The General Data Protection Regulation (GDPR) has been in effect since May 25, 2018, and has moved businesses all over the world to think more about data protection. It strengthens the protection of EU residents’ right to privacy by regulating how organizations process their personal data.
Liferay believes that the spirit of GDPR is a good and necessary step toward instilling greater transparency and accountability in businesses. The new regulations are an opportunity for companies everywhere to demonstrate their commitment to putting customers’ interests ahead of their own.
Is Liferay DXP GDPR compliant?
Asking whether a software platform is GDPR compliant is a lot like asking whether a building is compliant with city code before you’ve started creating the blueprints. The answer depends on what you build and how you build it, not the tools themselves.
Though no software product can offer a checklist of features to make your company completely GDPR compliant, the tools in Liferay Digital Experience Platform can greatly accelerate your company’s journey toward compliance. Features such as data export, data erasure and user permissions combined with Liferay DXP’s flexible architecture enable you to adapt business-critical software to the evolving needs of your data protection strategy.
Because of Liferay’s open source roots, flexibility and interoperability are key tenets of how Liferay engineers technology. Liferay DXP is designed to empower your company to assemble the technology stack of your choice, facilitated by market-leading capabilities for integration, extensibility and scalability. Companies should be free to choose the foundational technologies and adjacent solutions that best address their customers’ interests, without any fear of vendor lock-in.
Liferay also participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. Liferay is committed to subjecting all personal data received from European Union (EU) member countries and Switzerland, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles.
Data Protection Features in Liferay DXP
Right to Be Forgotten
The right to be forgotten (technically known as the “right to erasure”) requires organizations to delete an individual’s personal data upon his or her request. Personal data is considered erased when the data can no longer be reasonably linked to an identifiable individual. In Liferay DXP, administrators can review content that potentially contains personal information and edit, anonymize or delete as needed through a simple interface.
The right to data portability requires organizations to provide a machine-readable export of a user's personal data upon request. This right is intended to prevent vendor lock-in. With Liferay DXP, administrators can export a user’s personal data per application before going through the erasure process.
More Liferay DXP Features to Achieve GDPR Compliance
Roles and Permissions
Granular roles and permissions ensure that no one accesses data they shouldn’t. Read about Liferay DXP’s Application Security Features for a comprehensive overview.
Search, Tags and Categories
The taxonomy, asset framework and search tools in Liferay DXP are invaluable for finding where personal data resides on your instance. Use integrated Elasticsearch to look in searchable fields as well as within digital assets to uncover hidden data.
Liferay’s robust development features allow you to maintain full control over your users’ data and give you the option to pursue the right strategy for your company, whether that’s anonymization, building extra encryption or anything else.
Data is the lifeblood that powers modern businesses. The more people use a product, the more data they contribute, which drives smarter products, which draws more users, which ultimately creates even more data. This concept is known as data network effects: the more user data companies have, the greater their ability to offer smart, valuable products that trounce the competition.
As such, businesses now face a powerful incentive to maximize data collection. In an ideal world, this effect would be a win-win scenario for both companies and individuals. However, recent events show that the relentless pursuit of data without regard for users’ right to privacy can result in great damage to users’ well-being. Data protection and privacy regulations such as GDPR seek to disincentivize data collection practices that are carried out at the user’s expense.
What qualifies as personal data?
Personal data is any information that is tied to an identifiable individual. For example, if you can tie a unique identifier (such as an email address) to any information (such as an uploaded photo), that information becomes personal data. (Read Article 4.1 of the GDPR to get the full definition.)
The reach of personal data is extremely broad. If your company is storing any user data, it is very likely that it qualifies as personal data and GDPR applies.
What is the goal of GDPR?
Aside from its data protection and privacy goals, GDPR specifically aims to harmonize data protection laws across Europe. In the past, there have been differing levels and different implementations of data laws in the EU. GDPR is intended to make sure that all of the EU falls under the same set of regulations.
Who does it apply to?
GDPR applies to all organizations that are providing goods and services in Europe. Even if your organization isn’t incorporated in the EU, GDPR still applies to you as long as you have an active business presence in the EU.
What is the cost of non-compliance?
Article 83 states that the fine for non-compliance is up to 4% of a company’s global revenue or €20 million, whichever is greater. In addition, Article 82 states that companies may be responsible for compensation for damages to their users.
More than that, companies that fail to comply with GDPR run the risk of losing customer trust. When there is a violation and a company is hit with fees, that information will be made public for all potential customers to see.
It’s important to remember that the goal of GDPR is not to slap companies with fines at every opportunity. Regulators are hoping to instill the right mindset of data privacy and protection; thus, the fines are designed to be proportionate for each company, while still being both effective and dissuasive.
How does my company achieve GDPR compliance?
The question your company should ask is not, “Are we compliant?” Instead, it’s more effective to ask, “How compliant are we?”
GDPR is not a black-and-white regulation. One of the most effective ways your company can get started is to adopt a risk-based approach. By evaluating the risks in your existing data policies and internal data processing methods, you can address the highest risks first and increase your overall compliance. There are three key questions that will help you evaluate risks:
What harm might come to this individual if his or her data gets into the wrong hands?
What negative impact will insecure data processing have on this individual?
How likely is it that this will occur?
The highest data risks in your company will be with sensitive data being used in unsecured systems. For example, if your company has a data breach and reveals all of your customers’ favorite ice cream flavors, the potential harm to each user is minimal. The stakes change, however, when you are revealing something like health information or religious views.
Where can I learn more about GDPR?
Here are some resources that we’ve found helpful in our own journey toward compliance