GDPR is Here — Is Your DXP Ready?
The EU’s General Data and Protection Regulation went into effect on May 25—it’s not too late to get up to speed now with these tips
If the words General Data Protection Regulation (GDPR) are new to you, we won’t sugarcoat it—you’re a little late to the party.
The GDPR is a comprehensive set of laws which were approved by the European Union Parliament in 2016. Focused on protecting the privacy and personal data of individuals residing in the EU, the new rules and regulations replace existing data privacy laws and offer consumers greater control over how their personal data is collected and used.
For the majority of organizations within the EU, this is probably not news. But for businesses based outside of Europe with customers that reside in any of the 28 EU member countries, GDPR compliance also affects them, and that may come as a surprise.
Gartner estimates that by the end of 2018, half of the organizations worldwide affected by GDPR will be non-compliant. Businesses that are found to be in violation of the new regulations risk steep fines and other significant penalties.
Even though the due date for compliance has already expired, it’s not too late to make some tweaks. GDPR has broad implications, but one area where concrete steps can be taken to mitigate risk is your company’s Digital Experience Platform (DXP).
By nature, a DXP combines data and content for a personalized experience, requiring both explicit or intentionally-provided data, as well as dynamic or transactional data. This means personal information that falls under GDPR regulations is often scattered throughout a DXP. While that might seem like a cause for concern, it’s actually a great place to start. Check out these simple steps to begin:
Get a handle on your data
It probably seems like a no-brainer, but the best way to begin preparing for GDPR is by understanding how and why your organization processes personal data. By performing a comprehensive audit of the data your organization collects and stores, you’ll be able to more effectively adopt new tools and processes that help support GDPR compliance.
Your DXP is likely collecting customers’ preferences, their location and other personal characteristics that are usually gathered to help provide a better digital experience. This also applies to other adjacent tools that are integrated with your platform — think analytics platforms, data and profile management tools and marketing automation services where personal data is likely being stored.
For those responsible for particular applications, it’s critical to create an inventory of all possible stores of personal data, classify and categorize that data and then identify new processes that will allow personal data to be processed within the confines of GDPR compliance.
Vet your vendors
Products claiming to be GDPR-compliant have begun flooding the market, however, the ultimate responsibility for compliance falls to the organizations using these products.
However, implementing new tools, from consent cookies to widgets that allow users to see how their data is being used, will play an important role in achieving GDPR compliance. In this new environment, the tools and technology used should be seen as just that—tools—not a stamp of approval. Instead, each new piece of technology you adopt should be heavily vetted, both to make sure it does what it promises, but also to make sure there is a solid understanding within your organization of where each process fits in the larger GDPR compliance picture.
Brands should follow a relatively intuitive process with regards to assessing potential new tools used for GDPR compliance. They should begin by fully understanding the product’s capabilities and how those capabilities fit the GDPR compliance puzzle. They should identify the gaps those capabilities leave uncovered, and finally, they should design and implement any needed functionality to cover those gaps.
Set policies and stick to them
By now, you hopefully have a good overview of the data within your DXP (and beyond) as well as a hype-free understanding of the tools you may want to implement. That’s great, but the only way to keep your organization GDPR-compliant moving forward is to set company-wide policies, educate your staff about them and continue to reinforce them.
A major challenge with GDPR compliance isn’t just at the organizational level, but at the individual employee level. Much like security protocols that can be upended by a single employee falling for a phishing attempt or a malware intrusion, a well-intentioned but ill-informed individual can also put your organization at risk by collecting or misusing the wrong type of personal data, including their own.
It’s for these reasons that employees must be well-versed in GDPR regulations as well as the policies your organization is implementing in order to remain compliant. In some organizations, these policies and their reinforcement will fall to a data protection officer. In smaller businesses, it may be the job of the security or IT director. Whoever owns the process, it must be viewed as an integral part of employee education and regular check-ups are critical.
Keep calm and GDPR on
As with other compliance regimes, becoming GDPR compliant and maintaining it moving forward will require new processes and a new approach to how your organization collects and uses customers’ personal data. Beginning with the steps above, you’ll be in good shape, but as always, every organization is unique and finding the right way to GDPR compliance will take a focused, nuanced approach. Good luck!
Do you still have questions about GDPR and the ways your organization can become compliant? Check out the links below or let us know in the comments section!
How to make your WordPress site GDPR compliant
Thanks for the article. I’ve also read: https://torquemag.io/2018/04/doc-pops-news-drop-how-to-make-your-wordpress-site-gdpr-compliant/ and https://torquemag.io/2016/10/storing-encrypted-data-wordpress-database/
GDPR requires private data to be encrypted. I’ve done that for or Gravity Forms data, however other private data is collected by WP registration, 3rd party plugins and subscriptions. While the article in Torque Mag above discusses encryption of the WP Database there are comments opposing that view.
1- What data should be encrypted?
2- What is the best way to encrypt data that doesn’t belong to the Gravity Forms data set?