6 steps to manage GDPR for digital experiences
From privacy policies to content management, here’s everything you need to know about GDPR and digital experiences.
Written by Morten Eriksen on
In this blog post, we’re explaining it all. From privacy policies and digital projects to content management, here’s everything you need to know about GDPR and digital experiences.
More personal data is collected and processed now than ever before. To protect individuals from having their personal data used improperly, the EU's General Data Protection Regulation has applied since 25 May 2018, backed by fines for organizations that fail to comply.
Known as GDPR, the regulation aims to reduce the frequency and impact of personal data breaches and to curb the mishandling of personal data online.
GDPR is made up of many articles, but its main objective is to give people power over their own data, including:
So, how should you manage all of these GDPR articles for your digital experiences? There are a few steps you can take to ensure your digital experience is GDPR-compliant:
Ensure your data is processed correctly by being clear about who the data controller is, i.e. the organization (or person) that decides why and how personal data is processed and is accountable for it. The controller, typically through an appointed data protection officer or a named privacy contact, is also the point of contact for anyone who wants to see, correct, or delete the data the company holds about them.
Pro tip: Use a service like iubenda to simplify the process of making sure your apps and sites are compliant.
Using HTTPS everywhere is a good start, but to make sure your digital experience is really secure, test it against established application-security guidance such as the OWASP Top 10 or the OWASP Application Security Verification Standard (ASVS), or a comparable standard. And don't forget about your CMS. Not only should you ensure the CMS hosting is GDPR compliant (including where the data physically resides), but you also need a system in place to actively manage privacy: who can see personal data in the CMS, how long it is retained, and how it is deleted.
You'll need to think about your data processors too. GDPR requires a written data processing agreement with every vendor that handles personal data on your behalf (hosting providers, analytics services, e-mail tools), and you must keep a record of your processing activities so that you can report on what data is processed, why, and by whom.
Your organization needs to be in complete control of where it stores data. That's because under GDPR, customers have the right to view, correct, export, and delete the personal data they've shared with you, and to do so within a set deadline. To make this possible, you need an inventory of every place personal data lives (CMS, analytics, CRM, backups, logs), the infrastructure to give customers access to their data, and a process that keeps the data controller in the loop on every request.
When a cookie can identify an individual person, directly or via their device, its contents are personal data. Most cookies used for analytics, advertising and personalization work that way and are therefore subject to GDPR, in addition to the ePrivacy Directive (the "Cookie Law").
Non-essential cookies must not be set until the visitor has had a chance to act: show the notice first, and start tracking only afterwards. Note that the older "soft opt-in" approach, where a fair notice is shown and continuing to browse is treated as consent, no longer passes. The CJEU's Planet49 judgment (2019) and the EDPB's guidelines on consent (2020) make clear that consent must be a clear affirmative action; scrolling, closing the banner, or simply continuing to browse does not qualify, and neither do pre-ticked boxes. Wait for an explicit "Accept" before writing analytics or marketing cookies, treat an ignored or dismissed banner as "no consent", and make declining as easy as accepting. Strictly necessary cookies (a session cookie, a CSRF token, the cookie that records the consent choice itself) may still be set without consent.
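As an added example, not code from the original post or from Enonic, here is a minimal consent gate that embodies the rule above: only an explicit click on "Accept" unlocks non-essential cookies, while scrolling, page views or dismissing the banner leave the visitor in the "no consent" state. The cookie name `cookie_consent`, the version number and the category names are assumptions made for this example. It runs in Node without a browser by passing the cookie header string in explicitly; in a page you would read `document.cookie` instead.

```javascript
// Added example (not from the original post): a consent gate for non-essential cookies.
// Assumptions: the preference is stored in a cookie named "cookie_consent" (hypothetical),
// and cookies are grouped into the categories "essential", "analytics" and "marketing".

const CONSENT_COOKIE = "cookie_consent";  // assumed name of the preference cookie
const CONSENT_VERSION = 2;                // bump when the cookie policy changes so consent is re-asked
const CONSENT_MAX_AGE = 180 * 24 * 3600;  // re-ask after roughly six months

// Parse a "name=value; name2=value2" cookie header into a plain object.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of String(cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    const rawValue = part.slice(eq + 1).trim();
    try {
      jar[name] = decodeURIComponent(rawValue);
    } catch (e) {
      jar[name] = rawValue; // malformed percent-encoding: keep as-is, it will fail JSON parsing below
    }
  }
  return jar;
}

// Read the stored choice. Anything other than a well-formed "granted"/"denied" record for the
// current policy version (missing cookie, old version, garbage) is treated as "unknown".
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  const unknown = { status: "unknown", version: null };
  if (!raw) return unknown;
  try {
    const parsed = JSON.parse(raw);
    if (parsed.version !== CONSENT_VERSION) return unknown;
    if (parsed.status === "granted" || parsed.status === "denied") {
      return { status: parsed.status, version: parsed.version };
    }
  } catch (e) {
    // not JSON: fall through
  }
  return unknown;
}

// Which cookie categories may be written given the visitor's current cookie jar.
// Strictly necessary cookies never need consent; everything else waits for an explicit grant.
function allowedCategories(cookieString) {
  const granted = readConsent(cookieString).status === "granted";
  return { essential: true, analytics: granted, marketing: granted };
}

// Turn a user interaction into a consent decision. Only a click on "Accept" or "Reject" is an
// affirmative action; scrolling, page views and dismissing the banner change nothing.
// Returns the Set-Cookie header value to emit, or null when nothing should be stored.
function handleInteraction(event) {
  let status;
  if (event === "accept_click") status = "granted";
  else if (event === "reject_click") status = "denied";
  else return null; // "scroll", "page_view", "banner_dismiss", ...
  const value = encodeURIComponent(JSON.stringify({ status, version: CONSENT_VERSION }));
  // The consent cookie records a preference and is strictly necessary, so it is set without consent.
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${CONSENT_MAX_AGE}; SameSite=Lax; Secure`;
}

// Gate a would-be cookie: returns the Set-Cookie value when its category is allowed, otherwise
// null so the caller drops it (and, for analytics/marketing, does not load the tracking script).
function gateCookie(cookieString, category, setCookieValue) {
  const allowed = allowedCategories(cookieString);
  return allowed[category] ? setCookieValue : null;
}

// Sample cookie jars, constructed for this example.
const JAR_FRESH = "JSESSIONID=abc123";
const JAR_GRANTED = `JSESSIONID=abc123; ${CONSENT_COOKIE}=${encodeURIComponent(
  JSON.stringify({ status: "granted", version: CONSENT_VERSION }))}`;
const JAR_OLD_VERSION = `${CONSENT_COOKIE}=${encodeURIComponent(
  JSON.stringify({ status: "granted", version: 1 }))}`;

// Walk through a visit: no tracking before the click, tracking after an explicit accept.
function demo() {
  const before = gateCookie(JAR_FRESH, "analytics", "_ga=GA1.2.1; Path=/");
  const ignored = handleInteraction("scroll");
  const setCookie = handleInteraction("accept_click");
  const jarAfter = `${JAR_FRESH}; ${setCookie.split(";")[0]}`;
  const after = gateCookie(jarAfter, "analytics", "_ga=GA1.2.1; Path=/");
  return { before, ignored, after };
}
```

Two design points worth keeping: the version number in the consent record means a change to the cookie policy automatically invalidates old consent instead of silently extending it, and the gate is evaluated server-side from the request's cookie header as well as in the browser, so a tracking script that bypasses the banner cannot rely on a cookie it never received.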
Focus on all of the above, and your digital experience should be GDPR compliant. But there’s always room to go further. For extra security, consider:
GDPR boils down to one thing: control. The regulation gives customers control over the type of data they share, where it's stored, and for how long. And importantly, it gives them the right to be forgotten.
As long as your digital experience infrastructure allows for all of this, you and your digital experience are well on your way to being GDPR compliant.
First published 19 September 2018, updated 5 August 2022.
Morten is the CEO and co-founder of Enonic. He has extensive experience as an entrepreneur focusing on areas like business development, product management, sales, and marketing. He started a digital agency in 1995 and built his first CMS in 1997, then founded Enonic in 2000 where his mission is to accelerate digital projects using innovative technology.