Below are the areas in which we have tried our best to help you comply with GDPR. You will still need to discuss your scenario with a legal advisor, but the following Kentico 11 EMS enhancements will make your life easier when facing GDPR compliance.
Mapped Data Flow
Yes, there are many things that you need to be aware of when fighting for your GDPR compliance. CMS-wise, you might be going through an auditing process, making sure you understand your data flow, and getting to know who has access to your data and when. Once you are familiar with that, you can progress further with your GDPR compliance. As we don’t expect you to study the Kentico 11 EMS source code to find out where data is stored, we have done this step for you, and you can find the data flow mapping in our Kentico 11 documentation.
We tried our best to cover all the default data in Kentico 11, but you must be careful to include your custom data flow mapping as well (e.g., third-party integrations). And, of course, do not forget to meet your lawyer, because you want to be sure you have covered everything, right?
Here we go. How could we even think about being GDPR compliant if we didn’t sort out our consents? The texts of the consents need to be stored in the simplest way possible, so that they can be easily created and managed. That’s where Kentico 11 EMS’s built-in support for consent management comes in handy. You can manage the text of consents on the Consents tab in the Data protection app. As always, it is covered by our Kentico 11 documentation.
Website Activity Tracking
Oh, yes. This is one of the reasons why the whole GDPR compliance thing is destined to cause huge waves in the digital marketing ocean. Most of our website activities are tracked these days: whether you scrolled down to the bottom of the page, whether you clicked the banner or not. Once you enter your details into an online form, all your previous activities are connected to your profile and can be used for better content personalization.
But what if you don’t like it? What if you don’t want the content to be personalized according to your past behavior? What if you don’t want your data to be shared with third parties? That’s when GDPR kicks in. Unless you give consent for your activities to be tracked on a website, they should not be tracked at all, simple as that.
That’s why we adjusted Kentico 11 EMS to not create contacts, or track their activities, unless the visitor has agreed to it (through the Cookie law and tracking consent web part). All you need to do is configure the system cookies as needed, and then define the text of the tracking consent so it can be displayed via the web part, and saved among the consent agreements if the contact agrees to it. You can check our previous blog post for a quick dive into it.
Web Analytics Tracking
Besides contact activity tracking, you might also be using Kentico 11’s built-in Web Analytics tracking. Web Analytics tracks statistics about your website such as the average time on a page, traffic sources, landing pages, exit pages, browser types, and many more. As part of the quest for GDPR compliance, you might need to keep Web Analytics disabled for visitors who haven’t agreed to the tracking consent.
That’s why we introduced a way for developers to create an event handler that checks the current visitor’s consent agreement status and keeps Web Analytics tracking disabled if needed. The whole approach is described in detail in our Kentico 11 documentation.
Gathering website visitors’ personal data through online forms is a common practice. However, as GDPR points out, it is important that visitors are aware of what is going to happen with their submitted data, for example, whether they are going to receive a newsletter, or whether their email address will be used for potential email campaigns in the future.
Therefore, we have created the Consent agreement form control in Kentico 11 EMS, which can be added to any online form on your website to display a short version of a consent and save the consent agreement for the contact. This way, it is easier and more straightforward to deal with consents in Kentico 11 EMS.
Well, I am sure you have already been using double opt-in for newsletter sign-ups to avoid spamming people, right? But if not, GDPR will pretty much force you to do so. You want to be sure that your website visitors gave you consent before you send them newsletter emails. In some cases, double opt-in sign-ups might be enough, but in others, you might also need to let them agree to the consent directly on the subscription form (always check it with your legal advisor). In such a case, you would use the Consent agreement form control once again to display the text of a consent and save it appropriately for the contact.
This brings us to user registrations. Whenever your users (or customers) register on the website, you may need their consent agreement as well. This always depends on your scenario, but in most cases, you will need to inform them about what you are going to do with their personal data and let them agree to it. Once again, you would use the Consent agreement form control to make your life easier in that manner.
This is a very important part of your GDPR compliance, and also the one that cannot be done out of the box, as all business requirements are different, and one size doesn’t fit all. That’s why you need to discuss your GDPR compliance needs with your legal advisor, get clear on your revoking process, and delete the appropriate data if needed.
However, to make it as easy for you as possible, we have created a sample consent-revoking web part for Kentico 11 EMS that you can adjust to revoke consents according to your exact needs!
What would your lead-nurturing life be without marketing automation? It would be a very different story. Nevertheless, there is a GDPR catch. You need to ensure that consent agreements (including their possible revocation) are reflected in the marketing automation process every time. In other words, you should always check whether a contact still agrees with the consent, and only then send them an email.
How would you do it in Kentico 11 EMS then? Easily. You would use the macro rule Contact has agreed with consent in the Condition step inside of the marketing automation process to check if the contact still agrees with the given consent, and only then continue further in the process.
Well, as soon as your website visitors agree to a tracking consent (informing them about the scope of your website tracking and content personalization), you can start personalizing their browsing experience. Of course, make sure you discuss this matter with your legal advisor to be sure you haven’t missed anything. From that moment, you can use the macro rule Contact has agreed with consent (once again) in the personalization variants of your web parts (or widgets) to ensure that only those who agreed to the consent will enjoy the personalized browsing experience.
Right to Access
After May 25, 2018, everyone in the EU will have the right to ask you to provide them with all the data you have gathered about them so far. You will have 30 days to fulfill their request. It may sound like enough time, but imagine you received 210 requests per month. That would be about seven requests per day that you would need to take care of. For each one, you would need to collect all the data that you have about the particular visitor (contact) and save it in an easily readable format.
No worries though! You can rely on the Data protection app in Kentico 11 EMS and leverage its capability to pull all the saved data based on an email address. Once the identity and data collectors are implemented by your developers (after consulting your legal advisor), you can visit the Right to access tab and quickly retrieve the relevant data.
For a quick look at how the implementation might look in Kentico 11 EMS, feel free to check out this article.
Right to Data Portability
Besides the right to access, EU citizens will also be able to ask you to provide them with their data in a machine-readable format. This means that the data you have collected about them needs to be provided in some commonly used format for data transfer. By default, Kentico 11 EMS will generate the data in XML format for you. You just need to open the Data protection app, select the Data portability tab, and search for the data using an email address. In case you need to change the output format, your developers can adjust it for you to meet your unique GDPR compliance needs.
Right to Be Forgotten
Whether your visitors changed their mind, got upset, or just want to restart their digital experience, GDPR grants them the right to be forgotten. This basically means that you have to delete all the data you have collected about them if they ask you to do so.
However, it is important to check this requirement with your legal advisor, as there might be cases in which you may need to keep some of the data for legal reasons. Nevertheless, once you are clear about the data that should stay in the system and the data that should be deleted, your developers can implement this custom requirement for you, so you can then visit the Data protection app, switch to the Right to be forgotten tab, and quickly delete the contact’s data.
Yes, GDPR compliance is a science. But with the data protection enhancements in Kentico 11 EMS, the process can become easier and much more streamlined.
How is your GDPR preparation going? Are you ready for it yet? Let us know in comments!
DISCLAIMER: All data and information provided in this blog post are for informational purposes only. Kentico makes no representations as to the accuracy, completeness, currentness, suitability, or validity of any information contained herein. We recommend consulting with a lawyer for any legal advice pertaining to GDPR compliance.