The European Union’s General Data Protection Regulation (GDPR)
Following the European Commission’s plans for data protection reform to make Europe 'fit for the digital age', the General Data Protection Regulation (GDPR) framework was created and the legislation is now coming into force.
GDPR is the European Union’s (EU) legislation designed to give individuals more control over their personal data – data that relates to an identified or identifiable person or, to put it another way, data which by itself or when combined with other data enables a person to be identified.
GDPR provides a set of rules on how organizations in and outside the EU and European Economic Area (EEA) should use personal data for marketing or selling goods or services, providing assurances that information is being securely protected, processed and stored. It intends to strengthen and unify data privacy for all people within the EU/EEA, and when EU/EEA organizations are processing personal data of people anywhere in the world.
While the prospect of GDPR compliance feels daunting, it actually presents a real opportunity to build trust with customers and prospects, putting them at the forefront of your data strategy and enabling you to thrive in the new digital era.
In the age of understanding, it is good to understand these four key concepts of GDPR and what personal data and processing this data actually means:
- Personal Data - Any information relating to an identified or identifiable natural person.
- Processing - Any operation or set of operations performed on personal data or on sets of personal data.
- Data Controller - Natural or legal person that determines the purpose and means of the processing of personal data.
- Data Processor - Natural or legal person, that processes personal data on behalf of the controller.
To tackle the GDPR challenge and ensure you have the right components in place to comply, Article 5 of GDPR clearly outlines six principles relating to all personal data and what you should be doing with it. The Data Controller is responsible for, and should be able to demonstrate compliance with these principles and must have the means to respond to requests from people about their data. However, the Data Controller may be able to rely upon provisions of GDPR to restrict the extent of the response they provide to such requests.
- Processing lawfully, fairly and in a transparent manner in relation to the data subject.
- Collecting for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Ensuring it is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (‘data minimisation’).
- Ensuring accuracy and, where necessary, kept up to date.
- Permitting identification of data subjects for no longer than is necessary for the purposes for which the personal details processed.
- Processing in a manner that ensures appropriate security of the personal data.
Successfully navigating your way through GDPR and your Content Supply Chain, will be achieved by understanding what personal data you are processing, having in place the right processes and ensuring transparency with your customers. In terms of your content journey, SDL is on hand to guide you in the right direction and support you putting the right measures in place to be GDPR compliant.
GDPR legally obliges Data Controllers to implement “data protection by design and by default”, which means making management of personal data privacy a fundamental consideration throughout a data processing lifecycle in all projects — from capture to destruction.
To satisfy privacy by design when developing our software we have designed anonymity into the processes and systems that capture data, adhering to the principles of secure software development. The standards we have achieved means that today, our software is already used by some of the most privacy-conscious organizations in the world — including intelligence agencies, banks and government organizations — as an integral part of their processes to protect data privacy.
When using SDL software, your organization is the Data Controller for any personal data processed through our software (on premises or cloud). If you use our Software as a Service (SaaS) offering, SDL will be the Data Processor in respect of the storage or transmission of the personal data. To achieve privacy by design we ensure that the SaaS deployment takes place in secure environments to achieve appropriate security.
At SDL, we are committed to helping customers comply with GDPR, by providing the functionality you need and guiding you through the process across your content supply chain - from creation, translation and delivery. We provide guidance on how to utilize the functionality in our software in responsible ways that will help you comply with GDPR.
By clicking on the boxes below you will gain an insight into how our Software can support you.
So first of all think about the privacy issues for the people who use our software.
In line with privacy-by-design, our Translation Software minimizes the data held on users and gives them control over what is held, for example by letting them choose a user name that doesn't identify them without reference to information held elsewhere (essentially a pseudonym).
The more complex issues surround how any personal data in materials to be translated is treated.
Where there is personal data, the most straightforward and reliable way to apply privacy by design is as follows:
- Pseudonymize content during file preparation: In other words, have a project manager (or equivalent role) replace the personal data in the source content file with pseudonymous strings before passing the file to a translator, service provider, or any other user.
- Delete the key once the pseudonymization is reversed: Once the translated content has been finalized and approved with the pseudonyms in place, the project manager reverses the process so that the final deliverable includes the personal data as required. The project manager can then safely delete the pseudonymization key.
Lastly, remember the Data Controller - the person that exposes our software or translators to the content, is responsible for the data within that content and GDPR compliance. This is beyond the means of our software or Data Processors to govern, but we can help you become GDPR compliant with a few simple practices.
There is no way to automatically identify personal data for pseudonymization with 100% accuracy — without any human oversight. But there is certainly help available. We have developed an app — which is available for free from the SDL AppStore — through which you can:
- Carry out sophisticated searches on source content using regular expressions (regex) that may indicate the presence of personal data.
- Replace specific identifiers with random tokens.
- Later reverse the pseudonymization by applying the app to the target file.
To use this app, you may first need to export and convert your files to XLIFF format (depending on the software you're using to prepare the files for translation). To protect personal data processed through SDL software — not to mention your intellectual property and other sensitive information — you want multiple layers of security and security controls.
To assess if your translation supply chain is GDPR compliant, please take SDL’s assessment, devised to assist organizations by identifying technologies and steps that can be implemented to simplify GDPR compliance efforts in the context of the translation and localization process.
SDL's software-as-a-service machine translation (MT) products, do not permanently store customer content submitted to them for translation. Content resides on these services for only as long as required to provide the translation.
If you purchase SDL MT with language pair adaptation that is trained with your translated content, make sure there is no personal data in the training content. You may need to pseudonymize the training data to ensure that it doesn't contain personal data.
Any customer of SDL Tridion Sites or SDL Tridion Docs, both part of the SDL Tridion DX suite, should review their implementation for GDPR compliance and ensure best practices for privacy, security, and encryption. In terms of documentation and content, your website should include your current privacy statements, as well as inform visitors when personal data is being collected, securing explicit permission when required. Also, consider engagement where your visitors can:
- Consent to personal data processing by explicit opt in or registration processes.
- Manage preferences through a self-service Preference Center.
- Provide the ability to unsubscribe, withdraw, consent, or otherwise object to data processing.
Adding disclaimers will help set the tone and expectations across the website for visitors and, if you are looking to build a new site leveraging new technologies that impact the privacy of people or are monitoring real-life activity related to personal data, ensure that a Data Protection Impact Assessment is completed to help you put the right privacy measures in place. Additionally, be transparent on security, codes of conduct and certifications and also minimize risks with security backups and privacy training for key stakeholders.
Specifically to SDL Tridion sites, you can still use any of the features as long as you deal with personal data. However, those features related to visitor context, experience optimization or rationalization should be handled with more care. These include the:
- Ambient Data Framework
- Context Cartridge
- Audience Manager
- CRM Accelerators and Connectors
- User generated content
- Contextual Templating
- Content Delivery APIs
- Experience Optimization
To understand more on you how you can use these features in a GDPR compliant way, watch our webinar or contact your local Tridion Support Contact. You can also read more about GDPR and SDL Tridion DX, in our community blog series here.
Securing InfrastructureSDL offers appropriate security to provide confidentially, integrity and security of data. We put the most stringent security process in place to ensure your data is safe.
For on-premises deployments of SDL software your infrastructure is your responsibility. Your IT department should ensure that servers and computers hosting SDL software are appropriately secured relative to the risk (as assessed by the data controller).
For SDL-hosted (cloud-based) software and services, SDL is a data processor and committed to the highest standards of infrastructure security. While all SDL managed products have been deployed on a cloud service provider service who maintain compliant infrastructure and services to ISO27001, ISO9001, ISO27018 etc.; all SDL sites are managed in line with the ISO 27002 code of best practice, some are ISO 27001-certified, and we are actively extending the ISO 27001 certification.
We offer a high degree of flexibility to meet customer security requirements. Feel free to talk to us about this. Beyond the baseline security controls that we agree with you, we also offer optional advanced security capabilities through a managed security offering.
If there's a breach
For our cloud-based software, if you want us to actively detect and notify you of breaches that require notification under GDPR, talk to us about our security incident management process, designed in line with the ISO 27035 standard.
Secure software development
Security is never an afterthought in our development process. We involve security engineers and architects from the start, and follow a plan — covering the infrastructure, application and database layers — that includes specific risk assessments, security control development, and security testing to ensure that appropriate and reliable security is baked into the software.
SDL’s Cloud Operations works closely with our development teams and architects to deploy solutions with data privacy and data security in mind – we work to Privacy by Design. For SDL-hosted (cloud-based) software and services, SDL is a data processor and committed to the highest standards of infrastructure security. While all SDL managed products have been deployed on a cloud service provider service who maintain compliant infrastructure and services to ISO27001, ISO9001, ISO27018 etc.; all SDL sites are managed in line with the ISO 27002 code of best practice, some are ISO 27001-certified, and we are actively extending the ISO 27001 certification.
However, when working a cloud environment you should understand your role to ensure data privacy by design:
- Establish ISO Certification: Put controls at each stage of the process in the content lifecycle.
- Establish Configuration Management: For each server we oversee, understand the customers/data related to that server for full transparency.
- Have a Comprehensive Security Toolset/Roadmap:
- Least privilege access
- Authentication policies
- Ensure Intrusion detection/Prevention (AWS only).
- Ensure Encryption in transit and at rest (not available for all products).
- Have ISO certification:
- Protects data
- Audit trails
- Outlines processes for response in the event of any security event
- All cloud should staff take mandatory training on data privacy/protection.
- Ensure our data centers/providers carry all relevant certificates and offer all requisite security features.
- Application Backup Data is retained for 28 days (in backups) then deleted:
- Have a Delete procedure in place
- Active data can be deleted.
As an enabler of digital experiences and an advocate in creating great customer journeys, SDL has embedded data privacy and GDPR into the core of what we do, making sure we:
- Treat personal data fairly and lawfully
- Store data securely
- Report any data breaches
- Keep information only for as long as it is needed
- Keep records of who accesses data
- Provide data when it is requested