How we're approaching GDPR

Not a day goes by without some mention of the GDPR and the looming compliance deadline on 25th May 2018. Like any agency worth their salt, we've been busy putting plans in place to ensure we stay within these new regulations and working closely with our clients to help make sure that they do too. 

We've taken our lead on the GDPR from The Information Commissioner's Office (ICO), who are an independent authority set up to protect the information rights and data privacy for individuals. If you're yet to dive into the world of the GDPR, then their ’12 steps to take now’ guidance is a useful starting point.

Umbraco and the GDPR

As an Umbraco Development Partner, we started to explore how the GDPR would impact our clients in relation to the use of their CMS and found that the most relevant change to the current legislation is the 'Accountability' principle.

In simple terms, this means that our clients will have to document how they have data security under control and the decisions they make about data processing activities.

Umbraco is already ahead of the game with regards to GDPR compliance, as the CMS has the administrative features needed to take a measured approach to who has access to personal data and resources, as well as providing a clear audit trail of changes and who made those changes.

We're working with our clients to audit their implementation of these features and make changes to ensure compliance on a case by case basis.

Top tips for accountability

  • Define a clear policy around user roles and permissions, with regular reviews of who has which access rights, with particular focus on any sensitive data stored in the back office
  • Ensure that there is detailed logging of user actions in the back office, to provide an audit trail of which user has done what. For instance ‘User X has given User Y permission to section Z’
  • With regards to Forms used on websites, ensure that an audit trail is implemented in the back office or CRM integration, providing a method of registering that a person has given consent to any given action, along with an audit trail for consent by a person/action
  • Define a clear process for exporting and deleting a users saved data, with a documented audit trail of these actions

Where to find out more

Guidance around the GDPR is evolving all the time, so to keep yourself informed we recommend that you check out The ICO, as they are responsible for monitoring and enforcing GDPR compliance. The team at Econsultancy also have some great content for marketers covering GDPR best practice, tips and case studies.