My previous posts introduced GDPR concepts and the SDL Tridion DX features or capabilities impacted by GDPR. In this post, I'd like to share some organizational recommendations that go beyond any specific technology. This is by no means a comprehensive guide, but it can highlight important privacy practices to consider, such as:
Before looking at these practices, let's put "GDPR compliance" into context as a familiar process that follows a series of steps.
Having seen several regulatory or nonfunctional requirements in customer implementations or past projects, I’ve found that most follow some, if not most, of the following steps.
I’ve seen this rough process apply to things like health privacy regulation (e.g. HIPAA), accessibility (e.g. Section 508 Compliance), SEO, Web analytics, and agile practices. As with any practice, be wary of myths while avoiding a myopic focus.
For GDPR compliance, start your review and any necessary changes by recognizing that a modern website already follows many practices that promote privacy and transparency. You might already have roles, processes, and procedures that support existing regulations and policies such as COPA (the Child Online Protection Act) or HIPAA (the Health Insurance Portability and Accountability Act) in the United States, or the previous privacy regulation that covered EU member states.
Mapped to steps I outlined above, your “path to GDPR compliance” may involve the following.
Now that we’ve explored some steps for addressing a requirement like “privacy regulation,” let’s look at privacy by design.
Privacy by design is a concept that suggests keeping privacy in mind from the start of your projects, implementations, products, or services.
This includes practices such as:
Read the GDPR text and revisit your current internal privacy policies. You'll want the departments or groups such as support, development, product management, content owners, and especially contact managers to understand the impact of GDPR and the importance of data subject privacy.
Be sure anyone who works with customers understands that users from the EU have certain rights to their data (for global companies this might as well be all users). You should limit who has access to Data Subject details to those who need the information. You can use authorization in Tridion Sites as well as field-level control to fine-tune Audience Manager contact details, for example.
Be sure you have policies and procedures in place for how to move, share, anonymize, and/or pseudonymize data between you and other companies. When sharing a database with customer data for troubleshooting, you should “scrub” or anonymize personal data. In other cases, you may prefer to pseudonymize the data, which keeps the records intact but makes them difficult or impossible to link to a specific person without additional information that you keep separately.
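As an added example (not SDL's code and not part of the original post), the following Python sketch shows the difference between scrubbing and pseudonymizing a set of constructed contact records before a database copy is shared for troubleshooting. The field names, the sample records, and the keyed-hash (HMAC) token scheme are assumptions; the key stays with the data owner and never travels with the shared copy.

```python
import hmac
import hashlib

# Constructed sample of contact records (not real data, not real field names).
SAMPLE_CONTACTS = [
    {"id": 101, "email": "alice@example.com", "name": "Alice Example",
     "ip": "203.0.113.7", "segment": "newsletter", "last_visit": "2018-03-02"},
    {"id": 102, "email": "bob@example.org", "name": "Bob Sample",
     "ip": "198.51.100.23", "segment": "webinar", "last_visit": "2018-03-04"},
]

# Fields that directly identify a person. Everything else is treated here as
# non-identifying troubleshooting context and is kept unchanged.
DIRECT_IDENTIFIERS = ("email", "name", "ip")


def scrub_contact(record):
    """Anonymize: drop the direct identifiers outright. The result can no
    longer be joined back to the original contact, even by the data owner."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def pseudonymize_value(value, key):
    """Keyed hash (HMAC-SHA256) of one identifier. The same input always maps
    to the same token, so records stay joinable across tables, but without the
    key the token cannot be reversed or confirmed by guessing candidate emails
    (a plain, unkeyed hash of an email could be)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize_contact(record, key):
    """Pseudonymize: replace each direct identifier with its keyed token."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field):
            out[field] = pseudonymize_value(str(out[field]), key)
    return out


def prepare_for_sharing(records, key=None):
    """key=None returns a scrubbed copy; a key returns a pseudonymized copy.
    The original records are left untouched either way."""
    if key is None:
        return [scrub_contact(r) for r in records]
    return [pseudonymize_contact(r, key) for r in records]
```

Which variant to share depends on whether the troubleshooting party needs to correlate records (pseudonymize) or only needs the non-personal context (scrub).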
As mentioned in the first post, we are literally "in this together" and SDL itself has been training its staff and revisiting privacy practices and procedures.
To ensure transparency and accountability for your data subjects, you might update Terms & Conditions and Privacy Statements, but do not rely on them for "blanket" disclaimers or permission to use private data. It's important to offer your customers explicit opt-in options.
Be sure to always obtain explicit permission before processing personal data. For example, place the opt-in text and checkboxes as close as possible to the point where you ask users for that permission. Avoid assuming agreement, and do not present preselected opt-in checkboxes.
Use plain language when explaining possible choices to users. Also, make it easy for users to find what they already agreed to at a later time.
Consider using dates, identifiers, or other ways to track explicit opt-in choices by your users. For example, you will want to be able to confirm that a given user agreed to the company newsletter on a given date.
Be sure to also consider personal data stored or processed by other systems or companies. As an example, our own editorial team for SDL.com uses SDL Tridion Sites to manage the placement of contact forms on its pages along with CRM and Marketing Automation systems to record details for visitors. To improve this experience, we are adjusting the same systems to store more granular opt-in preferences.
The GDPR text is mostly agnostic to how or where you store such opt-in preferences, so find an approach that works for your existing systems.
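One approach to recording explicit opt-in choices with dates and identifiers, as discussed above, is an append-only consent log. This is an added illustration, not SDL's code or part of the original post; the event fields, the purpose names, and the sample history are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One explicit choice: consent for a purpose granted or withdrawn."""
    subject_id: str       # identifier for the data subject (not the email itself)
    purpose: str          # granular purpose such as "newsletter", not "marketing"
    granted: bool         # True = opted in, False = withdrew
    at: datetime          # UTC timestamp of the choice
    source: str           # form or page where the choice was made
    policy_version: str   # version of the opt-in text the user actually saw


class ConsentLog:
    """Append-only: choices are never overwritten, so a later question such as
    'had this user agreed to the newsletter on that date?' can still be answered."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        self._events.append(event)

    def status_at(self, subject_id: str, purpose: str, when: datetime) -> Optional[ConsentEvent]:
        """Most recent choice for subject+purpose at or before `when`.
        None means no explicit choice exists, which counts as no consent."""
        hits = [e for e in self._events
                if e.subject_id == subject_id and e.purpose == purpose and e.at <= when]
        return max(hits, key=lambda e: e.at) if hits else None

    def had_consent(self, subject_id: str, purpose: str, when: datetime) -> bool:
        ev = self.status_at(subject_id, purpose, when)
        return ev is not None and ev.granted

    def current_choices(self, subject_id: str) -> Dict[str, bool]:
        """What the user can be shown today as 'what you agreed to'."""
        now = datetime.now(timezone.utc)
        purposes = {e.purpose for e in self._events if e.subject_id == subject_id}
        return {p: self.had_consent(subject_id, p, now) for p in purposes}


def utc(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp as UTC."""
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


def build_sample_log() -> ConsentLog:
    """Constructed history for one visitor (not real data): opted in to the
    newsletter on a contact form, then withdrew via a preference center."""
    log = ConsentLog()
    log.record(ConsentEvent("subject-7f3a", "newsletter", True, utc("2018-03-01T10:15:00"),
                            "contact-form:/resources/whitepaper", "privacy-v2"))
    log.record(ConsentEvent("subject-7f3a", "newsletter", False, utc("2018-04-10T08:00:00"),
                            "preference-center", "privacy-v2"))
    return log
```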
Seeing the steps to compliance as a familiar process can put practices such as privacy by design, education, transparency, and accountability in context, which you can address at a high-level across your organization. Your technical implementers, however, may be interested in recommendations specific to SDL Tridion DX features such as Audience Manager, the Ambient Data Framework, or User Generated Content. I will revisit these features in my next post.
These blog posts are meant to help SDL customers familiarize themselves with the concepts and high-level requirements of the General Data Protection Regulation (GDPR). Following these recommendations can help organizations follow good privacy practices, but this should not be treated as legal advice or as a comprehensive and exhaustive checklist for “GDPR compliance.”
All organizations are encouraged to read the GDPR from legal, business, and IT perspectives, to confirm how to best comply with the regulation to ultimately protect and safeguard the privacy of the people that interact with them.
Find my other posts in my introduction to the SDL Tridion DX GDPR Blog Post series.