Achieve Data Privacy Compliance with Sitecore (GDPR, CCPA, CDPR)

It started in April 2016 with EU's General Data Privacy Regulation (GDPR), then came China's Cybersecurity Law (CSL) in Nov 2016, also known as China Internet Security Law, then add China's Data Protection Regulation (CDPR) to that and now California's Consumer Production Law (CCPA) went into effect in January 2020.

security


With ever increasing data privacy regulations across the globe going into effect, we are seeing an increase in demand for compliance from large and small, private and public enterprises alike. Although achieving full data privacy compliance for each of the regulations may be a tall order, there is a silver lining here. All of the data privacy regulations seem to have evolved from GDPR and hence you see a lot of similarities across them The means that there is a common denominator to achieving some level of compliance across all the regulations and that is what I will attempt to cover in this post.

If you deployed a leading Digital Experience Platform (DXP) like Sitecore to deliver omni-channel experiences, you may also be collecting incredible amount of personal data in order to deliver contextual experiences for each of your visitor personas. Hence, data privacy compliance becomes increasingly important. The good thing with Sitecore is that the platform is data privacy compliance "ready" and continues to improve it's data privacy compliance features.

Here is a glossary of data privacy terms from Sitecore to get your started on your patch to achieving compliance:

Data Subject

  • Customer
  • Contact
  • User

Personal Data

  • Cookies
  • IP Address
  • Contact interaction history
  • Contact facets
  • Contact identifiers
  • User profile data
  • Customer profile
  • Customer order history

Processing

  • Tracking
  • Collection
  • Contact processing
  • Interaction aggregation
  • Personalization
  • Automation processing
  • Email marketing

Here are 5 steps to achieving compliance:

  1. Familiarize yourself with the flow of personal data throughout the platform, and how each role handles personal data.
  2. Perform an audit of all customization that augment the contact, user, or customer entity. E.g. custom contact facets, custom membership profile properties, forms data.
  3. Consider whether you need to request consent to store and process personal data and plan to persist consent choices ,for example as a contact facet.
  4. Limit the exposure of personal data throughout the platform - for example, you can choose not to write personal data to logs.
  5. Review synchronization of data between your Sitecore implementation and third party applications, and ensure that this is included in the privacy policy.
Here is how Sitecore helps rectify compliance for individual's data rights:

Subject’s Rights
Rectification
Right to be forgotten
Right of access by data subject
Right to data portability
Right to rectification
Right to restriction of processing
 - Use xConnect Client API to access and update Contact’s data.
 - Security API to edit user’s profile data.
 - Commerce API for customer data.

Consent and right to object
Right to be informed
Opt-in/out
 - EXM supports double opt-in, unsubscribing.
 - Sitecore Forms
 - Implement UI for allow users to update consent choices & revoke consent

Storing Consent
 - ConsentInformation facet for storing opt-in
 - ConsentRevoked, DoNotMarket facets
Right to opt-out of processing & automated decision making
 - Personalization
 - Automation plans
 - Segmentation via List Manager
 - Content Testing
 - Sitecore Cortex Processing Engine


Here are some examples of achieving compliance through custom Sitecore development:
E.g. of Right To be Forgotten rectification

  • Ensure personal data in custom contact facets is marked [PIISensitive].
  • xConnect Client API to erase data marked [PIISensitive] by calling the ExecuteRightToBeForgotten().
  • ClearSupressionListWhenExecutingRightToBeForgotten handler automatically clears the contact’s past and current email addresses from the suppression list.
  • ExcuteRightToBeForgotten() (does not delete the entire contact record).
  • Store values for ConsentInformation, ConsentRevoked, DoNotMarket facets.
  • Use Security API and Commerce APIs for erasing personal data.
  • EXM supports double opt-in, unsubscribing

Here are examples of achieving compliance via custom UI:

  • Form for requesting deletion of personal data for Customer, Contact, User
  • Form to access, update & export Customer, Contact, User data
  • Ability to access form submission data
  • Ability to allow to update consent choices & revoke consent (opt-in/out)
  • Ability to allow opt-in/out of processing
  • Ability to export Contact data

Here is the full Sitecore's developer documentation for GDPR compliance.


You might also be interested a post I wrote a while back on GDPR, CDPR, CSL


Comments

  1. ellisaJuly 14, 2021 at 3:44 AM

    GDPR training is important so that they do not make one silly mistake that snowballs into a hefty fine not only this but you also must have a cookie consent banner on your website.

    ReplyDelete

Post a Comment

Popular posts from this blog

Is Rendered Item Valid XHtml Document Could not find schema information warnings during publish item Sitecore 7.2

Image
Note: Since we now live in the HTML5 world, the simple resolution to any XHtml validation errors is to remove the XHtml validation rules on  System->Settings->Validation Rules->Global Rules item. Sitecore should update it's validation rules to be relevant to HTML5. This make the rest of this post obsolete :). I created a simple approval workflow in Sitecore 7.5 and tried to approve an item for publishing and found a bunch of validation errors in the Validation Results. Most of them were related to the "Is Rendered Item Valid XHtml Document" section which looked like this: The problems were related to violations of the W3C HTML5 recommendation An important note here is: The element containing the character encoding declaration must be serialized completely within the first 1024 bytes of the document. Adding the following xmlns attribute to the Html tag fixed most of the errors: <html lang="en" xmlns="http://www.w3.org/1999/
Read more

Sitecore Tabbed Select Rendering dialog

Image
If you aren't already doing this, you should be! Found an interesting module (unable to find it on Sitecore Marketplace) to show renderings grouped into tabs while using the Select Rendering dialog from page editor. The idea is to go from this: To: The approach is promising with a few updates: Tried implementing it by inheriting from SelectRenderingForm and it did not work. No rendering items were being listed. Had to decompile Sitecore.Client.dll and copy the code from Sitecore.Shell.Applications.Dialogs.SelectRendering.SelectRenderingForm Had to comment the following line in OnLoad  this.Renderings.InnerHtml = this.RenderPreviews((IEnumerable<Item>)renderingOptions.Items); Found a few issues with the styles, could have be an updated style sheet for Sitecore 7.5, but had to add the following attributes to the tabstrip Background="white" Padding="0px" style="position:absolute; width:100%;top:0px" Here is a detailed description of my implementati
Read more

RESOLVED: Solr Exceptions - Document contains at least one immense term in field

If you implemented Solr with Sitecore using Solr 5.x, you may run into the following error when indexing extremely large content in string fields: org.apache.solr.common.SolrException: Exception writing document id <xxxuniqueid> to the index; possible analysis error. Caused by: java.lang.IllegalArgumentException: Document contains at least one immense term in field="<xxxfieldname>" (whose UTF8 encoding is longer than the max length 32766), all of which were skipped. Please correct the analyzer to not produce such terms. The prefix of the first immense term is: '[10, 9, 9, 10, 32, 32, 32, 32, 32, 32, 82, 84, 82, 83, 32, 70, 97, 99, 105, 108, 105, 116, 121, 32, 10, 32, 32, 32, 32, 84]...', original message: bytes can be at most 32766 in length; got <intgreaterthan32766> Caused by: org.apache.lucene.util.BytesRefHash$MaxBytesLengthExceededException: bytes can be at most 32766 in length; got <intgreaterthan32766> This is due to the fa
Read more