GDPR is less than a year away and getting closer by the minute. The biggest shake-up in consumer data protection in recent years promises strict enforcement globally, fines of up to 4% of annual global turnover or €20 Million (whichever is greater) for offenders, and zero tolerance. Tomorrow is already too late to be thinking about your GDPR compliance strategy.
So, if you make your goods or services available to EU data subjects, or are using any form of visitor or customer behavior analysis, you can expect a less-than-polite knock on the door after May 25, 2018, when GDPR comes into effect. The very first thing to realize is that you, as the data controller, are ultimately responsible for your business's compliance with GDPR; that means implementing appropriate technical and organizational measures to demonstrate that all processing activities comply with the requirements of GDPR.
You need your CMS to provide a toolset that can make it easier and cheaper to:
- fulfill the rights of data subjects as defined by GDPR
- help you to demonstrate compliance with the data protection principles when requested by law enforcement authorities
With the shocking plethora of personal data distribution going on currently, it is time that data subjects can say a firm “no” and take back control of how and where their personal information is shared. This is where GDPR comes into play. Like a protective elder sibling, it dictates that firms wanting access to personal data have to be accountable for where they get it from, whom they share it with, and how they handle it, using data flow mapping to show this.
To recap and elaborate further, GDPR insists that companies must be able to show within thirty days of being requested:
- The method used for collecting data
- Who is responsible for the data
- Where the collected data is stored
- Who has access to the data and if it is shared further
And this is the tip of the iceberg. GDPR heralds a golden age for GDPR-savvy lawyers because the regulations go even deeper, and you need to be sure that they can get you on the right footing before the dreaded deadline strikes.
What Do I Need to Do?
The golden phrase here is “data mapping”. You can think of it as a sophisticated integrated public transport monitoring system where the passengers are the data, and the tunnels and stations are the ways the data is stored and shared. So, imagine running the New York subway when you don’t have a clear idea of who is using it, where they are going, and whether the trains are all trying to use the same platform.
Having a clear visual record is a significant step in the right direction to doing a comprehensive GDPR audit, which is essential for determining that you are compliant. By showing the flow of data around your business, you can prove that you are obtaining, using, and storing data legally, and data subjects’ requests for erasure, portability, etc., can be fulfilled effectively.
How Does Kentico Go with the Data Flow?
We believe in practicing what you preach. So, to get a thorough understanding of what compliance involves, we tasked our GDPR lawyers with performing a data flow audit on our fictional Dancing Goat website, and made sure that we used our findings to test the GDPR compliance functionality in Kentico 11.
The audit showed us that the data we collect comes mostly through forms and analytics. Using this, we were able to discover who is responsible for that data, where it is stored, and how and whether we were permitted to use it, meaning through express consent, legitimate business use, contract, etc. Using the documentation we have for Kentico 11, making the data flow map helped us save a lot of time. And when there are lawyers involved, time means money! I could not begin to imagine how long this process would have taken us if we had to do everything without these resources.
GDPR—It’s Far From Easy
This could be seen as the understatement of the decade, but the experience gained from the audit has given us valuable insight that our developers were able to apply to Kentico 11 in the name of simplifying the process. An example of making data flow less complicated is preventing the spread of submitted data across your entire website when it was only intended to be used for downloading a brochure. It means allowing data subjects to take control of the data they submit so they can be confident that you are acting responsibly and following the letter of the law.
With Kentico 11’s goal of making GDPR compliance less of a nightmare for you, we have prepared our documentation to help you get the lowdown on how to use the new features to access and control the data you need more easily. And working alongside your lawyers, with Kentico 11, you can perform the data flow mapping digital agencies need to do to help them and their end clients be GDPR compliant.
But Do I Really Need to Worry About GDPR?
Yes, you do. All records of activities around data processing must be created and stored, as stated by Article 30 of GDPR. But it also works to your advantage. Having a more streamlined approach to processes means you can review the ones you have in place and amend them or get rid of them altogether. It is a much better way to have a clearer view of your users’ data and how it is used.
By taking a more practical approach to online forms and only collecting the information you actually need, you might find that visitors will be more inclined to complete them—and that means a better conversion rate. And by simplifying the data flow, you could find that obtaining extra consents from your visitors is no longer necessary. That has to be of some value, right? And by using the GDPR-compliance functionality in Kentico 11, you’re going to be flying in no time.
DISCLAIMER: All data and information provided in this blog post are for informational purposes only. Kentico makes no representations as to the accuracy, completeness, currentness, suitability, or validity of any information contained herein. We recommend consulting with a lawyer for any legal advice pertaining to GDPR compliance.