There is a lot of information around business impact and considerations of GDPR for the wider business. Whilst GDPR for an organisation should be taken from a wider context than just the website, it’s still nice to have a summary on what to look out for from a website perspective. After all, your website/intranet/extranet is a key digital interface where a data exchange with individuals occurs. What follows are some key things to look out for and some ideas on good practices to follow:
Consider data protection on new projects
A good practice that is worth implementing when starting a new project, regardless of approach, is to have a dedicated initiative to look at data protection as part of the project. For Agile projects, this can be summed up through user stories and for more waterfall approaches, as part of a project specification.
Encryption of data in transit and at rest
Most websites now collect personal data through various types of forms e.g. a Contact Us form or Newsletter subscription. With most WCMS (Web Content Management Systems) this data can be passed on to an external system such as a CRM, via Email to someone’s inbox as well as being stored in a database provided by the CMS.
Once the regulation is in place we need to ensure sufficient care has been taken to protect this data. Simple measures like using https for all data collection forms will ensure that the data is encrypted in transit. If the data is stored in a central repository, e.g. XDB for Sitecore or a MSSQL database for Kentico, we need to make sure there is adequate protection.
Both Sitecore and Kentico provide facilities at various levels to encrypt data. With Sitecore when using Mongo DB with Mlabs, data can be encrypted at a database level either with Google or AWS cloud offerings, further any data held in a SQL database can be protected by further configuration of the core database. Note that consideration needs to be given to the wider scenario e.g. backups of the database.
Tools like Google Analytics don’t really collect personal data and have disclaimers in place for when this is done. However, solutions like Sitecore and Kentico tend to provide more advanced options where you can personalise the website and profile visitor.
By implementing website personalisation or profiling, you are in-effect mapping anonymous tracking data to individuals. As soon as a contact completes a form or opens and email, you are pairing their personal data with their website behaviour data.
Prove consent, particularly with email marketing
Most websites these days try to follow double opt-in for email related activities. This is a simple idea that once a user provides their details, they are then verified. Sitecore with EXM 3.4 and older versions of ECM have provided this mechanism and the same is true for Kentico. The reality in the real world is that this functionality may not have been configured for several reasons, now is a good time to get this in order.
Further external email tools may also be used for several reasons. External email marketing tools like DotMailer, Campaign Monitor and MailChimp will all provide a double opt-in mechanism.
It’s important to validate that existing data collection uses some form of verification. Even if automated double opt-in is not available you could utilise other mechanisms, for example, a pre-canned personal email asking the user if they accept a newsletter subscription. Clearly this may be a good cost effective approach if you have a small number of enquiries.
Consider how you will remove data or obfuscate it
Users will have a right to get their data removed from an organisation. It’s likely that this data will be in various areas within an organisation’s digital ecosystem. It makes sense to note where the data is being stored, particularly if you have a fragmented web presence with multiple web properties – it’s not uncommon to see an organisation with several email marketing platforms and a number of content managed websites all linked with other tools.
When conducting an audit of where personal data is held, it’s important to also document how this data can be removed or obfuscated. One thing to remember is that the law is about making sure you consider how this can be done and with your best endeavours. Keeping a user guide that’s regularly updated and reviewed would help with this.
Providing a self-service functionality through a preference service may also be an effective means to do this. Both Kentico and Sitecore have the ability to provide an account preferences area where users can manage their subscriptions and settings, but this would likely need further development. Another option would be to use Digital Marketing Platforms (DMP’s) that could be utilised to provide such a facility, particularly if the data is fragmented across many digital properties. CRM (Customer Relationship Management) vendors are also providing a range of solutions as back office processes are usually heavily intertwined with the CRM.
Clearly GDPR will have marketers worried as there are big implications for websites, content and email marketing. Whilst this may be the case, there is an opportunity to better centralise customer data and provide a better experience to users. A big part of being effective in meeting GDPR requirements will be to break organisation silos and get a better understanding of your customers’ footprint across the organisation.