If you’ve been tracking the hubbub around the EU’s General Data Protection Regulation, which went into effect May 25, you know that these new privacy regulations are both far-reaching and complex. They may also apply to your organization, whether or not it is based in the EU, if you collect or store data from users who live in any of the EU countries. Though much-needed and overdue, GDPR compliance can be both tough to understand and tough to put in place. Many U.S. and Canadian companies are grappling with the regulation.
That’s the bad news.
The good news is that the latest version of ExpressionEngine, 4.3.0, offers some new functionality to make compliance an easier process to put in place and manage. Anything that makes GDPR compliance easier is great in our book!
There are four GDPR compliance requirements with serious technical components:
- Your site visitors must be able to give clear consent to the collection and storage of their personal data. This is fairly straightforward to build into a site registration process, for example, but cookies are designed to live unobtrusively in the background. EE’s new Consent Manager, Consent Module, and Consent Variables make it much easier for your website developer to set up cookies, explain the purpose of those cookies to the user, and solicit and record consent and non-consent. You can use these tools to manage consent for EE’s native cookies (none of which collect personally identifiable information), add-on cookies, and custom cookies you create yourself.
- GDPR rules mean that users of your site may request a record of all user data you have on them. Since most sites share user data with third-party services like Google Analytics or AddThis (and many others), this is no small task. Within EE, however, things are a bit easier. It has always been possible to obtain the user data stored in member profiles fairly easily, but in EE 4.3.0 you’ll also be able to access consent and non-consent responses in permanent Consent Logs.
- GDPR dictates that any user may request that you purge all their user data from your site and records. Naturally, you can (and always could) delete member accounts in ExpressionEngine. In 4.3.0, however, you may choose to anonymize a member profile, effectively “forgetting” all the personally identifying information it contains while retaining non-personally identifiable user data as well as any content created by that user, and the reputation itself.
- Finally, GDPR compliance requires a prompt response when a user data breach occurs. With the Mass Notification Export tool you can export member IDs, screen names, usernames, and email addresses into a single CSV file you can use to send out your breach notifications.
(While EE’s tools are great, and will ease some of the process of GDPR compliance, they are not a comprehensive compliance solution. Be sure to read up on GDPR to fully understand how it may affect you. Here’s one of the better write-ups we’ve read recently: How To Survive GDPR: The Essential Guide To The Web’s New Privacy Regulations.)
Of course, we are always here to help you with your own specific GDPR questions. Drop us a line!