business, and IT perspectives, to confirm how to best comply with the regulation to ultimately protect and safeguard the privacy of the people that interact with them.

Find my others posts in my introduction to the SDL Tridion DX GDPR Blog Post series.