
GDPR. It’s an ominous term. But what does this behemoth of rules, regulations, and privacy policy from the European Union really mean for your business and digital experience?

In this blog post, we’re explaining it all. From privacy policies and digital projects to content management, here’s everything you need to know about GDPR and digital experiences.

What is GDPR?

More data is available now than ever before. To help protect customers from having their personal data used improperly, the EU put new sanctions and regulations in place from 25 May 2018.

Known as GDPR, or “General Data Protection Regulation,” this new regulation is aimed at reducing the severity and frequency of security breaches, and curbing the mishandling of personal data online.

The GDPR is made up of many articles, but its main objective is to give people power over their data, including:

  • The right to be forgotten
  • The right of access
  • The right to object
  • The right to restrict processing
  • The right to rectification
  • The right to data portability
  • The right to consent in an understandable manner
  • The right to purpose limitation and data minimization

So, how should you manage all of these GDPR articles for your digital experiences? There are a few steps you can take to ensure your digital experience is GDPR-compliant:

1. Appoint a data controller

Ensure your data is processed correctly with the help of a dedicated data controller, i.e. an individual or legal professional who controls and is responsible for the keeping and use of personal information in your systems. The data controller will also be the contact person if someone would like to delete or get insight into the data a company has connected to that person.


2. Draw up a privacy policy

A privacy policy needs to cover your website, app, and any other marketing tool you’re using (like Google Analytics and HubSpot).

Pro tip: Use a service like iubenda to simplify the process of making sure your apps and sites are compliant.

3. Ensure your digital experience is secure

Using HTTPS is a good start, but to make sure your digital experience is really secure, test it using the OWASP framework or similar. And don’t forget about your CMS. Not only should you ensure the CMS hosting is GDPR compliant, but it’s important to have a system in place to actively manage privacy.

You’ll need to think about your data processor terms too. As part of GDPR, you have to ensure your data processor terms are in place and readily available, with additional reporting on data processing activities.

4. Stay on top of content and data management

Your organization needs to be in complete control of where it stores data. That’s because under GDPR regulation, customers have the right to view, update, export, download, and delete any of the data they’ve shared with you. To make this possible, you’ll need the infrastructure required to allow customers access to their data, as well as a system that keeps data controllers in the loop.


5. Manage consent

Invest in a central CRM like HubSpot or Salesforce.com to ensure you can manage your contacts and their consent across all your applications.

6. Cookie tracking

When cookies can identify an individual person via their device, they are considered personal data. The majority of cookies are used in that way and will be subject to GDPR.

To be compliant, one can use soft opt-in consent. According to Cookie Law, this means giving an opportunity to act before the cookies start tracking actions. If there is a fair notice, continuing to browse can in most circumstances be valid consent via affirmative action.

Want to go even further?

Focus on all of the above, and your digital experience should be GDPR compliant. But there’s always room to go further. For extra security, consider:

  • Ensuring compliance with Privacy Shield
  • Deploying IP anonymization
  • Implementing a limited cookie expiration time

GDPR boils down to one thing: control. These regulations give customers control over the type of data they share, where it’s stored, and for how long. And importantly, they give them the right to be forgotten.

As long as your digital experience infrastructure allows for all of this, you and your digital experience are well on your way to being GDPR compliant.


First published 19 September 2018, updated 5 August 2022.
