What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union law that becomes enforceable on May 25, 2018. It protects the rights of individuals in the EU (data subjects) by regulating how their personal data is used. Companies and organizations must ensure that personal data of people in the EU is protected, used only for the purpose for which it was collected, and made available to the individual it was collected from on request.
The regulation affects businesses worldwide: whether it applies is determined by the location of the people the data is collected from, not the location of the organization collecting it.
Does GDPR affect me?
The law affects any website, application, or system that collects and uses identifiable information about a person in the EU. Do you have Google Analytics on your website? (If you don’t, you should!) Does your website have forms? If you answered yes to either question, this regulation affects you. If a person in the EU visits your website and fills out a form, or your analytics collects information about them, you now hold data that falls under GDPR even though you and your business operate outside the European Union.
What do I need to do?
Much of the GDPR compliance responsibility lies with the data controller and processor – ultimately, our clients. They determine what information their websites gather and how that information is processed.
Responsibility for maintaining GDPR compliance varies with the nature of the business, the target markets, and the data collection methods you implement on your website. Many GDPR requirements pertain to how you collect, store, and use personal data. The first step toward compliance is identifying what personal data you collect from your users.
Is Titan CMS collecting data that we should be aware of?
Yes. The following Titan CMS features collect data that may be considered personally identifiable information under GDPR:
- Forms Editor Block
- Commenting and Rating Module
- Site Auditing
- User Registration Module
What areas in Titan have the potential to collect and store data subject to GDPR law?
- Titan CMS Audit Logging
- Titan CMS Forms Editor Block Results
- Titan CMS Data Sites
- User Demographics
- Google Analytics Support
If you use any of these features in your Titan CMS instance, you must comply with the new GDPR regulation.
Can we manage how this data is collected?
Absolutely. Here are our recommendations:
- Collecting personal information through forms? Include a checkbox that requires users to consent to the collection and storage of personal data before clicking submit.
- Disable Site Audit Logging (or set it to “Minimal”) and purge the data it does collect according to a published retention policy.
How can I classify and manage data in Titan CMS?
One of the goals of GDPR is to reduce the amount of unnecessary data being collected and to make organizations more aware of the types of data they collect. The concern is that the more data an organization collects, the more likely it is to fail to protect some of it.
Titan CMS has many powerful tools to help you organize and manage data, whether it is through the use of expiration dates, hierarchical relationships, Titan CMS’s robust classification system, or tasks to purge and archive old data.
For example, one way to track personal information within Titan CMS is to define a “Compliance” classification with a “GDPR” tag. Any pages or data items that collect personal information, as well as files that store the information, will be tagged with the “GDPR” tag, making it easier to track the content relevant to the new policies.
Ultimately, the effort to classify data falls to the individual organization collecting and using the data.
Does Titan CMS support GDPR active consent requirements?
GDPR requires users to give active consent before an organization can process their personal data. Data subjects have the right to restrict or object to the processing of their data, and withdrawing consent must be as easy as giving it. Titan CMS owners can comply with these requirements by implementing active consent solutions using standard Titan CMS features such as the Forms Editor blocks and the Raw HTML block.
However, implementing consent modules for data and cookies that effectively meet GDPR requirements requires a deeper look at each instance of Titan CMS and a thorough understanding of the regulations. Learn more about how Northwoods can assist with identifying this data.
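The consent checkbox recommended above, and the requirement that withdrawal be as easy as granting, both hinge on what the server does with the submission. The following is an added example, not Titan CMS code or a Northwoods module: it shows a server-side handler that refuses a form submission unless the consent box was actually ticked, records the grant as an auditable event (who, for what purpose, against which policy version, when) rather than a bare flag, and treats withdrawal as a single call that appends a second event. The field names, the policy version string, the purpose label and the in-memory stores are assumptions made for illustration.

```python
"""Server-side consent capture for a data-collecting web form.

Added example, not Titan CMS code: the form field names ("email", "message",
"consent"), the policy version string, the purpose label and the in-memory
stores are assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

POLICY_VERSION = "privacy-2018-05"  # assumed id of the policy text shown beside the checkbox
PURPOSE = "contact-form"            # assumed processing purpose the checkbox consents to


@dataclass
class ConsentEvent:
    subject: str          # e-mail address used as the subject identifier
    purpose: str
    policy_version: str   # which wording the person agreed to
    granted: bool         # False records a withdrawal
    at: datetime


class ConsentLedger:
    """Append-only record of grants and withdrawals. The latest event for a
    (subject, purpose) pair decides whether processing is currently allowed,
    and the full history stays available as evidence."""

    def __init__(self) -> None:
        self.events: List[ConsentEvent] = []

    def record(self, subject: str, purpose: str, granted: bool,
               at: Optional[datetime] = None) -> None:
        self.events.append(ConsentEvent(subject, purpose, POLICY_VERSION,
                                        granted, at or datetime.now(timezone.utc)))

    def is_active(self, subject: str, purpose: str) -> bool:
        for ev in reversed(self.events):
            if ev.subject == subject and ev.purpose == purpose:
                return ev.granted
        return False


def handle_submission(form: Dict[str, str], ledger: ConsentLedger,
                      submissions: List[Dict[str, str]]) -> Dict[str, str]:
    """Accept the form only if the consent box was ticked.

    A browser omits an unticked checkbox from the POST body entirely, so the
    check is on presence and value, never on a default. The box must not be
    pre-ticked in the HTML: the server cannot distinguish a pre-ticked box
    from a deliberate click, and a pre-ticked box is not active consent.
    """
    if form.get("consent") != "yes":
        return {"status": "rejected", "reason": "consent checkbox not ticked"}
    subject = form.get("email", "").strip().lower()
    if not subject:
        return {"status": "rejected", "reason": "no subject identifier"}
    ledger.record(subject, PURPOSE, granted=True)
    submissions.append({"email": subject, "message": form.get("message", "")})
    return {"status": "accepted", "subject": subject}


def withdraw(subject: str, ledger: ConsentLedger) -> None:
    """Withdrawal is one call with no extra steps: no harder than granting."""
    ledger.record(subject.strip().lower(), PURPOSE, granted=False)


if __name__ == "__main__":
    ledger, stored = ConsentLedger(), []
    # Constructed sample submissions: the first never ticked the box.
    print(handle_submission({"email": "a@example.com", "message": "hi"}, ledger, stored))
    print(handle_submission({"email": "A@example.com", "message": "hi", "consent": "yes"},
                            ledger, stored))
    withdraw("a@example.com", ledger)
    print("active after withdrawal:", ledger.is_active("a@example.com", PURPOSE))
    for ev in ledger.events:
        print(ev)
```

The ledger is deliberately append-only: withdrawing consent does not delete the original grant, because the organization may later have to show when consent was given, against which policy text, and when it was withdrawn. Whether processing is currently permitted is answered by `is_active`, which looks only at the most recent event for that subject and purpose.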
Can users request to have their personal data erased or changed through Titan CMS?
Even after an EU user consents to collection and processing of personal information, that user retains the right to be forgotten, meaning the user can request erasure of personal data from your system. They also have the right to request the data be changed.
Titan CMS allows users to submit such a request through the Forms Editor block. Anonymous user data, however, is tied only to the user’s session and IP address. Honouring an erasure or change request by IP address would remove every session recorded from that address; on a shared address (an office network, a mobile carrier) that is almost certainly more than the one requesting user’s information.
For authenticated users, whose form submissions and site audit log records are tied to an account, a request can be honoured far more precisely. Northwoods is working to include improved support for this GDPR requirement in future Titan CMS versions.
Remember that a user requesting erasure or changes must first prove they are who they say they are; otherwise an erasure request becomes a way to delete or alter someone else’s records. The burden of verifying identity lies with the organization controlling the information, not with the user.
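The two points above, that keying erasure on a shared IP address over-deletes and that identity must be verified before anything is erased, are easiest to see on data. The following is an added example, not Titan CMS code: the record layout, the sample submissions, and the verification scheme (a one-time token sent to the address on file, stored only as an HMAC so a database leak does not expose live tokens) are all constructed for illustration. It shows what an IP-keyed erasure would delete next to what a subject-keyed, verified erasure deletes.

```python
"""Scoping an erasure request to one verified data subject.

Added example, not Titan CMS code. The record layout, the token scheme and the
sample data below are constructed for illustration only.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List

# Constructed sample of stored form submissions. Anonymous submissions carry
# only a session id and client IP; authenticated ones also carry the account
# e-mail. Records 1-3 all came from one shared address.
RECORDS: List[Dict[str, str]] = [
    {"id": "1", "ip": "203.0.113.7",  "session": "s-a1", "email": ""},
    {"id": "2", "ip": "203.0.113.7",  "session": "s-b2", "email": ""},
    {"id": "3", "ip": "203.0.113.7",  "session": "s-c3", "email": "alice@example.com"},
    {"id": "4", "ip": "198.51.100.9", "session": "s-d4", "email": "alice@example.com"},
    {"id": "5", "ip": "198.51.100.9", "session": "s-e5", "email": "bob@example.com"},
]


def records_matching_ip(records: List[Dict[str, str]], ip: str) -> List[str]:
    """What an IP-keyed erasure would delete: every session seen from the address."""
    return [r["id"] for r in records if r["ip"] == ip]


def records_for_subject(records: List[Dict[str, str]], email: str) -> List[str]:
    """What a subject-keyed erasure deletes: only records tied to that account."""
    return [r["id"] for r in records if r["email"] == email]


class ErasureRequests:
    """Issue a one-time token to the address on file and honour the request
    only when that token comes back. Tokens are stored as HMACs, never raw."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending: Dict[str, str] = {}  # email -> HMAC of the issued token

    def _mac(self, email: str, token: str) -> str:
        msg = f"{email}\0{token}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def open(self, email: str) -> str:
        """Start a request. Returns the token that would be e-mailed to `email`;
        it is never shown to whoever filled in the web form."""
        if not email:
            raise ValueError("anonymous records cannot be claimed by e-mail")
        token = secrets.token_urlsafe(32)
        self._pending[email] = self._mac(email, token)
        return token

    def erase(self, records: List[Dict[str, str]], email: str, token: str) -> List[str]:
        """Erase the subject's records if, and only if, the token proves control
        of the address. Returns the ids removed."""
        expected = self._pending.get(email)
        if expected is None or not hmac.compare_digest(expected, self._mac(email, token)):
            raise PermissionError("identity not verified; nothing erased")
        del self._pending[email]  # one-time use
        erased = records_for_subject(records, email)
        records[:] = [r for r in records if r["email"] != email]
        return erased


if __name__ == "__main__":
    recs = [dict(r) for r in RECORDS]
    print("IP-keyed erasure for 203.0.113.7 would remove:",
          records_matching_ip(recs, "203.0.113.7"))  # three users' sessions
    requests = ErasureRequests(secrets.token_bytes(32))
    token = requests.open("alice@example.com")
    try:
        requests.erase(recs, "alice@example.com", "guess")
    except PermissionError as e:
        print("unverified request:", e)
    print("verified erasure removed:", requests.erase(recs, "alice@example.com", token))
    print("remaining:", [r["id"] for r in recs])
```

Run against the sample, the IP-keyed path reports three records from the shared address, two of which belong to other people, while the verified subject-keyed path removes exactly Alice's two records (one of them from a different address) and leaves everyone else's. The anonymous records 1 and 2 cannot be claimed through this path at all, which is the page's point: without an identifier stronger than IP and session, there is no safe way to honour an anonymous erasure request.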
Can users request access to or transfer of their personal data via Titan CMS?
GDPR gives users the right to request and receive their personal data in a structured, commonly used, machine-readable format. Titan CMS can export data submitted through forms, or stored through the Data Site editor, to an open XML-based flat file. Site audit log data can be exported directly from the SQL database.
Google Analytics data is keyed by the Analytics client ID, so honouring such a request for analytics data would require capturing the user’s client ID along with the request submitted through the Titan CMS Forms Editor block.
Is Titan CMS secure?
All Titan CMS workstation access in Northwoods managed hosting environments is over an encrypted (TLS) connection. To enforce this policy, Northwoods includes TLS certificates for all customer domains in the hosting agreement. Once enforcement is complete, all data going into and out of Northwoods managed hosting environments will be encrypted in transit. All dedicated and managed hosting environments provide appropriate anti-virus and intrusion detection measures.
Additionally, Northwoods runs vulnerability scans against each Titan CMS release, testing for SQL injection, cross-site scripting, clickjacking, and numerous other application-level vulnerabilities. Clients may also opt into vulnerability scanning of their own instance, which identifies vulnerabilities introduced by 3rd party plug-ins or custom modifications.
What is Northwoods doing for you?
Putting our oxygen mask on first, of course. Before diving in, we needed to understand the compliance requirements and take steps to ensure our organization is prepared. As a Microsoft partner, Northwoods has developed a plan based on Microsoft’s GDPR Compliance Assessment to help gauge our progress toward meeting and exceeding compliance requirements. We can then use this plan to help our clients.
Titan CMS has always limited the personal or sensitive data that is collected. It is specific features, such as Data Editors, Web Forms, Commenting and Rating, Registration, and 3rd Party Plug-ins that can increase risk of collecting information falling under GDPR.
For this reason, Northwoods has developed a GDPR Compliance offering to help ensure our clients’ Titan CMS hosted sites meet GDPR requirements. Learn more about this offering, and contact your Northwoods representative to learn more.
Originally Published: Thu, March 08, 2018