Data privacy has dominated the attention of our industry for a few years, ever since the General Data Protection Regulation (GDPR) was approved by the European Union in 2016. Even with all this attention, a recent survey by the International Association of Privacy Professionals (IAPP) suggests that less than fifty percent of affected organizations are GDPR compliant.
In addition to the opening statement, there are many companies that have been slow to address data privacy issues because they do not fall under the scope of GDPR – perhaps they do not do business in European markets. However, the California Consumer Privacy Act (CCPA), set to take effect next year, has renewed the attention on data privacy, affecting many U.S. companies that may have escaped the scope of GDPR. Even if a company does not fall under the scope of GDPR or CCPA, the writing is on the wall. Whether by future legislation, litigation, or the ability to do business with other companies, everyone will face consequences of data privacy regulations.
Fortunately, Kentico was quick to address these new regulations by creating the Data Protection application that shipped in Kentico 11, including features for tracking user consents, fulfilling personal data requests, and managing erasure requests. However, even with Kentico’s powerful features, compliance does not come out of the box. The simplest scenario imaginable -- an organization’s use of personal data that stays within the walls of Kentico -- will still require some custom development, the creation of formal policies and procedures, and employee training. In fact, the biggest impacts to data privacy go far beyond the scope of a specific platform, creating deep organizational and integration challenges.
Organizational Challenges
As Kentico developers, many of us have been focused on how data privacy regulations affect particular projects, so we are very aware of provisions like the right to data portability, or the right to erasure. However, the operational impact to an organization is much broader, requiring new leadership, policies, governance, training, and data management at all levels of the organization. So even though many of the data privacy requirements are not impactful at a project level, it is important for Kentico professionals to familiarize themselves with the broad scope of regulations. This is because they are not only responsible for designing a secure and compliant system, they are often in a position to start an organization’s conversation about data privacy.
Here are some example scenarios, outside of implementing consent, data collection, or data erasure, in which a Kentico professional needs to be prepared to address broader data privacy topics:
Manually Importing Contact Data
Imagine that you are helping a marketing team implement Kentico’s email marketing features. They have customer and contact data in separate siloed systems, including their e-commerce and CRM platforms. To accelerate the schedule, they plan to regularly manually import the data. In a former life, you may have been glad to simplify the scope. However, this is a great opportunity to bring up data mapping and data governance topics, with questions like:
- Do we need to update the data mapping and documentation to account for transitioning this data?
- Have these users consented to the use of their data, and do we have a record of their agreements?
- Is this personal data being stored on local workstations before being imported into Kentico?
- Are the procedures in place to audit and delete all copies of this data, if requested?
Third-party Managed Membership Program
Here is a more complex scenario: The business includes a membership program in which customers earn points to achieve different membership tiers. A third-party agency provides membership data analysis. The business plans to manually import different groups of segmented membership data to support marketing emails. Again, here are some example questions to help the business address data privacy:
- Did we originally collect this data, and can we trace the data flow?
- Do we have the ability to audit or delete all copies of the personal data, including the copies provided to the third-party agency?
- Can we avoid emailing copies of personal data by integrating directly to the third-party’s system?
After reviewing these scenarios, it is clear that proper privacy compliance requires significant organizational changes. A company must be able to account for all the private data it collects, where it goes, and the procedures used to keep it safe. Additionally, it must be able to collect or delete the data upon request. This necessitates rigorous data governance practices, and turns common habits, such as emailing spreadsheets or using them on a local desktop into probable no-nos under the GDPR.
When addressing the need for compliance and data governance, it’s important that productive analysis and marketing efforts are not simply shut down in the name of privacy and governance. Many marketing teams have felt like they were in IT prison before and will resist going back to strict limitations. Instead, Kentico professionals should present opportunities to empower marketing teams with the right technology, so that they can perform their business goals in a compliant manner. For example, in Kentico this might mean adding additional CRM integrations so that marketers can analyze and segment contacts in dynamic contact groups instead of using offline spreadsheets.
Integration Challenges
In addition to organizational challenges, new privacy regulations bring integration challenges to the forefront of many Kentico implementations, whether by adding complexity to existing third-party integrations or by adding new systems for managing privacy requests.
Integration with Third-party Services
Kentico sites are often integrated with other platforms, like e-commerce and CRM systems, common scenarios which become more complicated due to privacy regulations. In one previous project, I integrated Kentico with a Learning Management System (LMS). Whenever a user wanted to take a course, the solution would ensure the user was added to the LMS platform. In addition to the private data fed to the LMS, it collected personal activity data, including course progress and exam scores. Privacy regulations introduced new requirements to this common scenario, including data collection and erasure requirements.
Regarding data collection, we had to ensure that the LMS provided an adequate API for collecting all the personal data, a scenario that was not otherwise required, and was not considered during platform selection. Regarding data erasure, there was a problem. The LMS platform provided an API for soft deleting a user, but not actually erasing the user from the system. Solving this challenge required asking the provider to update their platform to support new regulations. Fortunately, they rose to the challenge.
Managing a Multitude of Silos
Most organizations will have personal data spread across multiple systems. This means that at minimum, they will need to document all the systems and procedures needed to collect or erase someone’s data. However, in a large enterprise, the volume of systems often makes a documented, manual process untenable, and, thus, privacy regulations introduce the need for a system to manage data privacy. This was exactly the case on one of my Kentico projects for a Fortune 100 company. They had numerous services and membership programs and probably had hundreds of systems that managed personal data.
To address new privacy regulations, this company had to implement a sophisticated system for managing, collecting, and erasing personal data across a multitude of silos. This in turn caused an unexpected integration challenge for the Kentico solution. Instead of requiring personal data to be collected or deleted through the Data Protection application, the customer required integration with their enterprise-wide solution, which was an asynchronous messaging system built on Azure Event Grid and Cosmos. Integrating with this system required the creation of a custom agent to read deletion and collection commands from the feed. When a command was received, the agent would query Kentico and other integrated systems to collect or erase the specified personal data. Because of the company size, the agent had to process hundreds of thousands of privacy commands per month, even though the Kentico site contained data for only a small fraction of the users. In this case, privacy regulations introduced an unexpected integration and performance challenge. As more and more organizations implement enterprise-wide compliance programs, the ability for Kentico to integrate with a central solution, at least a case management solution, will become a common requirement.
The breadth and complexity of privacy regulations will continue to provide a steady supply of challenges like the ones I’ve experienced so far. Some companies will have established compliance departments that drive their solutions, while others may be falling behind, and need technical assistance to start the discussion. In either case, as Kentico professionals, we are in a unique position to help organizations address a wide range of privacy requirements. When we understand the organizational and integration challenges these companies face, it enables us to ensure successful Kentico implementations.