/ Sitecore

Sitecore and GDPR: Don't Panic, Unless...

Welcome. If you don't know what GDPR is, you came to the wrong place. But if you want to know more about what GDPR is then you might want to take a look at this. The fact that the legislation was introduced almost two years ago is another thing.

For better or worse, GDPR is coming at us like a train in a tunnel. If your company uses Sitecore 8 or Sitecore 9, you are most likely in need of real-world advice about technical considerations and solutions for reaching GDPR compliance nirvana. If there is such a place.

You may have heard that the solution to GDPR compliance heaven is to simply upgrade to Sitecore 9. Easy.

Not necessarily.

Then let's upgrade and be done with it

Sitecore 9 introduces xDB in SQL Server, which in itself is a good thing. But for businesses already running with Sitecore 8.X on MongoDB, it might not be that easy to go with the upgrade option.

Quite possibly, different aspects hold you back from upgrading in the short term. Your company might not have resources for getting more SQL servers, you might not want to be first-movers on a fairly new implementation on SQL, or there could be other reasons.


So instead of panicking, another approach is to see what Sitecore actually has introduced to aid the compliance of their platform.

According to this document, a number of method calls have been introduced to support the different parts of the GDPR requirements. The most important ones are:

  • GetContactAsync
  • ExecuteRightToBeForgotten

It is from a technical point of view very much possible to implement the above mentioned functionality on top of Sitecore 8. Nothing prevents us from doing that.
Regarding PII data (personal identifiable information), it is also fairly easy to make sure that it does not get scattered across indexes and log files, without destroying an eventual upgrade path.

Sitecore itself might not be writing email addresses or other PII into the log file (ehm ... EXM?), but your custom code might.

The important thing is

Sitecore 9 gives you some nice API methods out of the box, but simply upgrading does not make your website compliant per se.

You still need to implement the user interface for handling the right to be forgotten and a page that can display everything that you as a company knows about a user. Sitecore won't do that for you.

Sitecore will also not make sure that a user who wants to be forgotten actually gets erased from database backups. Imagine that in a disaster recovery scenario?

Talk to us

Nothing beats real world experience when it comes finding the right solution for GPRP compliance when using Sitecore 8 or Sitecore 9. Talk to us. We can help you get your Sitecore implementation on the path to GDPR compliance nirvana.