GDPR Impact for SDL Tridion DX Features

This post explains SDL’s content product features whose main use cases relate specifically to data subjects or your users. Keep in mind, however, that GDPR involves the processes surrounding your customers’ personal data. As such, compliance will involve people, processes, and technology across your organization.

If you have or use the following features in SDL Tridion Sites or SDL Tridion Docs*, you should review your implementation for GDPR compliance and ensure you’re following the best practices for privacy and security.

  • Unified Delivery Platform Features
    • Ambient Data Framework and the Context Cartridge
    • User Generated Content
  • SDL Tridion Sites-Specific Features
    • Audience Manager
    • CRM Accelerator and Connectors
    • Experience Optimization

*Releases for SDL Tridion Sites, SDL Tridion Docs, the shared Unified Delivery Platform, and Connectors are planned for 2018. Note that documentation links may refer to the latest product names, but specifically reference older product names such as SDL Web and SDL Knowledge Center.

Unified Delivery Platform Features

The Unified Delivery Platform (UDP) is a shared capability between SDL Tridion Sites and SDL Tridion Docs that allows you to publish from either content management system into a centralized system that delivers content.

UDP includes the Ambient Data Framework as an optional personalization framework, as well as support for the User Generated Content features in SDL Tridion Sites and SDL Tridion Docs.

Ambient Data Framework

The Ambient Data Framework (ADF) allows you to gather and transform Web site data, such as information about your visitor’s current session. It uses a mix of out-of-the-box and custom Cartridges which plug into the framework to expose various claims about a given request or session. Read more about the Ambient Data Framework on the SDL Documentation Center.

The Ambient Data Framework system diagram and documentation are available on the SDL Documentation Center (See ADF for SDL Web 8.5 or ADF for Knowledge Center 13).

A claim is an individual piece of data that can represent specific details during a request or session.

GDPR may apply to your use of the Ambient Data Framework (ADF) because you may be gathering and combining implicit and explicit data (claims) about a given visitor based on:

  • Internet protocol (IP) addresses
  • Physical or mailing address
  • Email
  • Name
  • Other profile information and details

This data can then be used in your application logic to adapt your visitor’s website experience to offer personalized content and offers, improve loading times, or otherwise optimize the website experience.

When used anonymously, some of this data might not be classified as Personal Data, per se. However, it becomes possible to identify individuals with enough implicit or explicit data (e.g. IP address plus browsing history plus submitted form data).

Context Cartridge

The Context Cartridge is a pluggable set of context-related claims that works with the Ambient Data Framework to programmatically understand a visitor’s device, operating system, and browser characteristics.

This includes, but is not limited to, aspects such as operating system name, screen height and width, and device type.

The Context Engine system diagram and documentation are available for SDL Web 8.5 or SDL Knowledge Center 13.

The main use case for the context cartridge is to optimize a visitor’s experience based on their device and characteristics in an approach called RESS, or responsive design with server-side components (Wroblewski, 2011). The Context Cartridge working as part of the ADF lets you adapt your website to certain device or browser characteristics such as screen width.

Under GDPR you can continue to optimize the visitor’s experience using the Context Cartridge and similar anonymous ADF claims. However, if you gather, and especially store, enough data points, they may collectively be used to identify individuals and therefore count as personal data.

User Generated Content

User Generated Content is a module and service available to SDL Tridion Sites and SDL Tridion Docs. The feature gives website visitors the ability to rate and comment on content and topics in your website or documentation implementation.

The User Generated Content diagram is available for SDL Tridion Sites. Also, see details for UGC for SDL Tridion Docs.

As part of these comments, UGC stores the commenter’s name, email, and an optional link to an external identifier when integrating with a third-party system, which could be the Audience Manager module. Users can also leave anonymous comments.

In order to comply with GDPR, consider:

  • Explaining to users how comments will be used
  • Integrating with a system such as Audience Manager to store contact details (and disabling anonymous comments)
  • Optionally offering additional self-service capabilities to manage comments using UGC's APIs

SDL Tridion Sites-Specific Features

SDL Tridion Sites will be the new name for the next release of SDL’s Web Content Management system. It includes product add-ons such as Audience Manager, Experience Optimization, and the older Profiling & Personalization feature that lets you manage contacts, content promotions, and user profiling and page personalization, respectively.

Audience Manager

As the module intended to store and use contacts for website personalization and outbound email, Audience Manager implementations are probably the most impacted by GDPR.

The Audience Manager system diagram is available for SDL Tridion Sites.

Experience Optimization

Experience Optimization (XO) lets you create and manage targeted content for SDL Web-driven Web sites. XO relies on the ADF and its personalization engine.

The same privacy advice applies to XO as to the Ambient Data Framework; however, since promotions are controlled by Content Manager users, be sure they are aware of GDPR.

Profiling & Personalization

Profiling & Personalization (P&P) is an older personalization feature that lets editors show or hide select content (Component Presentations) for select types of users or Target Groups.

This functionality has been largely replaced by Experience Optimization, but might be used in older implementations (that rely on the Content Interaction Libraries running in-process, rather than against the Content Interaction Services).

Regardless of personalization technology, we recommend similar approaches to handling GDPR requirements based on transparency and explicit consent.

Accelerators

Digital Experience Accelerator

The Digital Experience Accelerator (DXA) is a reference implementation for SDL Tridion Sites and includes modules that support product capabilities such as the Context Engine as well as the ability to define device families and create device-specific views.

As an example MVC reference in .NET or Java that includes implemented product features, a working Staging site supported by various content types, and support from an active community, it is a quick way to explore use cases for privacy and consent. For example, after installing DXA, you may choose to extend Audience Manager Contact fields, add example disclaimer or opt-in text, or even contribute DXA modules to help others with GDPR compliance.

Future versions of DXA will bring the SDL Tridion DX suite closer together and act as a reference for SDL Tridion Sites and SDL Tridion Docs.

CRM Accelerator and Connectors

The CRM Accelerator (name to be finalized) is planned for a release in 2018 and will include DXA modules and Connectors (Providers) that allow you to integrate with an external CRM. The CRM Accelerator's form functionality may contain features to help support GDPR (e.g. explicit opt-in checkbox) and other privacy best practices in its integrations with Salesforce, Microsoft Dynamics, or other CRMs.

In my next post, I’ll describe some privacy practices you should address to comply with GDPR. This will be followed by more practical examples and suggestions we're gathering from Professional Services and Development.

 


These blog posts are meant to help SDL customers familiarize themselves with the concepts and high-level requirements of the General Data Privacy Regulation (GDPR). Following these recommendations can help organizations follow good privacy practices. But this should not be treated as legal advice or a comprehensive and exhaustive checklist for “GDPR compliance.” 

All organizations are encouraged to read the GDPR from legal, business, and IT perspectives, to confirm how to best comply with the regulation to ultimately protect and safeguard the privacy of the people that interact with them.

Find my other posts in my introduction to the SDL Tridion DX GDPR Blog Post series.