The EU’s General Data Protection Regulation has been in effect since May of this year. Leading up to its enforcement date, there was a lot of uncertainty as to how it would be implemented on websites. Our primary CMS vendor, Kentico, itself an EU company, had released a major software update providing tools to implement GDPR compliance. While these tools provide a framework for implementing various components of the law, such as consent, right to access, right to be forgotten and data portability, Kentico and other vendors have been careful not to prescribe any particular implementation of these tools. Instead, customers are advised to seek guidance from legal counsel, and then use these tools to implement those recommendations.
Like Kentico, the team at Wakefly has been careful not to pretend we’re lawyers. It reminds me of when the EU cookie law went into effect back in 2003. At first, vendors were skittish about making specific recommendations. But once most of the major sites and large companies had set an example, the cookie notification became a commonplace feature on websites that was taken for granted. Though we’re not quite there yet, I imagine GDPR, at least from a public marketing website impact perspective, will follow suit. As with cookie notifications, much of the legally relevant part of a GDPR website implementation is in the language used and the internal processes followed. We already have some examples we’re using for scoping out GDPR requests, and I thought it would be helpful to review them here.
At the simplest level, we’ve seen a number of clients react to the GDPR by quite belatedly implementing a cookie notification on their website. Kentico has long provided a framework for cookie permission based on several predefined levels. Another client using Sitecore implemented CIVIC’s Cookie Control library, which provides management of non-server cookies. While I question whether cookie permission alone is a GDPR security blanket, there does seem to be a cohort of companies that feel this is a reasonable and adequate response.
A middle tier of clients has gone a step further and added consent checkboxes to all their lead forms. GDPR consents are database records associating an individual’s consent to store their information for a defined set of purposes. Unlike the older cookie law, these consents must be persisted for later retrieval along with a date and time stamp. Kentico provides the framework for creating and storing consents with its forms, and most of the major WordPress form plugins have added similar functionality. If consent is one side of the coin, the other side is revoking consent and data portability. For these more complex requirements, this middle tier of clients has simply added a form on their sites where customers can make such requests. The law does not require companies to revoke or provide data in an automated way, so this method makes sense for companies that anticipate getting few enough of these requests that they can respond to them manually within the 30 days allowed by the law.
And finally, a much smaller set of clients – one to be exact – has had us go to the extent of automating data portability and removal upon request. This is where the application of GDPR becomes highly situational and broad generalizations don’t apply. While “remove all my data” sounds simple enough, there are reasons companies may have legal standing – even a requirement – to keep certain information, whether a customer wants it removed or not. For example, a company needs to maintain order information for tax purposes. And providing data to a customer requesting it assumes the identity of the requestor has been confirmed somehow. Nevertheless, Kentico’s GDPR tools did provide useful guidance and a coding framework to build these features. Unlike consents, these features require fairly deep custom development using the interfaces Kentico provides.
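As an added illustration (not Kentico’s code, and not from the original post), here is a minimal in-memory model of the three pieces described above: timestamped consent records that are revoked rather than deleted, a portability export, and an erasure routine that keeps recent order records for tax purposes by unlinking them from the person instead of deleting them. The seven-year retention window, the record layout and the sample data are assumptions; the real retention figure comes from counsel.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta
# Assumed retention period for order records; the real figure comes from counsel.
ORDER_RETENTION = timedelta(days=365 * 7)

@dataclass
class Consent:
    subject_id: str
    purposes: tuple                  # e.g. ("marketing", "analytics")
    granted_at: str                  # ISO-8601 timestamp stored with the consent
    revoked_at: "str | None" = None  # set, never deleted, when consent is withdrawn

class SubjectStore:
    # All timestamps are ISO-8601 strings such as "2018-07-01T00:00:00+00:00".
    def __init__(self):
        self.profiles = {}   # subject_id -> contact details collected by a lead form
        self.consents = []   # append-only ledger of Consent records
        self.orders = []     # dicts with subject_id, order_id, placed_at, total
    def record_consent(self, subject_id, purposes, now):
        self.consents.append(Consent(subject_id, tuple(purposes), now))
    def revoke_consent(self, subject_id, now):
        for c in self.consents:
            if c.subject_id == subject_id and c.revoked_at is None:
                c.revoked_at = now
    def active_purposes(self, subject_id):
        return {p for c in self.consents
                if c.subject_id == subject_id and c.revoked_at is None for p in c.purposes}
    def export(self, subject_id):
        # Data portability: everything held on the subject, in a machine-readable form.
        return json.dumps({
            "profile": self.profiles.get(subject_id),
            "consents": [asdict(c) for c in self.consents if c.subject_id == subject_id],
            "orders": [o for o in self.orders if o["subject_id"] == subject_id]}, sort_keys=True)
    def erase(self, subject_id, now):
        # Right to be forgotten, minus the order records the business must keep for tax.
        self.profiles.pop(subject_id, None)
        self.revoke_consent(subject_id, now)
        cutoff = datetime.fromisoformat(now) - ORDER_RETENTION
        kept = []
        for o in self.orders:
            if o["subject_id"] != subject_id:
                kept.append(o)
            elif datetime.fromisoformat(o["placed_at"]) > cutoff:
                kept.append({**o, "subject_id": "erased"})  # retain, but unlink from the person
            # orders older than the cutoff are dropped entirely
        self.orders = kept
```

Verifying the requester’s identity before calling `export` or `erase` is left to the surrounding application, as the post notes.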
As initial implementations become old hat and these laws start seeing their first court cases, I expect we’ll see new and different implementation patterns emerge. And if you’ve been sitting pretty with a US-only customer base, watch out. California just passed its own version of GDPR. We’ll keep you posted!