Sitecore, GDPR, China's Cyber Security Law (CSL) & Data Protection Regulation (CDPR)

China has had strong data protection regulation for a while and it only seems to be getting tighter in 2019.  Increasingly, clients running Sitecore as their digital CXM platform require multi-regional deployments, and deploying solutions in the APAC region usually tends to pose a challenge.

A couple of years ago, it may have been easy enough to simply carve out some infrastructure local to China and direct all local language variant traffic to the instance. But this is no longer sufficient.

China seems to have taken a lot of articles from GDPR and continues to add to them and make privacy law even from stringent.

Sitecore has quite a few provisions OOTB for handling some of the GDPR articles and the other can be handled via either solution design, custom implementation or system architecture.

Here is are some of the ToDos related to CSL, CDPR as they relate to GDPR.

Compliance via solution design & custom implementation

CSL & GDPR: Implement consent and opt-in/opt-out preferences 

CSL & GDPR: Implement mechanism for accessing & editing and extracting PII data for right to rectification and right to data portability

CSL: Just in-time notification for opt-in for extended data processing activities

CSL: Opt-out of personalization and personalized advertisements

CSL: Clearly identify personalized experience design

CSL: Global privacy policies tailored and translated

CSL: Implement mechanism to withdraw consent

CSL: Testing 3rd party API security 

Compliance via system architecture & maintenance

CSL CDPR & GDPR: Sitecore provides OOTB mechanism for
  • Right of access
  • Right to erasure
  • Right to data portability
CSL, CDPR: Avoid cross-border data transfer violation with locally hosted data storage and processing and aggregation systems.

For Sitecore 9.1, I think it this means the following roles should be local to China (besides regional scaling of roles)

  • xConnect roles
  • xDB Collection DB
  • Reporting DBs
  • Forms DB
  • Web DB
  • Security DB
  • Shared and Private Session Storage
  • Cortex Processing DB
  • Universal Tracking DB
  • Cortex roles
  • xDB Index

CSL, CDPR: Supplementary or alternative system components and hosting for CRM, personal data, CDN, DAM, web analytics local to China

CSL, CDPR: Security assessment compliance and multi-level protection system based on the company’s information system grade

Also, highly recommend reading Sitecore's white paper on GDPR.


  1. This information is meaningful and magnificent which you have shared here about the GDPR. I am impressed by the details that you have shared in this post and It reveals how nicely you understand this subject. I would like to thanks for sharing this article here. Online Data Protection Officer

  2. Thank you for sharing this news. Cyber security measures must be taken by individuals, and companies to protect their data, devices, networks, systems etc. from potential security threats and cyber attacks. Glad to come across this, great blog. Cyber crime investigator India


Post a Comment

Popular posts from this blog

Is Rendered Item Valid XHtml Document Could not find schema information warnings during publish item Sitecore 7.2

RESOLVED: Solr Exceptions - Document contains at least one immense term in field

Sitecore Tabbed Select Rendering dialog