Is Your CMS GDPR Ready?
By Karol Jarkovsky | Aug 21, 2017
First things first: GDPR compliance is your responsibility, not any tool's. But your CMS can support your efforts to remain on the right side of the regulation. Here's how.
Businesses have less than a year to get their privacy strategy in order before the EU’s new General Data Protection Regulation (GDPR) takes effect.
The GDPR will have a profound impact on how organizations conduct business online. Content management solutions, as an integral part of the digital technology stack, play an essential role in delivering contextually relevant experiences, in part because they track, store and process visitor personal and behavioral data.
It is therefore crucial to understand the critical capabilities a CMS must possess in order to comply with the GDPR legislation, now and in the future.
What Is Considered Personal Data?
The GDPR defines personal data as any information relating to an identified or identifiable person. In short, any data that can help directly or indirectly identify a person.
Names, identification numbers, email addresses, location data, IP/MAC addresses or other network identifiers and one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person are all examples of personal data that can directly identify a person.
Online orders, behavioral data and so on help indirectly identify a person.
GDPR Affects Your Business Too
Before we start talking about specific CMS capabilities, let’s make one thing clear: the GDPR is not just ‘a European thing’ and it most likely impacts your business too.
Why? Because the GDPR applies to any business with an establishment in the EU. And even if you do not have an establishment in the EU, as long as you are offering goods or services, paid or free of charge, to EU residents, then you fall under the GDPR.
Even if you do not intend to provide EU residents with goods or services, but you are monitoring their behavioral data, then you need to comply with the GDPR.
For example, say you are a US-based business running an online retail store. Your commerce website is hosted by a third-party cloud provider in their East Coast data center. You only ship within the US, your product descriptions are in English and the US dollar is the only currency accepted.
Now, let’s say an EU resident searches online for a product you offer and clicks through to your store. Because you clearly do not have an intent to conduct business in the EU (you do not ship outside the US, all your product info is in English and you only allow purchases in local currency), the GDPR does not apply to you even though an EU resident entered the store.
However, as soon as you display prices in euros, show the product description in German and/or Dutch, show an option to ship to Germany or another EU country, or even display testimonials/reviews from an EU resident, you are communicating an intent to do business in the EU and the GDPR applies to your business.
And if you do not show intent to do business, but you decide to monitor behavioral data of visitors entering the store for profiling, personalization and other marketing purposes, you again need to become GDPR compliant.
Be aware that fines for non-compliance may stand at a maximum of either 4 percent of annual revenue or up to €20 million, whichever is larger.
GDPR Is Your Responsibility, Not Your CMS's
You are ultimately responsible for your business’ compliance with GDPR. While the CMS you chose can make it easier for you to comply, it can’t do it all.
According to the GDPR, whoever determines the purposes and means of personal data processing is considered the “data controller.” By collecting behavioral data in order to deliver personalized experiences, you become the controller.
The controller is ultimately responsible for implementing appropriate technical and organizational measures to demonstrate all processing activities are compliant with the requirements of the GDPR.
What GDPR-ready CMSs can provide are the tools that make it easier to fulfill the rights of data subjects as defined by the GDPR as well as help you to demonstrate compliance with the data protection principles when requested by law enforcement authorities.
4 Ways a CMS Can Support Your GDPR Efforts
1. Managing consents
According to the GDPR, any personal data processing requires a lawful basis for doing so, for example when a subject gives you consent to process their data.
But it’s not quite that straightforward.
GDPR imposes strict conditions for obtaining consent: A data subject has the right to withdraw consent at any time. Each processing activity requires a separate valid consent, meaning you must present genuine and granular choice to data subjects instead of bundled/single consent.
A GDPR-ready CMS should support this activity, providing capabilities so you can produce multiple consents specific to processing purposes and bind them to features and modules of the CMS. The CMS system should then automatically recognize whether the current data subject provided consent for the particular purpose and, if not, it should display the most recent version of the consent.
Because the consent mechanism needs to be genuine and voluntary, it should require a double opt-in model. It is the controller’s responsibility to validate the identity of a data subject to avoid cases where one person gives consent to the processing of another person’s personal data. For this reason, the CMS should offer a double opt-in validation model, which sends a confirmation link to the data subject via email.
Only after the data subject confirms via that confirmation link can the consent be considered valid.
2. Records of given consents and processing activities
As mentioned earlier, consents provide a lawful basis for the processing of personal data. This requirement opens up significant potential for debate as to whether a data subject provided consent for personal data processing, placing the onus on the controller to keep a record of all consents obtained from data subjects.
In fact, the ability to demonstrate clear consent from a subject for specific purposes is another requirement under GDPR legislation. You therefore want a CMS that stores a history of all consents.
A history of consents should ideally contain the data subject identifier, a time stamp, the subject of the consent, how the consent was given (e.g. via email, online form, registration form, etc.), whether the consent was withdrawn, and if so, when.
Reporting capabilities in your CMS also play a crucial role in order to comply with a customer’s rights to information related to the fair processing of personal data.
The CMS system should be able to compile and export reports on data processing activities at the request of data protection authorities. Reports should contain information such as the purposes of the processing, categories of data subjects, personal data processed, categories of third parties that data may be shared with, applicable data retention periods, and so on.
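As an added illustration (not code from the article or from Kentico), here is a small Python consent registry that implements the points from sections 1 and 2: one versioned consent per processing purpose, double opt-in via an e-mailed token, withdrawal recorded rather than deleted, and an append-only history. The purposes, wording and channel names are constructed for the example.

```python
import secrets

# Constructed consent definitions: one per processing purpose, versioned so the CMS can
# tell whether a subject agreed to the current wording or must be shown the latest text.
CONSENT_VERSIONS = {
    "personalization": [(1, "Use my browsing data to personalize content")],
    "newsletter": [(1, "Send me the monthly newsletter"), (2, "Send me weekly offers")],
}

class ConsentRegistry:
    def __init__(self):
        self.history = []    # every consent ever requested, never deleted or overwritten
        self._pending = {}   # opt-in token -> record awaiting e-mail confirmation

    def request(self, subject_id, purpose, channel, now):
        """Start double opt-in for the latest version; return the token to e-mail."""
        rec = {"subject_id": subject_id, "purpose": purpose,
               "version": CONSENT_VERSIONS[purpose][-1][0],
               "channel": channel,            # how consent was given: email, web form, ...
               "requested_at": now, "confirmed_at": None, "withdrawn_at": None}
        token = secrets.token_urlsafe(16)
        self._pending[token] = rec
        self.history.append(rec)
        return token

    def confirm(self, token, now):
        """Consent only becomes valid once the subject follows the e-mailed link."""
        self._pending.pop(token)["confirmed_at"] = now

    def _active(self, subject_id, purpose):
        return [r for r in self.history if r["subject_id"] == subject_id
                and r["purpose"] == purpose and r["confirmed_at"] and not r["withdrawn_at"]]

    def withdraw(self, subject_id, purpose, now):
        """Withdrawal is recorded, not deleted, so the history stays demonstrable."""
        for rec in self._active(subject_id, purpose):
            rec["withdrawn_at"] = now

    def has_consent(self, subject_id, purpose):
        """Valid only if confirmed, not withdrawn, and for the current version."""
        latest = CONSENT_VERSIONS[purpose][-1][0]
        return any(r["version"] == latest for r in self._active(subject_id, purpose))

    def consent_to_show(self, subject_id, purpose):
        """Text the CMS should present when no valid consent exists for this purpose."""
        if self.has_consent(subject_id, purpose):
            return None
        return CONSENT_VERSIONS[purpose][-1][1]
```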
3. Data portability
Under the GDPR, a controller must on request provide data subjects with an export of all their personal data in a machine-readable format so that the data can be transferred from one data controller to another.
This could be a significant opportunity for some businesses to attract customers from their competitors, especially where a competitor’s long history of personal data places it at what could be viewed as an unfair advantage.
For example, if a new social network wanted to attract Facebook users, Facebook would be required to provide that new social network provider with all personal data collected about a specific customer upon that customer’s request, provided the original data processing was done under contract or based on the user’s request.
Your CMS therefore needs the capability to export personal data pertaining to a specific data subject, and also to import data subjects being transferred from another controller.
4. Handling 'right to be forgotten'
Data subjects can request that a controller delete their personal data if the continued processing of those data is not justified. That is mostly when:
personal data is no longer needed for the original purpose
the data subject has withdrawn consent
the data has been processed unlawfully or
a few other unique situations
Regardless of the basis for such a request, as long as it’s justified according to GDPR requirements, all personal data collected on that data subject must be removed.
You should also notify any other controllers and third parties with whom you have exchanged the personal data to remove all personal data about the data subject they have.
However, instances arise where not all of the data can be erased, for example when retention is necessary to comply with other legal obligations under the controller’s country legislation, among other reasons.
Consider a scenario where an online medical service provider processes personal data of patients as required by the controller's country legislation primarily in order to prevent spreading diseases, but additionally for marketing purposes. When a data subject exercises his or her right to be forgotten, the medical service should delete any data used for marketing purposes but keep a specified scope of personal data to fulfill their obligation to prevent the spreading of diseases.
A CMS should help you configure what personal data you are required to keep processing due to your country's legislation and retain that data even after the right to be forgotten is exercised. The CMS should also make it easy for you to remove any personal data and notify other controllers about the request.
Finally, the controller must take every reasonable step to ensure all personal data is accurate and, where necessary, kept up to date, and is erased or rectified without delay once the purposes of the processing are fulfilled.
A GDPR-ready CMS should, therefore, allow setting a retention policy for personal data to comply with this specific requirement of GDPR. Keep in mind you may be asked to demonstrate any notifications made to other controllers, so the CMS should keep a log of notifications issued for this purpose.
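As an added example (not the article's or any vendor's code), the erasure-with-retention logic described in section 4 in Python: an erasure request removes every field except those a configured legal basis requires, the retained data expires under a retention policy, and each notification to another controller is logged so it can be demonstrated later. The legal bases, field names, retention periods and third parties are constructed placeholders.

```python
from datetime import timedelta

# Constructed retention policy (illustrative, not taken from any statute): each legal basis
# names the fields the controller must keep after an erasure request and for how long.
LEGAL_RETENTION = {
    "disease_reporting": {"fields": {"name", "date_of_birth", "diagnosis"}, "days": 3650},
    "tax_records": {"fields": {"name", "invoice_total"}, "days": 2555},
}

# Constructed list of other controllers/processors that received the data.
THIRD_PARTIES = ["marketing-agency", "email-provider"]

class SubjectStore:
    def __init__(self):
        self.subjects = {}          # subject_id -> {field: value}: live CMS data
        self.retained = {}          # subject_id -> data kept only under a legal basis
        self.notification_log = []  # (sent_at, subject_id, recipient): demonstrable on request

    def add(self, subject_id, data):
        self.subjects[subject_id] = dict(data)

    def erase(self, subject_id, legal_bases, now):
        """Right to be forgotten: delete everything except fields a legal basis requires."""
        record = self.subjects.pop(subject_id)
        keep = set().union(*(LEGAL_RETENTION[b]["fields"] for b in legal_bases))
        kept = {k: v for k, v in record.items() if k in keep}
        if kept:
            longest = max(LEGAL_RETENTION[b]["days"] for b in legal_bases)
            self.retained[subject_id] = {"data": kept, "bases": sorted(legal_bases),
                                         "until": now + timedelta(days=longest)}
        # Tell everyone the data was shared with, and keep proof that this was done.
        for party in THIRD_PARTIES:
            self.notification_log.append((now, subject_id, party))
        return sorted(set(record) - keep)   # the fields actually erased

    def purge_expired(self, now):
        """Retention policy: drop legally retained data once its period has elapsed."""
        expired = sorted(s for s, r in self.retained.items() if r["until"] <= now)
        for s in expired:
            del self.retained[s]
        return expired
```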
Act Now, Sleep Later
There’s a lot more to consider when it comes to GDPR, so take it seriously.
Put the effort in to ensure your company avoids the punitive downside of the regulation. Research all of the requirements and have an open and honest discussion with your current or future CMS provider.
Put the appropriate business changes in place now or expect some sleepless nights ahead when the GDPR comes into effect.
About the Author
Karol Jarkovsky, Vice President of Product for Kentico Software, recognizes the opportunity that businesses have to digitally transform themselves in order to survive and thrive in today’s highly competitive environment. He has committed himself to helping develop the disruptive technologies that make such transformation possible.