01 May 2018
As the image above suggests, GDPR is all about protecting privacy. Having a GDPR-compliant CMS does not solve all of a company's GDPR issues, but as the CMS is an important source of data collection and storage for your business, the same rules and penalties apply to it.
GDPR implications for all website CMSs
To achieve GDPR compliance, you have to go down one of two paths. The first path dictates that you do not store any data that can be used to identify an individual.
Assuming that you have elected to travel down the other path, GDPR requires that you fulfil these criteria:
- Information which can identify an individual must be stored separately from any other data pertaining to that individual.
- In the event of a data breach, it should not be possible to identify data on an individual basis, through encryption or other anonymisation of data.
- Individuals have the right to ask to be 'forgotten', through deletion or permanent anonymisation of their records.
- Businesses (specifically Data Controllers) have obligations to ensure that they are able to identify data breaches and report them or otherwise take the required action.
How does iCentric Core 2 achieve GDPR compliance?
Whether a person is a CMS back-end user, an e-commerce customer, a newsletter subscriber or has made any type of form submission, their identifiable data, such as name, email and phone number, is stored separately, within AWS Cognito user pools.
The CMS stores an ID for that user, which connects their form submissions or e-commerce purchases to their details held in Cognito.
Cognito itself has a high degree of compliance, being PCI and PHI compliant, meaning it can be used to store access to financial and protected health records.
So, if your CMS database is somehow breached, there would be no way to identify the individuals behind the records held, and this covers points one and two of the GDPR requirements listed earlier.
If a person wants to exercise their right to be forgotten, you can delete the user from the Cognito user pool, thus permanently and irretrievably anonymising all of their other records without having to delete them. This checks point three from our list.
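To make the separation described above concrete, here is an added example (not iCentric's code, and not the Cognito API): an in-memory identity store stands in for the user pool, the CMS side keeps only an opaque random ID, and "forgetting" a person deletes the identity record while the linked form submissions survive unchanged. The field names, the PII_FIELDS list and the sample person are constructed for the example. It also adds the check a practitioner would want: the CMS side refuses payloads that carry identifying fields, because the separation protects nobody if a form quietly stores an email address next to the ID.

```python
import secrets

# Fields that must never land in the CMS side of the split (constructed list for the example).
PII_FIELDS = {"name", "email", "phone"}


def payload_is_pii_free(payload):
    """True when a form payload carries none of the identifying fields."""
    return PII_FIELDS.isdisjoint(payload.keys())


class IdentityStore:
    """Stand-in for the separate identity store (the page's Cognito user pool)."""

    def __init__(self):
        self._users = {}

    def create_user(self, name, email, phone):
        # Opaque random ID: it reveals nothing about the person and is the only
        # value the CMS is allowed to keep.
        user_id = secrets.token_hex(16)
        self._users[user_id] = {"name": name, "email": email, "phone": phone}
        return user_id

    def get(self, user_id):
        return self._users.get(user_id)

    def delete_user(self, user_id):
        self._users.pop(user_id, None)


class CmsStore:
    """Application data keyed only by the opaque user ID; no PII lives here."""

    def __init__(self):
        self.submissions = []

    def record_submission(self, user_id, form_name, payload):
        # The separation only protects anyone if identifying fields are kept
        # out of the CMS side, so reject payloads that smuggle them in.
        if not payload_is_pii_free(payload):
            raise ValueError("identifying fields belong in the identity store")
        self.submissions.append({"user_id": user_id, "form": form_name, "data": dict(payload)})

    def submissions_for(self, user_id):
        return [s for s in self.submissions if s["user_id"] == user_id]


def forget_user(identity, cms, user_id):
    """Right to be forgotten: delete the identity record only. The CMS records
    survive for reporting but can no longer be linked to a person."""
    identity.delete_user(user_id)
    return len(cms.submissions_for(user_id))


def demo():
    identity = IdentityStore()
    cms = CmsStore()
    # Constructed sample person and submissions.
    uid = identity.create_user("Ada Example", "ada@example.invalid", "+44 0000 000000")
    cms.record_submission(uid, "contact", {"subject": "Quote request"})
    cms.record_submission(uid, "newsletter", {"opted_in": True})
    linked_before = identity.get(uid) is not None
    records_kept = forget_user(identity, cms, uid)
    linked_after = identity.get(uid) is not None
    return linked_before, records_kept, linked_after


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(True, 2, False)`: the person was resolvable before erasure, both submissions are still in the CMS afterwards, and the ID no longer resolves to anyone. Note that the ID is generated with `secrets`, not derived from the email or name; a hash of the email would let anyone holding the breached CMS data re-identify people by hashing candidate addresses.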
How does the data controller know that there has been a breach?
While there is no prescriptive answer to this, it is worth considering that the most likely source of a breach will not be a remote hacker, but someone within your own organisation who has access to the data.
iCentric Core 2 allows permissions to be assigned to the controls that allow data downloading, and logs every download with a date and user stamp in an audit log. While this doesn't completely eliminate the risk, it does at least limit the opportunities and deter potential breaches, while making any culprits easy to identify.
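The two controls just described, a permission gate on the download action and a stamped audit entry for every attempt, are small enough to show end to end. The following is an added example, not iCentric's implementation: the role names, the "export_data" permission and the sample activity are constructed. It goes one step beyond the page by running a simple check over the audit log, since a log nobody reads does not help the data controller notice a breach.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed role-to-permission map; "export_data" gates the download controls.
ROLE_PERMISSIONS = {
    "admin": {"export_data"},
    "editor": set(),
}


class AuditLog:
    """Append-only list of timestamped (user, action, target) entries."""

    def __init__(self):
        self.entries = []

    def record(self, when, user, action, target):
        self.entries.append({"when": when, "user": user, "action": action, "target": target})


def export_records(audit, when, user, role, dataset):
    """Permission-checked export that writes an audit entry whether or not it succeeds.
    Denied attempts are logged too: they are the early signal of someone probing."""
    if "export_data" not in ROLE_PERMISSIONS.get(role, set()):
        audit.record(when, user, "export_denied", dataset)
        raise PermissionError(f"{user} ({role}) may not export {dataset}")
    audit.record(when, user, "export", dataset)
    return f"{dataset}.csv"


def export_counts(audit, now, window):
    """Successful exports per user inside the trailing window."""
    cutoff = now - window
    return Counter(
        e["user"] for e in audit.entries if e["action"] == "export" and e["when"] >= cutoff
    )


def unusual_exporters(audit, now, window, threshold):
    """Users whose export count in the window exceeds the threshold (sorted for stable output)."""
    return sorted(u for u, n in export_counts(audit, now, window).items() if n > threshold)


def demo():
    audit = AuditLog()
    now = datetime(2018, 5, 1, 12, 0, tzinfo=timezone.utc)
    # Constructed activity: an editor is refused, one admin exports once,
    # another admin pulls the customer table six times within an hour.
    try:
        export_records(audit, now - timedelta(hours=2), "eve", "editor", "customers")
    except PermissionError:
        pass
    export_records(audit, now - timedelta(hours=3), "alice", "admin", "orders")
    for minutes in range(0, 60, 10):
        export_records(audit, now - timedelta(minutes=minutes), "bob", "admin", "customers")
    denied = [e["user"] for e in audit.entries if e["action"] == "export_denied"]
    flagged = unusual_exporters(audit, now, timedelta(hours=24), threshold=3)
    return denied, flagged


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(['eve'], ['bob'])`: the refused attempt is on record, and the admin whose export volume is out of line with the others is surfaced for review. The threshold and window are deliberately parameters; what counts as unusual depends on how the business actually uses exports, and the log only becomes a detection control once someone looks at it on a schedule.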
The missing link...
GDPR is not just about storing your data, but also about how you use it. With iCentric's built-in email campaigning solution, your customers and subscribers can opt in or out of email communications.
Bespoke requirements can be added so that subscribers, and the communication preferences they give via the website, are posted to a CRM or other back-office systems that handle customers and communication channels outside of the website.
Contact our team to find out more about how iCentric Core 2 can help your business meet GDPR compliance.