The General Data Protection Regulation (GDPR) has been in place since May 2018, yet in many cases it isn’t being followed. There have already been some high-profile penalties handed out, with some companies being fined more than $226 million (around £172 million).
Data breaches aren’t rare - around 90,000 cases of personal information being accidentally or unlawfully disclosed have been reported since GDPR came into effect - so it’s important you adopt the right processes to protect the business. For marketers, that means talking to your CMS vendor. Here are three of the most important questions you’ll need to put to them in order to make sure you’re GDPR-compliant.
1. How easily and quickly can data be deleted?
Under GDPR, every individual has the right to request that their personal data be erased. This is sometimes known as the ‘right to be forgotten’, and once the company receives a request, you have a month to comply with it (the regulation allows this to be extended by up to two further months for complex requests, but you must tell the individual within the first month). The main reasons you may keep personal data after such a request are if you need it to exercise freedom of expression and information, if you have a legal obligation to keep it, or if holding it is in the public interest; the regulation also allows retention for public health, archiving and research purposes, and to establish or defend legal claims.
You therefore need to know how such a request is handled end to end. You need to be sure your CMS can find and delete every copy of an individual’s data - including backups, caches, logs and exports - within the deadline, and it helps to understand how much of that is automated and how much is manual work. You might prefer to be able to do it yourself, so you have control over the whole process; either way you’ll need to talk to your CMS provider.
2. Who has access to personal data?
No matter how well you protect your data, you can still be held partly responsible if a third party suffers a breach. This is a significant problem, with almost half of companies experiencing a data breach due to a third-party vendor, yet despite this around 40% have no formalised third-party policy in place.
If a company collects data, it has a responsibility to keep it safe, which means you need to know exactly which companies have access to it. While you can put together a list of the vendors you work with directly fairly easily, you also need the same list from your CMS provider: the sub-processors it relies on (hosting, backups, analytics, support tooling and so on), where they are located, and whether it will notify you before adding a new one. Under GDPR a processor may only engage a sub-processor with your authorisation, so this should be covered in your data processing agreement with them.
3. What data breach security do you have in place?
If the data you collect is leaked by your CMS vendor, you, as the data controller, remain ultimately responsible for it, so you should make yourself aware of what security they employ. Over half of data breaches are caused by hacking, so asking about their encryption (both in transit and at rest), their access controls and patching, and their network protections such as firewalls will be a good place to start.
You should also look at what procedures they have in place for detecting and containing breaches. According to IBM, it takes companies an average of 206 days to identify that a data breach has occurred, then another 108 days to fully contain it. Bear in mind that GDPR requires a processor to notify you without undue delay once it becomes aware of a breach, and that you must then report it to the supervisory authority within 72 hours where feasible, so ask for that notification commitment in writing. You’ll want to know how your CMS vendor plans to deal with cybercrime if they end up falling victim to it.