GDPR Preparation: 7 Questions To Ask Your CMS Vendor

With General Data Protection Regulation (GDPR) rolling out in just a few short months, you need to make sure every relevant aspect of your business is GDPR compliant. And yes, if your CMS holds any of your customer data, you need to know how compliant your CMS vendor plans to be by May 25, 2018.

Your CMS vendor should make it easier for you to achieve GDPR compliance. Of course, the brunt of this responsibility will fall squarely on your shoulders, but making sure your CMS vendor is up to par will make it that much easier to satisfy the GDPR requirements.

Below we’ve listed seven questions you should ask your CMS vendor to see if they’re ready for GDPR — and more importantly, if they’re ready to help you get ready for GDPR!

But first, let’s recap.

What is General Data Protection Regulation (GDPR)?

In case you’ve forgotten GDPR is the latest digital privacy regulation that effectively brought the EU’s old-school data protection framework into the 21st century. But, far from just impacting the EU, it has a far-reaching effect on any person or business who collects data from EU citizens.

The overall goal is to help citizens gain more control over their data, while making data collection and use a more transparent process overall. There are numerous rules built into this new legislation that are causing businesses to upgrade their security practices and protocols worldwide.

Questions to ask your Content Management System (CMS) vendor about GDPR

If you’re collecting, using or storing any data relating to EU citizens, you need to ask your CMS vendor the following questions:

1. Do you train your staff regularly on data protection? 

All it takes is a single link in the chain to break for your data to become compromised. From support staff to marketing, to development, and even the CEO. You need to be aware of your CMS vendors educational practices for ensuring their team understands the implications of the latest GDPR regulations and what changes this might bring about in their day-to-day workflow.

It’s not enough to have a single team member concerned about GDPR, at the very least their team needs to be aware of the proposed changes.

2. What features are you working on to help us become GDPR compliant?

One component of GDPR is privacy by design. The concept seems sort of vague, but essentially it refers to the need to have business systems designed with proper security and privacy measures in mind.

Most CMS vendors will probably be rolling out new features to comply with this point, so ask if they have any new features they’re developing out to bolster their security and data collection practices.

3. Can you process customer data deletion requests from us? If so, how quickly?

Those whose data you’ve collected can request their data to be forgotten aka deleted, once the original use of the data has ended. This can be due to withdrawing consent, the original purpose of the collection has been fulfilled, or the data has even been used in an unlawful manner.

As soon as the request occurs, there needs to be a process in place for removing the data as quick as possible.

A GDPR-ready CMS should be able to help you sort through the personal data, to see if any of it can be retained per the regulation, plus there should be a built-in method for removing data and notifying the appropriate parties.

4. Do any third-parties have access to our customer's data?

Third party access to data is all too common. If you’re the person collecting the data, then it’s your job to keep your data safe. The umbrella of this extends out to third parties who might be using the same data. So, if a third party ends up abusing customer data you’ve let them access, then you could be on the hook.

It’s your responsibility to ensure that your CMS provider has strict data protection policies in place. Plus, you need to be aware of any other parties who might have access to the data you’re collecting through your CMS provider.

5. What data breach protection and protocols do you have? Can you detect data breaches?

The last thing you want is to find out about a data breach from your users and valuable customers. This is a surefire way to lose trust. Are there proper security protocols in place that will detect data breaches when they occur?

Or, at least very least are there detection methods available so you can determine how the breach occurred, and avoid similar breaches in the future?

Data security needs to be a priority for you, so it’ll need to be a priority for your CMS as well.

6. Is there a built-in way to manage user consent in ways that make GDPR compliance easy?

Consent to data collection is a large part of GDPR. Your CMS should be able to help you record a history of given consent so you can maintain accurate records. Consent can be given in various ways, such as email, a contact form on the website, a check-box on your landing page, and more.

Your consent records should specify the time and date when consent was given as well as the exact means they delivered consent. This data should be able to be readily exported and accessed when needed.

7. How easy is it to export data? Is all data ready for portability requests?

Per GDPR regulations, user data needs to have the ability to be exported and transferred to any other existing data controller.

The CMS you choose needs to be equipped to handle both exporting customer data that’s been collected, but also importing the same kind of data. Easy data addition and migration should be a core feature of your CMS.

Time to get real about GDPR compliance

If you’re working with third-party software vendors, you need to start looking outward as well as inward when it comes to GDPR compliance.

What other questions should brands be asking their CMS vendors? Share your suggestions in the comments below.