The EU, GDPR and Umbraco CMS
Tuesday, July 26, 2016
With data breaches happening on an almost weekly basis, the EU Parliament has taken the lead by approving the General Data Protection Regulation (GDPR), which goes into effect May 25, 2018. The fines for non-compliance are serious and are sure to get every corporation's attention. So it only makes sense that Umbraco CMS version 7.9 and Umbraco Forms 7.0 add GDPR-friendly enhancements.
The basis of the GDPR is to protect individuals in the EU by strengthening data privacy law. Among other things, it requires that requests for consent be written in plain language and that withdrawing consent (opting out) be as easy as giving it (opting in). A few more of the new requirements that stand out:
- Breach notification to the supervisory authority is now mandatory within 72 hours of becoming aware of the breach.
- Data subject has the right to know if their data is being used, where it's being used and for what purpose.
- It provides the right to be forgotten (the right to erasure). This entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
The GDPR applies to organizations established in the EU as well as to any organization anywhere that processes the personal data of people in the EU (for example, by offering them goods or services or by monitoring their behavior). Fines run up to 2% of annual worldwide turnover (or €10 million) for lesser infringements and up to 4% (or €20 million) for the most serious ones, whichever is higher. (It's best to have your corporate counsel weigh in on the specifics.)
Personal data takes many forms. For example: a name, a photo, an email address, bank details, posts on social networking websites, medical information, or an IP address. The Umbraco 7.9 upgrade has various GDPR-friendly features that make it easier for you to keep track of the data you collect and who has access to it.
Following is a checklist of things for you to think about:
- You need to speak to your development and hosting providers to see how they are dealing with this. Unfortunately, this is going to cost you consultation time and of course, money.
- Many of today's websites will need modification to ensure they comply and are protected, so it's highly likely an audit will need to be performed, with a gap analysis of what is good and what is bad, and then a roadmap to implement changes.
- Passwords and user accounts will need to be strengthened in order to protect access to critical systems.
- Restrictions on access to admin areas (such as the Umbraco back office) will need to be improved, for example by allowing only known IP addresses through the firewall.
- Websites should serve every page over HTTPS with a valid TLS (SSL) certificate to protect data in transit.
- You may need to upgrade your CMS.
- Processes will need to be developed and maintained.
- All your staff will need training and buy in with regards to the new policies.
- You will need to run regular audits to ensure you are compliant, and document them.
- You should create a data map showing all the points of data flow through your business, including third-party suppliers. After all, you cannot ensure you are compliant unless you know where your data is.
- New opt-in forms will need to be developed and implemented. This will involve technical development work as well, to include or exclude specific cookies and tracking beacons based on the visitor's choice.
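To make the last item concrete, here is an added example of the consent-gating logic behind such a form. It is not code from Umbraco, Umbraco Forms or Layer One Media; the cookie name `gdpr_consent`, the three categories, and the beacon registry (vendor URLs and cookie names) are assumptions constructed for the example. The point it demonstrates is default-deny: no beacon is loaded and no tracking cookie is kept until the visitor explicitly opts in to its category, and opting out is the same single action as opting in.

```javascript
// Consent-gated cookie and tracking-beacon loading (added example, not Umbraco code).
// Consent is stored per category in one first-party cookie. Nothing non-essential
// loads until the visitor explicitly opts in; withdrawing is the same one-step call.

const CONSENT_COOKIE = "gdpr_consent";                 // assumed cookie name
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Constructed registry of beacons and the cookies each one sets (placeholders, not real vendors).
const BEACONS = [
  { id: "site-analytics", category: "analytics", src: "https://analytics.example/tag.js", cookies: ["_an_id", "_an_session"] },
  { id: "ad-pixel",       category: "marketing", src: "https://ads.example/pixel.js",     cookies: ["_ad_uid"] },
];

// Parse a document.cookie-style string into {analytics: true, marketing: false}.
// Unknown categories are ignored; a missing or malformed cookie yields {} (no consent).
function parseConsent(cookieString) {
  const consent = {};
  for (const part of String(cookieString || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    let body;
    try { body = decodeURIComponent(rest.join("=")); } catch { continue; }
    for (const entry of body.split(",")) {
      const [category, flag] = entry.split(":");
      if (CATEGORIES.includes(category) && category !== "necessary" && (flag === "1" || flag === "0")) {
        consent[category] = flag === "1";
      }
    }
  }
  return consent;
}

// Serialize consent as a document.cookie assignment (Secure + SameSite, 180-day lifetime).
function serializeConsent(consent, maxAgeSeconds = 180 * 24 * 3600) {
  const body = Object.keys(consent).sort().map((c) => `${c}:${consent[c] ? "1" : "0"}`).join(",");
  return `${CONSENT_COOKIE}=${encodeURIComponent(body)}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// Default-deny: only an explicit true counts; "necessary" cookies need no consent.
function isAllowed(consent, category) {
  return category === "necessary" || consent[category] === true;
}

// One function for opt-in and opt-out, so withdrawing consent is exactly as easy as granting it.
function setConsent(consent, category, granted) {
  if (!CATEGORIES.includes(category) || category === "necessary") {
    throw new Error(`unknown or non-optional category: ${category}`);
  }
  return { ...consent, [category]: Boolean(granted) };
}

// Beacon ids that may be loaded under the current consent.
function beaconsToLoad(consent, beacons = BEACONS) {
  return beacons.filter((b) => isAllowed(consent, b.category)).map((b) => b.id);
}

// Cookies to expire because their category is not (or is no longer) consented.
function cookiesToClear(consent, beacons = BEACONS) {
  return beacons.filter((b) => !isAllowed(consent, b.category)).flatMap((b) => b.cookies);
}

// Browser glue; skipped outside a browser so the module also runs under Node.
function applyConsent(consent) {
  if (typeof document === "undefined") return;
  document.cookie = serializeConsent(consent);
  for (const name of cookiesToClear(consent)) {
    document.cookie = `${name}=; Max-Age=0; Path=/`;
  }
  for (const id of beaconsToLoad(consent)) {
    const beacon = BEACONS.find((b) => b.id === id);
    if (!document.getElementById(id)) {
      const s = document.createElement("script");
      s.id = id; s.src = beacon.src; s.async = true;
      document.head.appendChild(s);
    }
  }
}

// Typical wiring: on page load, applyConsent(parseConsent(document.cookie));
// on the form's checkbox change, applyConsent(setConsent(current, "analytics", checked)).
```

Note what the default does: a visitor who has never seen the form gets `{}` from `parseConsent`, so `beaconsToLoad` is empty and `cookiesToClear` lists every tracking cookie, which is the pre-consent state the regulation expects. Clearing cookies on withdrawal only removes first-party cookies; stopping a vendor's own processing is a contractual matter with that third party, which is why the data map above has to include suppliers.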
This blog entry is not meant to be the definitive guide to compliance; it's best if you seek counsel. Layer One Media, an Umbraco Certified Partner, is prepared to help you with a compliance audit to identify gaps, with the understanding that Umbraco CMS version 7.9 and Forms 7.0 already help with some of these.
For a roadmap leading to higher GDPR compliance call (414) 224-0368 or contact us.
Learn more about our Umbraco partnership and how Layer One Media helps clients meet their CMS goals.