Maintaining the privacy and security of our customers’ data has always been a top priority for Pixel & Tonic, the creators of Craft CMS and Craft Commerce. With the deadline for the EU General Data Protection Regulation (GDPR) quickly approaching, we are taking a closer look at our practices and how we can help our customers be compliant.
What is GDPR and how does it affect you?
GDPR is the EU’s new data privacy law that goes into effect May 25, 2018. It is the most comprehensive data privacy regulation to date and will impact almost every company in Europe, as well as companies outside the EU that offer goods or services to people in the EU or monitor their behavior.
GDPR focuses specifically on how businesses collect and handle their customers’ personal data, and ensures that everyone in the EU has the right to access, correct, delete, and restrict the processing of their data at any time. It also sets forth stringent requirements around “consent” and how a business is allowed to collect and use the personal data of those who interact with its website.
What constitutes personal data?
According to GDPR.org, personal data is “any information related to a natural person or ‘Data Subject,’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
What is Pixel & Tonic doing to be ready for GDPR?
We understand that, as a software vendor with many customers in the EU, it is essential that we are ready for GDPR. Here is what we are doing:
- We’re updating our terms and conditions to be intelligible and easily accessible without confusing legalese.
- We’re working to establish and document new processes for handling data in a compliant manner, including Privacy Impact Assessments (PIAs).
- We're researching what we can do to make the Craft ecosystem more GDPR friendly.
What do I need to do to make sure my client’s Craft website is GDPR compliant?
Since GDPR compliance is rooted in how each business collects and stores personal data, we cannot ensure or guarantee that a Craft website is compliant merely because it uses Craft. There is no technical update we can release that will guarantee compliance for existing sites, so we urge every client to do their own review. Here is where to start:
- Look at your hosting environment, backup solutions, database encryption, server logs, and everywhere else that customer data is stored (remember that an IP address counts as personal data). Are you able to access, revise, export, and erase customer data from all these places, including backups?
- Update your privacy policies and disclosure statements to ensure that they are easily accessible and understandable.
- Ensure that everywhere you’re collecting customer data, consent is clearly requested, recorded, and withdrawable (pre-ticked boxes and implied consent do not qualify).
- Consider appointing a Data Protection Officer.
- Start creating a Privacy Impact Assessment that documents the steps you are taking to protect your customer data.
Are there any Craft-specific features that make it easier to achieve compliance?
- All cookies that Craft sets by default are “GDPR-ready.” Note that this covers only Craft’s own cookies; cookies set by plugins, analytics scripts, or embedded third-party content are your responsibility to review.
- Craft user accounts are also “ready” in that you can delete user accounts, or rename them to anonymize the data they contain, to match an organization’s specific GDPR policies.
As everyone becomes more familiar with GDPR compliance, we will continue to update Craft with features that take GDPR best practices into account. If you or your clients have GDPR feature requests related to Craft, please let us know. We’d love to hear about the specific challenges you encounter and figure out what we can do to help.
Regardless of what CMS you’re using, GDPR compliance is unique to every business. While we are all learning GDPR best practices together, rest assured that we are doing everything we can to prepare for compliance as a CMS vendor. We will continue to release information as to how Craft CMS is addressing GDPR regulations and, as always, we are happy to address any questions or concerns related to our handling of customer data.
Here are some helpful resources: