If you’ve been tracking the hubbub around the EU’s General Data Protection Regulation, which went into effect May 25, you know that these new privacy regulations are both far-reaching and complex. They may also apply to your organization—whether or not it is based in the EU—if you collect or store data from users who live in any of the EU countries. Though much-needed and overdue, GDPR compliance can be tough both to understand and to put in place. Many U.S. and Canadian companies are grappling with the regulation.
That’s the bad news.
The good news is that the latest version of ExpressionEngine—4.3.0—offers some new functionality to make compliance an easier process to put in place and manage. Anything that makes GDPR compliance easier is aces in our book!
There are four GDPR compliance requirements with serious technical components:
- Your site visitors must be able to give clear consent to the collection and storage of their personal data. This is fairly straightforward to build into a site registration process, for example, but cookies were designed to live unobtrusively in the background. EE’s new Consent Manager, Consent Module, and Consent Variables make it much easier for your website developer to set up cookies, explain the purpose of those cookies to the user, and solicit and record consent and non-consent. You can use these tools to manage content around EE’s native cookies (none of which collect personally identifiable information), add-on cookies, and custom cookies you create yourself.
- GDPR rules mean that users of your site may request a record of all user data you have on them. Since most sites share user data with third-party services like Google Analytics or AddThis (and many others), this is no small task. Within EE, however, things are a bit easier. It’s always been possible to obtain the user data stored in member profiles fairly easily, but in EE 4.3.0 you’ll also be able to access consent and non-consent responses in permanent Consent Logs.
- GDPR dictates that any user may request that you purge all their user data from your site and records. Naturally, you can (and always could) delete member accounts in ExpressionEngine. In 4.3.0, however, you may choose to anonymize a member profile, effectively “forgetting” all the personal identifying information it contains, but retaining non-personally identifiable user data as well as any content created by that user, and the account itself.
- Finally, GDPR compliance requires prompt response when a user data breach occurs. With the Mass Notification Export tool you can export member IDs, screen names, usernames, and email addresses into a single CSV file you can use to send out your breach notifications.
(While EE’s tools are great, and will ease some of the process of GDPR compliance, they are not a comprehensive compliance solution. Be sure to read up on GDPR to fully understand how it may affect you. Here’s one of the better write-ups we’ve read recently: How To Survive GDPR: The Essential Guide To The Web’s New Privacy Regulations.)
Of course, we are always here to help you with your own specific GDPR questions. Drop us a line!