Agency CEO, Paul, explores GDPR and the opportunity for brands and marketers as well as how those using Sitecore can tackle the regulation in Versions 8-9.

1. @SagittariusMktg
Tackling the GDPR challenge
with Sitecore versions 8 & 9.
Wifi:TOGorTOG5
Password:TOGether

2. @SagittariusMktg
PaulStephen
paul@sagittarius.agency
@paulrstephen
about me.

3. high performance guaranteed.
digital marketing that
drives traffic and
creates raving fans
ecommerce websites
and apps that convert
more sales

4. @SagittariusMktg

5. @SagittariusMktg
The Data Governance Forum.

6. @SagittariusMktg
endorsement.
Southern Marketing Business
of the Year 2013, 14, 15 & 16
2015 & 2016
Best Sports Travel & Tourism 2014
Best Tour Operator Website 2016
2014, 2016 & 2017
2017
Best Tour Operator
Website 2017
Best Tour Operator Website
2014, 2016 & 2017

7. @SagittariusMktg
sitecore clients.

8. @SagittariusMktg
The information provided and the opinions expressed in this
presentation represent the views of the presenter(s). They do not
constitute legal advice and cannot be construed as offering
comprehensive guidance to the Data ProtectionAct 1998, Privacy &
Electronic Communications (EC Directive) Regulations 2003, the
General Data Protection Regulation or any other statutory measures
referred to in the course of the presentation or subsequent q&a.
before I start… a disclaimer

9. @SagittariusMktg
“we’ve lost
control of our
personal data”
“we’ve lost
control of our
personal data”

10. @SagittariusMktg
EuropeanCourtofHumanRights,Strasbourg

11. @SagittariusMktg
General Data Protection Regulation
GDPR: what is it?
The EU General Data Protection Regulation (GDPR)
replaces the Data Protection Directive 95/46/EC and
was designed to harmonize data privacy laws across
Europe, to protect and empower all EU citizens data
privacy and to reshape the way organizations across
the region approach data privacy.

12. @SagittariusMktg
Data ProtectionAct 1984
Data Protection Directive 1996
Data ProtectionAct 1998
ePrivacy Directive 2002
ePrivacy Directive 2012
General Data Protection Regulation (GDPR)
Enacted: 27thApril 2016
In force: 25th May 2016
Compliance: 25th May 2018
GDPR: what is it?

13. @SagittariusMktg
GDPR makes it clear that the data subject owns
any data which describes or identifies them
They have the right to determine how it is used,
check it and withdraw it
Anyone who handles this data is held accountable
and must be able to demonstrate how they protect
it and what they do with it
why is it different?

14. @SagittariusMktg
GDPR roles.
Processor
processes the data
on behalf of the
controller
Controller
determines the
purpose of
processing the PII
Individual
the person whose
data you gather

15. @SagittariusMktg
Awareness
You should make sure that decision makers and key
people in your organisation are aware that the law is
changing to the GDPR. They need to appreciate the
impact this is likely to have.
1
Information you hold
You should document what personal data you hold,
where it came from and who you share it with. You
may need to organise an information audit.
2
Individuals’ rights
You should check your procedures to ensure they
cover all the rights individuals have, including how
you would delete personal data or provide data
electronically and in a commonly used format.
4
Communicating privacy information
You should review your current privacy notices and
put a plan in place for making any necessary
changes in time for GDPR implementation.
3
12 steps to take now
Preparing for the General Data Protection
Regulation (GDPR)
Lawful basis for processing personal data
You should identify the lawful basis for your
processing activity in the GDPR, document it and
update your privacy notice to explain it.
6
Subject access requests
You should update your procedures and plan how you
will handle requests within the new timescales and
provide any additional information.
5
Consent
You should review how you seek, record and manage
consent and whether you need to make any changes.
Refresh existing consents now if they don’t meet the
GDPR standard.
7
Data breaches
You should make sure you have the right procedures
in place to detect, report and investigate a personal
data breach.
9
Children
You should start thinking now about whether you
need to put systems in place to verify individuals’
ages and to obtain parental or guardian consent for
any data processing activity.
8
Data Protection by Design and Data
Protection Impact Assessments
You should familiarise yourself now with the ICO’s
code of practice on Privacy Impact Assessments as
well as the latest guidance from the Article 29
Working Party, and work out how and when to
implement them in your organisation.
10
Data Protection Officers
You should designate someone to take responsibility
for data protection compliance and assess where this
role will sit within your organisation’s structure and
governance arrangements. You should consider
whether you are required to formally designate a
Data Protection Officer.
11
International
If your organisation operates in more than one EU
member state (ie you carry out cross-border
processing), you should determine your lead data
protection supervisory authority. Article 29 Working
Party guidelines will help you do this.
12

16. @SagittariusMktg
legitimate interest
consent
how much, how long
profiling
data sharing with third parties
erasure
key issues for marketing.

17. @SagittariusMktg
six grounds of lawfullness
consent for specific purposes
controller’s legitimate interests
contractual necessity
controller bound by legal obligation
protect vital interests
public interest, official duty
what is legitimate interest?

18. @SagittariusMktg
one of the six grounds
freely given, specific, informed and explicit
privacy notices and consent.

19. @SagittariusMktg
If consent is given in the context of a written declaration which also
concerns other matters, the request for consent shall be presented;
in a manner which is clearly distinguishable from the other matters,
in an intelligible and easily accessible form,
using clear and plain language.
consent.

20. @SagittariusMktg
When assessing whether consent is freely given, utmost
account shall be taken of whether, inter alia, the performance
of a contract … is conditional on consent to the processing
of personal data that is not necessary for the performance of
that contract.
consent.

21. @SagittariusMktg
(Recital 171)
Processing already under way on the date of application of this Regulation
should be brought into conformity with this Regulation within the period of
two years after which this Regulation enters into force i.e. 25th May 2018.
Where processing is based on consent pursuant to Directive 95/46/EC, it is
not necessary for the data subject to give his or her consent again if the
manner in which the consent has been given is in line with the conditions
of this Regulation.
do we have to re-consent?

22. @SagittariusMktg
unbundled
consent
who is doing it right?

23. @SagittariusMktg
unbundled
consent.

24. @SagittariusMktg
granular
consent.

25. @SagittariusMktg
named
consent.

26. @SagittariusMktg
privacy
notices.
who is doing it right?

27. @SagittariusMktg
what information is being collected?
who is collecting it?
how is it collected?
why is it being collected?
how will it be used?
who will it be shared with?
how to withdraw
what will be the effect of this on the individuals concerned?
is the intended use likely to cause individuals to object or complain?
be transparent & honest.

28. @SagittariusMktg

29. @SagittariusMktg
layering.

30. @SagittariusMktg
just in time.

31. @SagittariusMktg
reduce the
friction.

32. @SagittariusMktg
sample newsletter sign up
for example…

33. @SagittariusMktg
“the right to be forgotten”
easy to withdraw: Tell people they have the right to withdraw their
consent at any time, and how to do this. It must be as easy to
withdraw as it was to give consent. This means you will need to
have simple and effective withdrawal mechanisms in place.
if a controller has no reason to process data then the ‘data subject’
is entitled to have the data deleted
the right to erasure.

34. @SagittariusMktg
the data subject’s personal identity
where is that data?
even the back ups
including third-parties
if you process personal information online, for example on social
networks, forums or websites, you must endeavour to comply
what do you mean delete?

35. @SagittariusMktg
When does the right apply?
Individuals have the right not to be subject to a decision when:
it is based on automated processing; and
it produces a legal effect or a similarly significant effect on the individual
You must ensure that individuals are able to:
obtain human intervention;
express their point of view; and
obtain an explanation of the decision and challenge it
automated profiling.

36. @SagittariusMktg
The GDPR defines profiling as any form of automated processing
intended to evaluate certain personal aspects of an individual, in
particular to analyse or predict their:
automated profiling.
performance at work;
economic situation;
health;
personal preferences;
reliability;
behaviour;
location; or
movements

37. @SagittariusMktg
the
opportunity.
embrace it!

38. @SagittariusMktg
get data ‘in order’
build the business case
improve data security
digital transformation
improve client understanding/empathy
improve customer experience (give/get exchange)
build trust
beat the competitors
a fantastic opportunity to:

39. @SagittariusMktg
freelygiven
onlytheinterested
valued
better customer data.

40. @SagittariusMktg
single
customer view.
social
media
online
physical
store
customer
mobile
big data
CRM
single
source of truth.

41. @SagittariusMktg
GDPR is coming. GDPR
BrandsAudiences Partners

42. @SagittariusMktg
GDPR is coming.
Serious Complex Uncertain
?
GDPR

43. @SagittariusMktg
in privacy and protection we trust.
BrandsAudiences Partners
€ £ $ € £ $

44. @SagittariusMktg
in privacy and protection we trust.
BrandsAudiences Partners
? ?

45. @SagittariusMktg
in privacy and protection we trust.
BrandsAudiences Partners
✔ ✔
€ £ $ € £ $

46. @SagittariusMktg
inprivacyandprotectionwemustcomply.
CMO
CPO
CEO
CSO
COO
CIO
CTO
Audit
Compliance

47. @SagittariusMktg
inprivacyandprotectionwemustcomply.
CMO
CPO
CEO
CSO
COO
CIO
CTO
Global
Regional
Local
Media
Partners
Analysts
Vendors
Agencies
Advertisers

48. @SagittariusMktg
inprivacyandprotectionwemustinvest.
ERP
CRM
…
Data &
Technology
Marketing
Clouds Storage &
Processing
Clouds
xDM
Assess
Plan
Enhance
Comply

49. @SagittariusMktg
RISK
in privacy by design we aspire.
COSTS

50. @SagittariusMktg
data security.

51. @SagittariusMktg
data security.

52. @SagittariusMktg
Apersonal data breach means a breach of security leading to the
destruction, loss, alteration, unauthorised disclosure of, or access
to, personal data - this means that a breach is more than just losing
personal data
when, how and to whom?
breaches occur - no 100% secure systems
within 72 hours
who will supervise/enforce?
robust breach detection, investigation and internal reporting procedures
data protection by default – e.g. encryption
data breach notification.

53. @SagittariusMktg
data security.the true cost?

54. infrastructure
software
network access
policies
insurance
attitude
better security.

55. @SagittariusMktg
Willtheprojectinvolvethecollectionofnewinformationaboutindividuals?
Willtheprojectcompelindividualstoprovideinformationaboutthemselves?
Willinformationaboutindividualsbedisclosedtoorganisationsorpeoplewhohavenot
previouslyhadroutineaccesstotheinformation?
Areyouusinginformationaboutindividualsforapurposeitisnotcurrentlyusedfor,orina
wayitisnotcurrentlyused?
Doestheprojectinvolveyouusingnewtechnologywhichmightbeperceivedasbeing
privacyintrusive?Forexample,theuseofbiometricsorfacialrecognition.
Willtheprojectresultinyoumakingdecisionsortakingactionagainstindividualsinways
whichcanhaveasignificantimpactonthem?
Istheinformationaboutindividualsofakindparticularlylikelytoraiseprivacyconcerns
orexpectations?Forexample,healthrecords,criminalrecordsorotherinformationthat
peoplewouldconsidertobeparticularlyprivate.
Willtheprojectrequireyoutocontactindividualsinwayswhichtheymayfindintrusive?
privacy impact assessments.

56. @SagittariusMktg
cloud Hosting -AWS/Azure/Google
personnel Files
phone call recording
reviews
data portability
other considerations.

57. @SagittariusMktg
needs technical, marketing, business strategy & legal expertise
all your suppliers need to be compliant
employee training
policies on websites
user experience and forms need to be updated
get legal advice
no shortcuts.

58. @SagittariusMktg
assemble your team
pick your Data Protection Officer
tools?
your next steps.

59. @SagittariusMktg
Tackling the GDPR challenge
with Sitecore versions 8 & 9.

60. @SagittariusMktg
whatdatadoyouhave?
whatPIIisprocessedinyourapplications?
isthereadditionalsensitivedata?
whydoyoustorethisdata?
whoelsehasaccesstothisdataorprocessingit?
doyoushareitwiththirdparties?
#1: data analysis

61. @SagittariusMktg
reviseyourdataretentionpolicies
PIIshouldnotberetainedlongerthannecessary
onlyretaindatayouneedtoandhavelegitimatereasontodoso
coulddatabeanonomised?
whatisyouruniqueidentifier?
#2: minimise data retention

62. @SagittariusMktg
youneedtokeeparecordofwhatyoudid
couldbeassimpleasaspreadsheet
noteveryindividualtransaction
#3: register ‘transactions’

63. @SagittariusMktg
upgradeandupdateyourprivacypolicies
privacybydesign
privacybydefault
databreach(response)protocol
#4: upgrade security policies

64. @SagittariusMktg
upgradeandupdateyourdatacapture
anaffirmativeaction
unbundleconsent
#5: consent

65. @SagittariusMktg
the‘righttorectification’
apreferencesform/area
howwillthisupdateothersystems?
howdoyouconfirmidentityoftheuser?
#6: user preferences

66. @SagittariusMktg
betransparent
inprivacystatements
howdoesauserchoose?
#7: automated processing

67. privacy notices
consent
profile and contact preferences
data request
security
the ‘easy’bits.

68. @SagittariusMktg
currently neither Sitecore 8.x or 9.x has
any standalone user tools to facilitate:
the right to erasure (to be forgotten)
the right to data portability
the big issue.

69. @SagittariusMktg
introducing…

70. @SagittariusMktg
it is a user anonymiser and extraction tool
it is accessed via a new button in Sitecore Launchpad
it enables you to search both xDB and List Manager
it enables you to anonymise a user’s data
it enables you to extract what PII data you are storing
what is it?

71. @SagittariusMktg
search for a user.

72. @SagittariusMktg
user overview.

73. @SagittariusMktg
it searches the core database, the mongoDB and list manager
it anonomyses a user’s personal information
in mongoDB and core we update the contact information and any populated
custom fields will be blanked out
the user is NOT deleted so all transaction references and analytics remain
the list manager uses the built in Sitecore unsubscribe method,
removing that email address from each list it appears in.
the export button will serialise all the data which is available via
the Sitecore calls to a json file
how does it work?

74. @SagittariusMktg
this tool is built primarily for any version of Sitecore 8.x
with Sitecore 9.x the methods are still supported
Sitecore 9 has additional new methods to achieve the same result
Sitecore 8 & 9?

75. @SagittariusMktg
still no cms interface
new methods via xConnect
expects your CRM to be the ‘controller’of customer data
all data is encrypted at rest and in motion
new ‘Personally Identifiable Information’configuration options
how will Sitecore 9 help more?

76. @SagittariusMktg
indexing PII sensitive data.

77. @SagittariusMktg
by default indexing of PII
sensitive data is disabled, and it
can be enabled by changing a
setting…
decorating attributes.

78. on-boarding
upgrade to 8+
install our GDPR User Data module – 2 days
custom configuration of extract tool – 1-3 days
QA, Test and deploy
what does it cost?

79. questions?
Paul Stephen
paul@sagittarius.agency
@paulrstephen