Keeping guard of personal data

Data privacy was the subject of many blogs last year as businesses geared up for the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018.

The regulation applies to every business that processes personal data, and it covers not only digitally held data but any records kept on paper too. The biggest change the GDPR brought was around consent. Previously, implied consent was enough. Under the GDPR, consent must be freely given, specific, informed and unambiguous, with a positive opt-in offered.

Accountability was also addressed: businesses are now expected to be able to demonstrate how they comply with the regulation, which means knowing where data has come from, where it is kept and who it is shared with.

A year on from the introduction of the GDPR, figures from the IAPP (International Association of Privacy Professionals) suggest that fewer than 50 per cent of survey respondents report they are ‘fully compliant’ with the GDPR, and nearly one in five admit that full GDPR compliance is ‘truly impossible’.

Users of Sitecore, though, have found themselves in a more positive position, as Sitecore has been working across its organisation to ensure compliance with the GDPR and other privacy laws. Sitecore stated at the time that it understands that ‘our customers will want to know how they can configure Sitecore products and services in a way that will help them with their own compliance efforts’.

Rich Foehr, Chief Legal Officer at Sitecore said: “Sitecore is committed to the privacy-first philosophy of the GDPR and to emulate that in our processes and products. With that in mind, we have taken a number of steps to ensure that our ongoing compliance and our Privacy Team are implementing an ongoing data protection plan that covers all areas of our business.”

Organisations whose data is spread across multiple siloed systems and databases face a significant challenge in ensuring that they comply with the GDPR requirements. Sitecore Experience Cloud is not only secure by default, but developed with a privacy-by-design approach. Its digital experience and commerce platforms can be configured to collect, connect and store customer data at the individual level, which makes the data easier to manage because it is all in one place.

Sitecore XP 9 incorporates a number of privacy-by-design and privacy-by-default principles and new features. These include support for anonymising data and the ability to annotate data and treat it as sensitive. Sitecore XP 9 is built on a privacy-by-default foundation that helps you protect Personally Identifiable Information (PII) out of the box, and XP 9 provides facilities for you to identify and secure PII that may be introduced by installing extensions.

Sitecore supports the use of strong security measures to protect personal data throughout the product lifecycle. This includes encryption of data at rest (data storage) and in motion (data transport). 

Among the various measures brought in by the GDPR is the ‘right to erasure’. Sitecore addresses this with the xConnect feature ‘Execute Right To Be Forgotten’, which irreversibly anonymises an individual’s data so that the data can no longer be tied to that person.
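As an added illustration of what invoking that feature looks like in practice (this is example code written for this article, not code from Sitecore’s documentation or from the original post), the snippet below anonymises a single contact through the Sitecore XP 9 xConnect client API. It assumes it is running inside a Sitecore context where `SitecoreXConnectClientConfiguration.GetClient()` is available; the identification source `"twitter"` and identifier `"alice"` in the usage comment are constructed placeholders, and the `RightToBeForgotten` class and `Execute` method are names chosen here.

```csharp
// Added example: anonymising one contact with the xConnect client API in
// Sitecore XP 9. Not code from the original post or from Sitecore's docs.
// Assumes a Sitecore context (controller, pipeline processor, scheduled task)
// so that SitecoreXConnectClientConfiguration.GetClient() is available.
using System;
using Sitecore.XConnect;
using Sitecore.XConnect.Client;
using Sitecore.XConnect.Client.Configuration;

public static class RightToBeForgotten
{
    // Returns true when a matching contact was found and anonymised,
    // false when no contact matched the supplied identifier.
    // Example call (placeholder values): RightToBeForgotten.Execute("twitter", "alice");
    public static bool Execute(string source, string identifier)
    {
        using (XConnectClient client = SitecoreXConnectClientConfiguration.GetClient())
        {
            try
            {
                // Look the contact up by one of its known identifiers.
                var reference = new IdentifiedContactReference(source, identifier);
                Contact contact = client.Get<Contact>(reference, new ContactExpandOptions());

                if (contact == null)
                {
                    return false;
                }

                // Queue the anonymisation. The contact record is retained, but
                // its PII facets and identifiers are stripped when the batch
                // is submitted. This cannot be undone, so verify the
                // requester's identity before calling this method.
                client.ExecuteRightToBeForgotten(contact);
                client.Submit();
                return true;
            }
            catch (XdbExecutionException ex)
            {
                // One or more operations in the batch failed. Log and rethrow
                // so the caller never reports a false "forgotten".
                Sitecore.Diagnostics.Log.Error(
                    "Execute Right To Be Forgotten failed for " + source + "/" + identifier,
                    ex,
                    typeof(RightToBeForgotten));
                throw;
            }
        }
    }
}
```

Two practitioner notes: the operation is an anonymisation rather than a row deletion, so the contact still exists in xDB afterwards but without the data that made it identifiable; and because it is irreversible, the identity check on the erasure request belongs in front of this call, not after it.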

While many people have felt confused and constricted by the new regulations, Sitecore products are designed to help you strike the right balance between privacy, security controls and usability. The organisation hasn’t stopped worrying about data privacy with the introduction of the GDPR; with ongoing releases, Sitecore is committed to providing additional privacy controls and features out-of-the-box that can assist you with GDPR compliance using Sitecore products.

As a Sitecore partner, Lake Solutions is in a unique position to help our clients to address a variety of privacy requirements. Please do get in touch with any questions regarding the GDPR or other privacy issues. 

Article Details

Ian Jepp
10 July 2019