10 Considerations for GDPR - Part 1

With the implementation of the EU General Data Protection Regulation (GDPR) rapidly approaching, we at Episerver are happy to share some information on how our company is going through transformational changes to not just enable all of our Digital Experience Cloud customers to be best situated to get to GDPR compliance, but also be a leader in the Digital Marketing, Commerce, Personalization, and Campaign field on all things GDPR.

We have benefited from marrying our years of extensive experience and knowledge of cloud infrastructures with our already deep commitment to data protection, security and compliance. Through our internal policies, practices and track record (our march towards ISO 27001 compliance, our submission for Privacy Shield certification, over a decade of complying with German data privacy and protection laws, and our building of our Trust Center, including our industry-leading data processing agreements and processes), Episerver takes the GDPR pillar of data protection and privacy by design as a core principle moving forward.


In the coming weeks and months, you’ll see from us white papers, presentations, and other materials discussing various points of GDPR, how Episerver is itself moving to GDPR compliance, and how our customers and partners can use the Digital Experience Cloud to quickly meet their own GDPR compliance requirements, while maintaining all of the functionality and business requirements that drive their ability to become digital leaders.


As a taste of what is to come from Episerver, we want to share some of our thoughts on ten high-level considerations Episerver customers and partners should already have started thinking about as they move towards GDPR.

1. Understand your organization's governance, then drive organization-wide support


Get Executive Stakeholders - If your highest executive level sets privacy as a key priority, it sets the tone for privacy and compliance. Implement a privacy strategy or make a privacy mission statement. Involvement and support from executives will promote and push forward the compliance process, encouraging involvement and education of resources and assignment of tasks. Maintaining privacy and protection policies will dictate each organisation’s involvement in day-to-day operations.


We at Episerver have a Certification, Compliance, Security and Data Protection and Privacy Governance Board in which the executive team and other key stakeholders participate and which holds regular meetings.


Get Key Individuals in Place – once you get executive sponsorship, make sure you have a team of key individuals who will drive the day-to-day execution of your data protection and privacy policies and governance. It is optimal to have each organisation’s participation. Another key member of a company’s governance structure is the mandated Data Protection Officer (DPO). This is a key role under the GDPR, and unless it is obvious that your organisation does not need to appoint one, an organisation should document the reason for its decision.

At Episerver, we have both an Information Security and Data Protection Steering Committee, taking direction from the Governance Board, and an appointed Episerver Group-wide DPO, as well as DPOs in various subsidiaries.


2. Understand your data and processing

One of the first tasks a company should undertake is a data mapping exercise in order to understand how data flows through your company. This includes the following key questions:


•    What type of data is collected? Is it personal data?
•    Who is collecting or using that data?
•    Where is that data being collected, used, stored, and transmitted?
•    When is it being collected, used, stored, and transmitted?
•    How is it collected, used, stored, and transmitted?
•    Why is it being collected, used, stored, and transmitted?

If you know the answers to these questions, and map them out, you will understand the company’s involvement in the collection, storage, use and transfer of data. This will enable your company to track the movement of data, ensure that the data is correctly classified, keep a thorough and ongoing record of processing, and notify the relevant authority when required. Understanding this will also enable assessment of the legal basis for processing and ensure that the most appropriate processing ground is being used for each instance.

Some companies have invested in NIST's framework, ISO 27001, ISO 27018 or SOC 2. If these frameworks have been implemented, the resulting work will advance your GDPR journey considerably. At Episerver, as we have marched towards our own ISO certification and implemented policies and practices based on NIST standards, we have and will continue to leverage our work there to accelerate our own GDPR journey.



3. Data privacy and protection are part of day-to-day operations


Under GDPR, companies have a new legal accountability obligation. As either data controllers or processors, companies need to demonstrate that such data control and/or processing occurs as the GDPR intends, which requires decisions and processing activities to be documented.


Data Protection and Privacy by Design - A key component of the GDPR is data protection and privacy by design, which means that data protection and privacy should be at the forefront of the solutions, implementations and technologies the company is creating or implementing. This is another reason why it is important to have specific policies in place. Designers, architects, and developers should be assessing the data protection and privacy impact at the point of conception, creation or implementation, not on completion. Under GDPR, your company will need to document and justify why a privacy impact assessment (PIA) was OR was not carried out.


Protection, Privacy and Legal Considerations – Companies that have a clear and coherent process in place will benefit from the ability to assess, address, and react to privacy concerns early on. Your privacy and legal organizations need a seat at the table when innovation or development decisions are taken, and with your operations group when an issue occurs, as discussed later.


Accountability in other Departments/Organizations - Companies need to review all policies and procedures to ensure they instil privacy requirements and, where needed, are updated to be compliant. This means aligning all policies, including information and contract retention policies, marketing policies, tracking/cookie/analytics policies, consent policies, employee privacy policies, advertising practices, device policies, social media policies, and hosting/operations policies.


As mentioned earlier, data protection and privacy by design is a core pillar of Episerver software development and managed services. We are reviewing and implementing new policies each week, having gap analyses done in each functional organization to ensure not just GDPR compliance, but also our drive towards being industry leaders in information security, privacy and protection.


4. Keep informed, keep learning and share with others


Clearly, it is not just your DPO, governance board or compliance committees that need to be informed and continuously learning. Companies benefit from creating iterative task-specific training, legal and commercial updates and general privacy awareness. Companies in fact need evidence of this to show compliance with the educational/training aspect of GDPR, showing that resources and employees have a competent awareness of the privacy laws applicable to their duties.


One of the obligations your DPO has is “awareness raising and training of staff involved in processing operations". Other certifications and regulations, such as Privacy Shield, include obligations to train. Logically, you cannot teach everybody the law or all of GDPR, so condense the GDPR principles for each organization, along with its duties as a data controller and/or processor.


Episerver, through its DPO and Governance Board, drives ongoing training, educational series and discussions around security, data protection, and privacy on an annual cadence.


Meetings are also held with each functional group within Episerver based on GDPR, ISO and other regulatory/certification requirements, specific to that group.


5. Prepare for information security risks and events


To prepare for and mitigate information security risks and events, all organizations within a company should have an information security policy that is updated regularly. You should ensure that you have clear steps and policies in place to protect personal data and prevent its loss. Encryption, pseudonymization, a data-loss prevention strategy and restrictive access policies are a must. This is another instance where ISO certification greatly helps. At a minimum, companies should align with a recognised security standard.


Through the ISO certifications that Episerver companies already hold, and the ISO certifications that all Episerver companies are currently seeking, policies and procedures have been put into place and practice around these types of risk mitigation steps and policies.

Want to read more? Go to part 2 of the GDPR blog