10 Considerations for GDPR - Part 2

Part 2 of how Episerver is going through transformational changes to not just enable all of our Digital Experience Cloud customers to be best situated to get to GDPR compliance, but also be a leader in the Digital Marketing, Commerce, Personalization, and Campaign field on all things GDPR.

In the last post I've covered five key considerations:

  1. Understand your organization's governance, then drive organization wide support
  2. Understand your data and processing
  3. Data privacy and protection are part of day-to-day operations
  4. Keep informed, learning and share with others
  5. Prepare for information security risks and events

We'll continue to discuss the remaining key considerations for GDPR compliance.

6. Vendors, third parties, and others you should be talking to


GDPR obligations are not just relegated internally.  Companies should ensure that data protection and privacy requirements are reflected in all contracts with third parties and that due diligence is always carried out. Be prepared to ensure the company has a policy or procedure in place to address non-compliance with regards to data protection and privacy. Regular reviews and updates of third party contracts should be carried out to ensure they reflect compliance with current privacy laws.  Its proportional of course, for example demands on your payment provider should be different from your facilities management vendor.


Episerver ensure that all applicable vendors sign an agreement that ensures data protection and privacy regulatory compliance, through such mechanisms as a data processing agreement.

___________________________________________

7. Understand what notice and consent is, and make sure you get it


Companies must ensure that current communications and interactions with individuals ensure that at all points where data is collected, individuals are provided with appropriate notice and information as to the use of their information, including whether tracking and/or automated processing is used.  In most cases under GDPR consent is required, so companies must also assess how that is obtained and evidenced. You should check that individuals can easily opt in and out, subscribe or unsubscribe to any emails or notifications, and ensure such mechanisms actually works.  This is one of the biggest thing data regulatory authorities will be looking for and paying attention to.


Episerver ensure that its own interactions follow strict policies on consent and opt-in/out procedures, and continuously reviews the effectiveness.  Further, Episerver will publish best-practices in the future for customers/partners, to help their own compliance on such.

 

8. Understand what an individual’s rights are, and adhere to them


Under GDPR, individuals (known as data subjects) have many rights which they are permitted to execute at any time during their relationship with your company. To prepare for this, you should understand what requests you could receive at your organisation and ensure there is a mechanism in place for dealing with such requests. They must be aware of their rights, easily request information from the company, and be able to request tasks such as “the right to be forgotten”. FAQs, site instructions and dedicated communications (e.g. email) are useful to ensure individuals have the correct contact and how they can quickly assist with requests. Usually companies found in breach of data protection and privacy regulations are based on rights and protecting the rights of individuals – thus data subjects should always be forefront in any company decision making on communications and data subject interaction.

As you can see through our Privacy Policy, Episerver has clear instructions and methods for complying with data subject requests, as well as a clear model of gaining consent, and removing information if need be.

 

9. What happens when things go wrong? Plan on it


A management and operational plan, including a task force to be enacted, when a breach occurs is key.  Having policies and procedures such as a notification system in place which works effectively, will benefit the company by ensuring that they stick to the time frames of reporting and resolution.  Having a clear record of the steps taken by your company will also assist regulators and government authorities in helping you resolve the issue. Companies should keep a log of all breaches (or suspected breaches) and the investigation taken in each instance. Data privacy authorities will require this, and companies will benefit from these processes when conducting investigations into the cause of the breach, preventing a reoccurrence and provide an assessment of how the breach and recovery plan worked in practice.


Episerver’s SIRT (Security Incident Response Team) has been trained and is ready to handle possible incidents that may occur.  Further Episerver has put together policies and procedures company-wide, to assist the SIRT with the highest priority when assistance is requested.

 

10. An On-going commitment means on-going assessments


Above the penalties (which are significant) and guidelines that GDPR requires, at the heart of the regulation is corporate accountability.  This is not a “one-and-done” exercise.  GDPR compliances requires continuously review and update, and inheriting the pillars as corporate culture on an ongoing basis.  Sadly, companies are never going to be “fully GDPR compliant” – it is an ongoing, living and adapting process which expects companies to constantly review, update and monitor the way data is handled.

Continuous testing and self-assessment of data protection and privacy policies are key to ensuring that the procedures will actually work, everything from a data subject access request procedure to an incident management plan.  Keeping these up to date not just maintains your GDPR compliance, but ultimately gives the individuals that your company interacts with a better, more secure experience.

 

Conclusion


As a final thought, GDPR compliance is a requirement which extends beyond assigning a privacy or compliance team, it requires the involvement and co-operation of the organisation to take compliance with the GDPR from theory to practice.

Even those who have started with pushing through one of the first major tasks, data mapping, are starting to realise: it's one thing to have a core privacy team on top of GDPR, but a mammoth task operationalising the GDPR throughout an entire organisation. We at Episerver are here to help, show how Digital Experience Cloud is a key enabler of your GDPR journey, and are looking forward to going down the path together.  Remember:

  • IDENTIFY where your company currently is, data flows and what policies are already in place
  • REVIEW those existing policies, notices, processing grounds
  • ASSESS against GDPR compliance
  • UPDATE policies, plans, procedures, training, awareness to meet that compliance
  • TEST those policies through on-going audits and self assessments