The General Data Protection Regulation (GDPR) is a privacy regulation that takes effect on May 25, 2018, and describes how to handle the Personal Data (PD) and Personally Identifiable Information (PII) of natural persons (residents and citizens) of the European Union (EU).
The GDPR's global reach applies to any organization that interacts with natural persons (1) of the EU, regardless of where the organization or its services (e.g. website hosting location) reside or the type of business.
It has provisions similar to, but will completely replace, Directive 95/46/EC (the Data Protection Directive), and it requires organizations to have proper security as well as processes and a legal basis or framework to support their use of PD and PII.
This post describes privacy terminology related to the GDPR from the context of managing web or structured content.
The following privacy-related terms and abbreviations can help you better understand and communicate about the GDPR with your teams and implementation partners.
Data Controller
The business or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.
The Data Controller has specific obligations under GDPR covering the collection and processing of personal data and must ensure any Data Processor and their Sub-Data Processors operate to the standards of the GDPR.
When dealing with prospects, customers, or anonymous visitors for either web content management or structured content, your company will likely act as a Data Controller regardless of the technical solutions you use to process their personal data. Depending on your systems, you may work with other organizations that process this personal data on your behalf which would then be Data Processors.
Data Processor
A business or organization which processes personal data on behalf of the Data Controller.
Under GDPR the Data Processor must only process the personal data as instructed by the Data Controller and operate to the same standards as required of Data Controllers under the GDPR.
As mentioned above, Data Processors include the third parties you work with to store and process the personal data of your prospects and/or customers. For example, if you use SDL Tridion Sites Cloud with Audience Manager, SDL is acting as a Data Processor on your behalf. Many organizations might use an external CRM (e.g. Salesforce1), which would also act as a Data Processor of the Personal Data under your control.
Sub-Data Processor
A business or organization which processes personal data on behalf of the Data Processor.
Sub-Data Processors must act as Data Processors, only processing the personal data as instructed by the Data Controller/Processor and operating to the same standards as required of Data Controllers under the GDPR.
Third-party Data Processors may in turn rely on the systems of other organizations to process personal data, and those organizations must also comply with GDPR. For example, SDL Tridion DX Cloud uses Amazon Web Services' (AWS) Elastic Computing services. If you act as a Data Controller using SDL as a Data Processor with features such as Audience Manager, Amazon's Elastic Computing would act as a data sub-processor and must comply with GDPR as well (2).
Data Subject
A natural person in the European Union.
This would be any person from the European Union that interacts with your company. In the context of web content management and structured data, your Data Subjects would typically be your prospective buyers, customers, or general website visitors. Partners and your employees may also qualify as Data Subjects.
Though GDPR applies to natural persons in the EU, companies with a global footprint may want to offer the same experience and approach to privacy to all of their users.
Personal Data (PD) is information relating to a person, or from which a person can be identified. GDPR does not explicitly offer a comprehensive list of what it considers as PD, but see some familiar examples below.
This example list of personal data includes some, but not all, of the data that could be used to identify a natural person.
Personal data varies based on your implementation details and use cases. The important point is to avoid treating these examples as an exhaustive list. Keep in mind that technology that processes personal data continues to evolve.
For example, a few decades ago, the ability to find someone by name was limited to local or regional paper-based directories (e.g. white pages). Today it is much easier to identify someone by name online. Artificial intelligence algorithms, biometrics, and future technologies will likely continue to make it easier to identify people with even limited amounts of personal data.
Special Data
Some data is considered more sensitive by GDPR and is subject to stricter procedures. This data is explicitly listed in GDPR.
Special Data may not apply to typical online use cases, but be sure to review your products, services, and implementations especially if you’re likely to use such data.
For example, social networking scenarios might solicit special data for display in profiles, or fitness companies might work with health-related data. GDPR allows such processing provided you have a lawful basis or reason to do so, which could be consent from the Data Subject or a legal reason (e.g. data that's part of a contract or needed for a lawsuit).
The United States calls the following data Sensitive Information:
Though technically not part of the GDPR, it may make sense for your organization to treat personal data in either the Sensitive Data or Special Data category the same way, for a consistent approach to privacy that complies with laws in the US and in the EU member states.
Supervisory Authority
Each Member State will appoint a local Data Protection Authority as the Supervisory Authority to monitor the application of GDPR, deal with standards, etc. This organization will provide education and guidance, handle complaints, and investigate breaches.
For example, the United Kingdom’s Supervisory Authority is the Information Commissioner’s Office (ICO).
These terms and abbreviations are used in the next section which clarifies Data Subject Rights.
The GDPR requires that you have the ability to respond to these data subject rights and obligations.
Table: Data Subject Rights influence the majority of your GDPR functional requirements.
Lawfulness of Processing
Right to Withdraw Consent
Right to Object
Right of Access
Right to Rectification
Right to Erasure (Right to be Forgotten)
Right to Restriction of Processing
Right to Notification (all recipients of Personal Data informed of Rectification, etc.)
Right to Data Portability
Notification of Data Breach
These rights give data subjects the ability to request the Personal Data (PD) you have about them, as well as the ability to withdraw consent at will, object to incorrect information, fix missing information, or erase the PD you hold on their behalf.
GDPR also requires you to inform data subjects of a data breach unless you’ve made your data incomprehensible to unauthorized users (e.g. via encryption).
In the next post, I will share product-specific features and capabilities that may be impacted by GDPR.
Update (2018-02-23): The original post was missing the table for the Data Subject Rights and Obligations, which has now been added along with an explanation, an intro to the next post, and fixes for minor typos.
(1) The GDPR specifically refers to natural persons in order to refer explicitly to data subjects as individual human beings rather than legal persons, a term which can include organizations.
(2) For more information about how AWS enables GDPR compliance, see https://aws.amazon.com/compliance/gdpr-center/.
These blog posts are meant to help SDL customers familiarize themselves with the concepts and high-level requirements of the General Data Protection Regulation (GDPR). Following these recommendations can help organizations follow good privacy practices. But this should not be treated as legal advice or as a comprehensive and exhaustive checklist for "GDPR compliance."
All organizations are encouraged to read the GDPR from legal, business, and IT perspectives, to confirm how to best comply with the regulation to ultimately protect and safeguard the privacy of the people that interact with them.
Find my other posts in my introduction to the SDL Tridion DX GDPR Blog Post series.