GDPR checklist for digital experience management platforms in 2019
Originally appeared in ClickZ
We are in an age of privacy regulation and enhanced consumer awareness of privacy protection. The General Data Protection Regulation (GDPR) is approaching its first birthday and more and more jurisdictions are bringing their own regulations to the market. For example, the California Consumer Privacy Act (CCPA) comes into effect on January 1st, 2020. Marketers need to deliver trustworthy personal information experiences as part of their customer experience design, including personal data protection at all layers of the tech stack.
With the increasing number of digital channels, marketers engage their audiences on websites, email, customer portals, mobile apps, IoT devices, voice assistants and more, an already challenging task becomes even more complex. As most of these channels are managed independently, it’s crucial to develop systems that ensure compliance, end-to-end security and automated digital governance across as a foundational element of your marketing stack. An enterprise-grade digital experience platform is the natural solution to the problem as it centrally manages content and experience.
So, what should brands look for when choosing such a solution? The following six-point checklist should help brands identify a digital experience management platform that will help them achieve their marketing goals in the age of privacy and compliance.
GDPR-compliance checklist for digital experience management platforms
1. Advanced data encryption
The GDPR and CCPA require the appropriate technical measures to process data securely. In article 32, the GDPR explicitly cites encryption as a viable example. It makes sense, therefore, to choose a tech platform that encrypts all data while in transit and also offers the option to encrypt data at rest. Data storage should be wiped both before it is provisioned for use and after it is released, ideally to US DoD 5220.22-M or NIST 800-88 standards.
2. Tailored access restrictions
To minimize the risk of data leaks or breaches, organizations need the ability to restrict access to data assets, only allowing individuals the access needed to do their job. Ideally, they should look for a digital experience management platform with both inheritance and group-based access control lists (ACLs), to partition and regulate the functions that different groups can perform. This means individuals need access to both the asset and the function to undertake any action, restricting when, how and by whom data is manipulated. Platforms can also include the functionality to grant permissions based on workflows, with approval streams tailored to align with the organization’s governance policies and every data asset subject to a defined workflow.
3. Integrated consent tools
Unless they have another legal basis for their data practices, regulations such as the GDPR and CCPA may require organizations to gain explicit user consent to data collection and processing (sometimes called “selling” in the CCPA). To ensure they meet these requirements brands can look for a platform with integrated tools to automate the consent process.
To make the consent process simple and transparent, a consent management tool should combine standard request templates with customizable options to meet the unique messaging needs of each brand. Persistent consent notices should notify users of all data collection, both first and third-party, and should provide them with the ability to opt in or out of specific activities.
The consent tool should use automated technology to identify third-party vendors that have access to a site’s visitor data and ensure they are correctly listed. It should work across all environments including apps as well as web browsers and should be able to apply a user’s data preferences seamlessly across all channels. Ideally, consent notices should adapt to country-specific laws, regulations, and local languages, based on the user’s location.
4. Quick and easy integration
When selecting a digital experience management platform, marketers should look for a solution that integrates quickly and seamlessly with their existing systems and applications via defined APIs. The solution may have pre-built integrations with marketing, customer relationship management, e-commerce, social media, analytics, data management, and content localization platforms, but it should also be able to integrate with in-house systems with minimal coding.
Interoperable platforms allow new solutions to be added to the stack as and when they emerge and obsolete solutions to be removed without disrupting operations. There are some single, heavyweight all-in-one solution suites available, but these are complex to implement and require marketers to either get rid of legacy tools and applications or rewrite them so they are compatible with the underlying solution’s language.
5. Easily updated SaaS solutions
The key to any technology solution is keeping current and having the latest features at your disposal. Software as a Service (SaaS) platforms are regularly updated by the vendor, and all marketers need do to ensure they are on the latest version is to log in. Automatic product releases give marketers immediate access to new features, enhancements, and patches.
There are two benefits to SaaS from a data security point of view. The first benefit is that the solution is flexible enough to accommodate new tools and technologies in line with the continually evolving regulatory landscape. When new data laws come into play the vendor can update their system accordingly ensuring seamless compliance for the brand.
The second benefit of SaaS is that a brand has all the security patches released for known vulnerabilities because they are always using the latest version of the software. Although many vendors say their platforms are available in the cloud, these platforms are often just on-premises software migrated into a cloud vendor’s virtual server, rather than true SaaS. This means users don’t get automatic updates and patches, leaving them vulnerable to cyber threats.
6. Standards for security and compliance
When looking for a Digital Experience Management platform that will help them thrive in the era of GDPR and CCPA, marketers should look for solutions using processes that meet the highest industry standards for security and regulatory compliance. Some example certifications to look out for when choosing a platform include AICPA SOC 2 Type 2, ISAE 3402, FISMA, TRUSTe Certified Privacy, Swiss-U.S. Privacy Shield, and EU-U.S. Privacy Shield.
Choosing the right digital experience management platform
Ensuring data security and regulatory compliance in an increasingly fragmented digital landscape is a daunting task, but the right digital experience management platform can simplify the mission, centralizing control in a single hub. By choosing a flexible and interoperable SaaS system with data encryption, tailored access restrictions, and integrated consent tools, marketers can ensure they are compliant with the GDPR and any other regulations that may be on their way.