If you haven’t heard of the GDPR, stop reading this, go google it, or head over to the ICO’s website right now to read up on it. Then come right back here to learn more!

If you already know what the GDPR is and you have a Sitecore website, or you’re interested in using personalisation to improve online customer experiences and thinking of investing in a Sitecore website next year, then read on…

The GDPR requires organisations to protect the personal data and privacy of all EU citizens, whether that organisation is based in the EU or abroad. It applies to any information that can directly or indirectly allow identification of a person.

Many of the legal requirements of the GDPR are already present in the UK Data Protection Act 1998; however, there are a few clear differences with regard to contracts between data processors and data controllers, and to data controllers having to keep records of their compliance with the legislation.

And by the way, don’t think that Brexit will exempt UK organisations from adhering to the law. The UK Government has already stated that it will be bringing in a new Data Privacy Law after Brexit, which will contain the majority, if not all, of the GDPR.

Time to sit up and pay attention - we can help!

Implications for Marketing

Numerous tales of woe and scaremongering abound in the marketing press – mainly due to the size of the potential fines involved should you fall foul of the GDPR or be involved in a data breach – but the GDPR is a good thing, and it makes common sense.

GDPR will make you a better marketer!

You'll improve the way you build up databases and manage your data, you'll improve how you collect data and know why you’re doing it, you’ll only collect the data you really need, and you'll only market to people who actually want to hear from you. That’s got to be good, right?

Whilst your top-level KPI numbers might take a battering in the short-term, we’re willing to bet that your results will improve no end over time!

Collecting customer data for direct marketing

Under the GDPR, if you wish to market directly to an individual – by email, direct mail, phone, or text – you must gain their consent. This consent must be freely given, informed, and unambiguous. It must also be given via an affirmative action.

What this means in reality is that on any website page or touch point at which you collect customer data, best practice would be a positive opt-in (not a pre-ticked box), a sentence which states why you’re collecting the data and what you'll do with it, a link to your privacy policy, and granular options to allow a customer to choose the method by which they would like to hear from you – email, post, telephone, text.

B2B organisations may legitimately, under the Privacy and Electronic Communications Regulation (PECR), market to an individual within an organisation, if that individual is known to them through prior business dealings and the marketing in question is appropriate in terms of being something the company may be interested in. This may change in the future to come more in line with the GDPR and B2C marketing in terms of collecting prior consent – the EU is working on an updated PECR – but for now, it stands.

However, whether B2C or B2B, customers must always be given the option to change how they want to hear from you, and be able to opt-out from communication at any time.

Collecting customer data for other reasons

Under the GDPR, you can also collect data on a basis other than consent: for example, to fulfil or take steps to enter into a contract, or for compliance with a legal obligation. There are also special reasons, such as recording for medical or health purposes. These are called legal bases for processing. Organisations must keep records of their legal bases for processing, and must not collect more personal data than is necessary for what they intend to do with it.

The ICO has been clear in their recommendation that the legal basis for direct marketing should be consent. In instances where you collect personal data for another reason, but you also want to gain that person’s consent to direct marketing, then these elements should be kept separate.

Imagine for a moment that you have an ecommerce website which needs to collect a customer’s data to fulfil their order, but you also want to market to them in the future. This may mean that on the page where you collect personal data to send them the item they purchase, not only will you have a sentence explaining why you're collecting the customer’s data and what you will do with it (to fulfil their order), but also a sentence and options for them to opt in to hear from you in the future. These will need to be two separate elements on the form or page.

The GDPR means that, when collecting customer data, marketers will need to give more thought as to why they’re collecting the data, the absolute minimum amount of data they need, and where it will be stored. They'll also need to work with their IT department or agency partners to ensure that when and where the customer’s data was collected, and when and where consent to direct marketing was given, is clearly recorded and easily accessible.

The right to be forgotten

An individual has the right under the GDPR to not only request a copy of the data that an organisation holds on them, but also request that their data is deleted – “the right to be forgotten”.

In practice, this means that marketers need to enable their systems to ensure that this process is easy for either themselves or customers directly to carry out.

Personalisation and re-marketing

The use of cookies, geo-location, IP address, and device ID will be included in the GDPR – and therefore organisations must inform customers this data is being collected and visits tracked, and potentially gain their consent – especially where re-marketing, behavioural targeting, and personalisation are concerned. The use of cookies and the collection of data to be used for remarketing or personalisation purposes should be outlined in your privacy policy, as well as how you will use that information.


This precedent, and the fact that the GDPR covers the use of cookies, location, IP address, and device ID, potentially obliges marketers to inform visitors to their website that they could be subject to personalisation and remarketing, and to gather and record their consent – which we believe would be the safest thing to do to comply with the GDPR.

Whilst the GDPR may therefore have a big impact on the amount of behavioural retargeting and on-site personalisation we see, we believe it will improve things for customers. We think that many customers will welcome this initiative, and be happy to see relevant, targeted advertising related to items they have viewed on a website, rather than a generic brand advert and a ‘spray and pray’ approach.

Sitecore 9 and how it helps with GDPR

Sitecore 9 – the latest version of Sitecore – was released in October 2017. The good news is that GDPR was thought about during the development of Sitecore 9. And what’s more, our very own Codehouse website is already built on Sitecore 9 (and hosted on Microsoft Azure PaaS), so we know quite a lot about it already!

We've outlined some of the elements of Sitecore 9 that can help you comply with the GDPR.

Data collection and storage

In Sitecore XP 9, customers’ personal data is stored in the contact database, the xDB. Best news of all is that this data is encrypted, both in transit and at rest in the xDB.

The new Sitecore xConnect API allows the collection and exchange of customer data across channels and at scale. It enhances the potential for much deeper personalisation by enabling the xDB to interchange data with other third-party data sources which your organisation may use, such as CRM or ERP systems. Sitecore data from campaigns and from online and offline actions can be exchanged with a CRM so that both channels know exactly what the customer or prospect has been doing.

And, since you can concentrate marketing related data inside the xDB, this helps ensure that GDPR requirements such as complying with subject access requests (where a customer can ask for all the data you hold on them), or a request for the right to be forgotten (where a customer asks you to remove all the data you hold on them) can be met relatively easily.

The right to be forgotten

Rather than deleting a customer completely from your database, Sitecore 9 has a function that performs anonymisation of the contact whilst keeping referential integrity within the database. It deletes all personal identifiers of that particular contact from the database, but the anonymous data remains. This allows you to continue to report accurately, whilst complying with a customer’s request and adhering to the GDPR.

Easily allowing opt-outs

Sitecore 9 has a neat solution that removes a contact from all email lists using a “Do Not Market” marker, but does not remove the customer from receiving transactional or service emails.

Identifying Personally Identifiable Information

Sitecore’s xConnect collection model has attributes that allow for flagging Personally Identifiable Information (PII) contact facets. These facets are not indexed and therefore not searchable.
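As an added illustration of the three features above (PII flagging, the “Do Not Market” marker, and right-to-be-forgotten anonymisation), here is example C# against the Sitecore 9 xConnect client API. This is not Codehouse or Sitecore code; the LoyaltyCardFacet class is constructed for the example, the API names (PIISensitive, ConsentInformation, ExecuteRightToBeForgotten) are taken from the Sitecore 9 xConnect client as we understand it, and registering the custom facet in the xDB model and deploying it to xConnect is assumed to have been done separately.

```csharp
using System;
using Sitecore.XConnect;
using Sitecore.XConnect.Client;
using Sitecore.XConnect.Client.Configuration;
using Sitecore.XConnect.Schema;

// Constructed custom facet. CardNumber is flagged PII-sensitive, so xConnect keeps it
// out of the search index and removes it on anonymisation; PointsBalance is not PII
// and survives, so reporting on the anonymised contact stays accurate.
[FacetKey(DefaultFacetKey)]
public class LoyaltyCardFacet : Facet
{
    public const string DefaultFacetKey = "LoyaltyCard";

    [PIISensitive]
    public string CardNumber { get; set; }

    public int PointsBalance { get; set; }
}

public static class GdprContactOperations
{
    // Opt-out: set the "Do Not Market" marker on the contact's consent facet.
    // Transactional and service messages are not affected by this marker.
    public static void SetDoNotMarket(string source, string identifier)
    {
        using (XConnectClient client = SitecoreXConnectClientConfiguration.GetClient())
        {
            var reference = new IdentifiedContactReference(source, identifier);
            var contact = client.Get(reference, new ContactExpandOptions(ConsentInformation.DefaultFacetKey));
            if (contact == null) throw new InvalidOperationException("Contact not found");

            var consent = contact.GetFacet<ConsentInformation>(ConsentInformation.DefaultFacetKey)
                          ?? new ConsentInformation();
            consent.DoNotMarket = true;
            client.SetFacet(contact, ConsentInformation.DefaultFacetKey, consent);
            client.Submit();
        }
    }

    // Right to be forgotten: anonymise rather than delete. Identifiers and PII-flagged
    // facet values are removed; the contact record and its interactions remain linked.
    public static void ForgetContact(string source, string identifier)
    {
        using (XConnectClient client = SitecoreXConnectClientConfiguration.GetClient())
        {
            var contact = client.Get(new IdentifiedContactReference(source, identifier), new ContactExpandOptions());
            if (contact == null) throw new InvalidOperationException("Contact not found");

            client.ExecuteRightToBeForgotten(contact);
            client.Submit();
        }
    }
}
```

Record when and from where each request was received alongside these calls, since the GDPR also expects you to evidence that the opt-out or erasure was actioned.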

GDPR-compliance - we can help!

If you already have a Sitecore website and want to talk to us about upgrading to Sitecore 9, or you need help with systems integration or a new website to help comply with the GDPR, then get in touch with us today.


The information provided in this article does not constitute legal advice. Codehouse can help your organisation become compliant with GDPR through our knowledge of website and digital marketing best practice as well as our deep understanding of the Sitecore platform. You are however recommended to consult a lawyer when making decisions ensuring your organisation’s marketing is fully compliant with GDPR.