Forget plugins and mods. Remove all traces of personal data from your website and your CMS implementation is GDPR compliant, by design.

I pen this blog post with mixed feelings. GDPR, poised to come to life in a short 4 months, has more than a whiff of a consultant money-maker - remember Y2K? Worse, it would trigger an avalanche of PPI-type spam calls, with dodgy companies abusing the “right to be forgotten” on behalf of greedy customers.

And yet, it can also help bring about a number of Good Things. For starters, it would make life harder for the spammers that plague the digital industry. We all get a little more control over our personal information. Finally, it’s a good opportunity for organisations to build up their security defences and improve their quality of service.

Web development and GDPR

Probably the best article on GDPR for web developers is written by Bozhidar Bozhanov, a web developer and former advisor to the Bulgarian deputy PM. In it, he details users’ rights, principles and processes - and even describes the features of a GDPR-compliant system.

Useful as it is, the author neglected to name the single most important challenge for systems developers. The regulator wants us to consciously rearrange our architecture in order to implement data-protection principles, or Data Protection by Design and Default.

GDPR-compliance in 1 easy step: remove all personal data. 

This bit of the regulation carries one architectural imperative for any CMS implementation. Put simply, you must not store personal data in or with your CMS. Your website can interface (securely) with a CRM or portal, whose job is to be GDPR compliant by implementing the features in the article, but it should not include or be co-located with applications which hold personal information. 

Developers have been on the GDPR trail for a while now, but conversations like this one go too far. You don’t need plugins or upgrades to make Umbraco "GDPR compliant". You do need to check your implementation and remove all traces of personal information: forms should pass information to the CRM without storing any data; you should avoid custom properties for Members; and you should ensure your logs contain no personal information.
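One way to run the log check described above, as an added example rather than code from Umbraco, Episerver or this agency. The regex patterns, the choice to treat email and IPv4 addresses as the personal data to look for, and the sample log lines are all assumptions constructed for illustration.

```python
import re

# Assumed patterns for this example; extend them for whatever your forms collect.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
}

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = """\
2018-01-22 10:14:03 INFO  ContactForm submitted by jane.doe@example.com
2018-01-22 10:14:03 INFO  Forwarded submission 4711 to CRM, status 202
2018-01-22 10:15:41 WARN  Failed member login from 203.0.113.42
2018-01-22 10:16:00 INFO  Published node 1093, version 1.2.3
"""


def audit(log_text):
    """Return (line_number, kind, match) for every personal-data hit."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((number, kind, match.group()))
    return findings


def redact(log_text):
    """Replace each hit with a typed placeholder so the line stays useful."""
    for kind, pattern in PATTERNS.items():
        log_text = pattern.sub(f"[{kind} removed]", log_text)
    return log_text


if __name__ == "__main__":
    # Report the kind and location only, so the audit output holds no personal data.
    for number, kind, _value in audit(SAMPLE_LOG):
        print(f"line {number}: {kind} found")
    print(redact(SAMPLE_LOG))
```

A clean audit of the redacted text confirms the scrubbing worked, while identifiers such as the submission number stay in place for troubleshooting.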

C is for Content, not Change

To their credit, both Umbraco and Episerver have avoided sweeping changes to the systems, and have been careful to stress that most of the changes are organisational rather than technical. Both vendors imply that theirs is a Content (not Change) Management System, and as such not best placed to solve organisational issues.

As an agency, we field a lot of questions about CMS and GDPR compliance. The concern is natural, and our response echoes the vendors' advice: take out personal data from the CMS, and you will be fine. GDPR will bring all kinds of challenges - but your CMS need not be one of them.


PS: you do have a CRM, right? If your website is not connected to a CRM, or you are in need of a portal for users to manage their data, we've got just the product, so get in touch.