Discussing Stupid
April 25, 2018

Preparing your website for GDPR (or just because privacy matters) | David Komarek, Kentico


Join Virgil Carroll as he hashes over what has been one of the most over-talked-about changes in global digital marketing in a very long time: the implementation of GDPR. The European Union's General Data Protection Regulation rewrites the book on digital personal privacy and creates a new mandate for how organizations need to respect and protect individuals' data. While this topic has been talked about in a million different ways, today's podcast offers a different angle. We focus on how difficult GDPR is to implement as part of your digital strategy while exposing some of the myths and overreactions around these new regulations. You might not think you should care about regulations from the European Union, but GDPR compliance is a huge step in the direction of showing your customers that their privacy really matters to you!

To help gain a better perspective on GDPR, Virgil is joined by David Komárek, the Content Management Product Owner at Kentico Software. David led the charge at his organization to make Kentico CMS one of the first fully GDPR-compliant content management software solutions on the market. During the discussion, David shares the complex journey Kentico had to take and what they learned about their own data practices as well as those of their customers. David recommends: "First, try to learn as much as you can about GDPR . . . use somebody who is informed in GDPR and who can educate your internal staff . . . then look at the data and what you're doing with it." Virgil and David also discuss how to understand what is important to do in managing your customers' privacy and give some good real-world advice on how to start your compliance journey.


Transcript

Speaker 1 (00:00):
Note: this podcast does not discuss nor endorse the idea of discussing stupid ideas, because we all know there are no stupid ideas.

Speaker 2 (00:13):
Hello and welcome to Discussing Stupid, the podcast where we will tackle everything digitally stupid: from stupid users and the crazy things they do, to stupid practices and the people who use them, to the stupid things we all do, and maybe even come up with a few ideas on how to do things better. And now that I got your attention, let's start discussing stupid.

Virgil Carroll (00:37):
Hello everybody and welcome to this broadcast, to the podcast. I'm Virgil Carroll, your host and principal human solutions architect at High Monkey. Today's episode is a very exciting topic. Well, maybe not an exciting topic, but a very necessary topic, and we're going to talk about the GDPR. If you're not familiar with the GDPR, GDPR is the General Data Protection Regulation; it is getting ready to get implemented here this coming May by the European Union and is going to really redefine how people's privacy is protected in a digital world. So it can be considered a necessary thing, but also something that is going to be very paramount here even for US-based companies and companies in other countries outside the European Union, whether you feel it hits some mark or kind of greatly overreaches in the world of web. It's a very important thing and it's important that you know what to do. So today, joining me, I have David Komarek. David is a product owner at Kentico Software, a CMS based out of Brno, Czech Republic, and David and I are going to be talking about how GDPR really affects public websites around the world.

Virgil Carroll (01:44):
Well, welcome, David. Really appreciate you joining us. Can we first start by you telling us a little bit about yourself and kind of what you do at Kentico?

David Komarek (01:52):
First, thanks for having me here. So what I'm doing at Kentico: I'm a product owner responsible for content management and online marketing. So my main responsibilities are basically to understand the market and our customers, find out what their needs or their issues are, what they are facing, and then somehow transform it into product features.

Virgil Carroll (02:13):
Great. Great. So let's just go ahead and get right into it. As you and I have talked about before, you know, one of the big things with the GDPR obviously is what we do on our public websites and all the different things in there, and to me it's just crazy, because when you actually read through the regulations, which unfortunately as part of my job I actually had to do, I almost needed to take Red Bull and everything else to try and keep myself awake during it. But overall, reading through those, one of the things that I kinda came upon was, wow. Uh, as a matter of fact, I just provided a report to a client about their website and the first question I got back was, are you kidding? And they thought maybe that I was over-exaggerating what it really takes to be compliant with GDPR. So when Kentico decided to start down this path of actually building GDPR compliance into their version 11, what were some of the things you saw there from your clients in the digital marketing space that you knew you were going to have to deal with up front to really be successful in meeting all the different nuances of the GDPR?

David Komarek (03:22):
Yeah. Well, let me start with maybe a little bit more of a general approach, because it's all about, you know, the actual approach, how you're, you know, what the principles are you're looking at, how you're working with everything. So what we saw is that many marketers actually focused on gathering as much data as possible. So all the names, email addresses and company details and all the tracking of user actions, you know, just in case, sometimes without even having a real or verified purpose for such data; they had no reports, for example, or maybe they just didn't use them. We therefore decided to map all the data flows in Kentico, you know, so that marketing teams actually understand what data is being captured and they can somehow limit the scope to comply with GDPR in regards to the data minimization principle. So that was probably the first thing that we saw. Second, we also saw many marketing teams re-purpose and gather data such as email addresses from registrations, for example, and they basically took them and also used them for various campaigns and newsletters without a legal basis, and this is not okay. Right. And maybe a first thing that I remember, have you noticed that some marketing teams had actually no idea that a single data subject may actually be represented several times within a system, such as being a customer in the online store and at the same time the recipient of a newsletter. So this, together with the repurposing of email addresses I mentioned, led to the fact that certain customers simply couldn't have their data, let's say, properly forgotten even when there were no more reasons actually to keep them.

Virgil Carroll (05:11):
Yeah. You know, one of the things that I see a lot in the world of digital marketing is, and one of the interesting things to me is, how broad-scoped the GDPR tries to be, especially from the avenue of consents and the right to be forgotten, the right to access; it doesn't just stop with your website. It's what you do with that data once it's on your website. So if somebody fills out a form, and they have a contact form and they fill it out, they're doing it for the purpose of "contact me." You know, I'd like to be contacted, but organizations take that data and they use it to market. They use it to track, they use it for all these other things. Well, it even goes beyond that, because you could maybe do all that inside of your website itself, but then on top of that, now what happens if that contact form emailed a person to their email box and that person's information is now in somebody else's email box, and that person forwards it on to another individual; that now goes to that individual. So now it's in their email box. Well, maybe both of those email boxes plus the website also have backups of data that are going through, and it's just amazing how much it compounds. But I was talking to you about the recent study I did and one of the things I found was exactly what you said as well, which was most organizations, I don't think, realize that they actually have multiple data points for the single contact, because maybe they filled out multiple forms or, like you said, subscribed to a newsletter and also reached out via a contact. Maybe, you know, did something to gain access if it was an ecommerce site, to subscribe, to be able to purchase something. So that's one of the big things. I really found Kentico's kind of solution for the consent piece and doing that interesting. Can you talk a little bit about why you guys decided to do kind of that level of integration? Especially from the consent side, because for me, when you start talking about organizations outside the European Union and where they're probably most liable, the consent piece is probably one of the bigger spots where there could be issues.

David Komarek (07:25):
Right. Well, when we learned how much the GDPR pulls on our partners and clients actually when trying to comply, we decided to address, you know, at least those areas that are somehow directly related to Kentico's core functionality as a CMS, including all the online marketing features. Of course, Kentico as a company, including our Kentico websites, faces GDPR as well, so it just made sense to share what we learned with our partners and clients through the feature set.

Virgil Carroll (07:58):
Oh yeah. One of the interesting things I find from that, and I'd like to talk a little bit more about that because I think that's important from that side, is when you started to go down this path of looking at GDPR compliance, did you guys just read the regulations and do it yourself, or how did you kind of get to that point where you understood what you needed to do inside Kentico to make it compliant?

David Komarek (08:23):
Right. Well, this was quite a challenging task to do actually, because we started at this at the same point as any vendor or everybody else. That means basically zero knowledge about the actual GDPR. Uh, so we decided to actually cooperate with several consulting and legal companies here as well as in some other countries in order to get as much information. And so we basically had to go through the system, you know, introduce the system and then look at what the main issues are that websites and ecommerce stores and intranets and so on actually have to deal with if they are built on our system, and then look for where we can help, what we can address.

Virgil Carroll (09:07):
And where were some of those areas that you found the most challenging to tackle from that side?

David Komarek (09:13):
Right. Well, the most complex part was probably dealing with personal data and consents in regards to online marketing features such as contact tracking, forms, personalization in email marketing, et cetera. For many such activities, consent from data subjects may be needed on public websites. And we focused on implementing support for, you know, the most common scenarios. So these may actually include something like gathering consents on homepages in order to track visitors' behavior, which can then be used for personalization. Also, you know, obtaining consents when submitting forms or subscribing to newsletters. We also looked into how to make use of such consents when performing, let's say, segmentation or personalization. And the most important part here: we made sure that it's somehow possible to behave according to the visitor's wishes in case consent is revoked, because this is something that GDPR strictly, you know, says. Now, being compliant with GDPR will definitely be challenging. But when it comes to websites built on Kentico, I hope that, you know, once all the company processes that are related to GDPR are somehow established and also the staff is trained in GDPR, it shouldn't be that hard, I hope, to actually build it later on.

Virgil Carroll (10:38):
Yeah, I mean you bring up such a good point. I wish I, I probably shouldn't pick on it considering it's a government entity, but you know, when you talk about the amount of effort it takes to comply with something like all the provisions of the GDPR, I mean, you know, I would almost argue myself, will a single organization inside the EU government itself be compliant to track data? I always look at it like, you know, I've been doing this for a long time and we can't even get a client to have good governance around a single product that they own. And basically GDPR says, by the way, you need to have good governance around everything. You need to understand your entire data flow in its entirety. I don't disagree. This is a great practice. I also see it as very unrealistic. I think it's going to be very interesting when the GDPR actually goes into effect in May as to what happens from there, because the question really to me is twofold. Number one is, what's going to happen to the 80 percent of companies that will not be fully compliant? I mean, I think if you send an email to another person with somebody's name, technically you could be out of compliance. And the second part is, what can the EU really do about it? And I don't say that flippantly. I say that as: are they going to go after 587,000 different organizations in the first two months of this? What's going to happen from that? And I have a feeling they want to go after some big fishes up front, which they probably feel have violated these types of policies for a very long time. But it's going to be interesting how this is going to come down to smaller organizations. And so when you were doing your research into the GDPR, I'm kind of curious. I'm assuming, you know, you guys probably spent some time talking with customers throughout the European Union, but also some of your customers in other countries. What did you guys learn from them, or what did you see for somebody who's not a Google or an Apple or Amazon or something like that, somebody on a smaller scale? Where did you really see, well, here's their potential liability in compliance compared to some of the big organizations?

David Komarek (13:01):
I believe that most companies will adopt some changes sooner or later, you know, even if they are outside the EU, because larger companies usually target at least some European countries with their services. Most websites, even of smaller companies, actually track EU visitors' behavior. So GDPR effectively applies to them as well. Also, you know, another reason I see that most companies will want to adopt something is that GDPR is not the only regulation meant to address data protection. There are new, or let's say updated, data protection regulations emerging all around the world, like Brazil, uh, Switzerland, Bermuda, or even the Cayman Islands have something now. So therefore waiting and hoping that it will not affect their business may not pay off in the long term. Of course you had a good question: what is the EU gonna do about it? We had such questions as well, because we do have partners and clients in mainly the United States, Canada, UK, Australia and so on. They are concerned that maybe they will not need to do anything. Usually there's always something that's in there, you know; maybe you just take care of the hosting, but you have access to the personal data, maybe you are just a data processor. You will still need to have some agreement updates at least.

Virgil Carroll (14:29):
So what do you really think the consequences are for companies, you know, in other countries violating GDPR from an EU perspective? What do you really think, I mean, kind of looking past the big guys, but some of the smaller companies, what do you think some of their consequences could be when GDPR comes into action?

David Komarek (14:49):
Firstly, there will definitely be some things that the European Union can do to even smaller companies, even outside the borders of the European Union. And the thing is, they will probably use local authorities to enforce some of the laws, and based on how the cooperation works, there may be some penalties or something like that. We have also talked to a lawyer, you know, who told us some example stories, you know, like for example, even the CTO of a company who doesn't want to comply with GDPR even though it should cannot be punished for some reason, you know, how, for example, the country is not cooperating with the European Union; then it may actually happen that, for example, a CEO of such a company can actually travel to the EU for a vacation and he could actually get arrested at the border. I mean, I don't really think that this is gonna happen on a daily basis. The thing is, uh, I believe that most companies will adopt some changes sooner or later anyways. I mean, the larger companies, they always, you know, target some European countries with their services and goods, and the smaller ones, at least, you know, track EU visitors on their websites. Also, the reason why I think everyone will actually want to comply to some extent is that GDPR is not the only regulation meant to address data protection. There are new or updated data protection regulations emerging all around the world, not only in the EU or US, but also countries like Brazil, Switzerland, a villa, a Bermuda, even Cayman Islands. So therefore just waiting and hoping, you know, that it will not affect your business may simply not pay off.

Virgil Carroll (16:33):
Yeah. And I think, you know, overall, and I actually just had a conversation yesterday about this with a customer and I said, you know, a lot of these are just good practices. I mean, even if you're not going to have a lot of ramifications from the European Union, they're probably just good things to do. And, you know, the US is obviously, compared to a lot of those countries when it comes to data privacy, well behind the curve of a lot of other nations. But at the same time, I think we're catching up and I think, you know, there's gonna be things that happen here over the next few years that probably go more in line. But one of the ones that I find very interesting, and we've kind of had some good conversations about this in the past, is this whole concept of privacy by design, where, you know, it's almost like a "duh," you know, that's great. Everybody should have it. But you know, when you read into the actual regulations themselves, it's basically, can the EU really come in and audit a foreign company and sit there and hire somebody to audit them and look at whether they meet their data privacy acts? And I think there's going to be some interesting things. And you know, most of my customers, I've kind of said, well, we know what we know, but we're not going to really know until they actually start to enforce it and we see what happens. Because I mean, really the crux of it is, until they actually start to enforce it and they start going after organizations that are outside the EU's sphere of influence, or really even inside the sphere of the EU's influence, we don't really know how that's all gonna pan out. Right.

David Komarek (18:08):
You know, just to add to this, the thing is actually, you know, if you don't even try, you know, then maybe they will find a way how to get upon issue, how to get some money for breaching some of those privacy designs and so on. If you tried your best, or at least tried to some extent, you know, then the court, most likely, or not even the court, maybe it will be a local authority, right, they will basically say, no, we can see that you really tried to stick to those principles. That's okay. Maybe, you know, next time just try to do it a little bit better, you know, or in a different way. And it's okay, you know, no fines, nothing later.

Virgil Carroll (18:49):
Right? Yeah. And so when you guys kind of started going through and really putting together what you thought Kentico should do around this process, can you kind of point out two or three items that you really saw, where you thought, you know, you saw a lot of your customers, compared to the GDPR or just data practices in the first place, had bad practices, and that you needed to kind of tackle first, more than other pieces?

David Komarek (19:16):
Yeah, I believe, as we talked about it previously, you know, mostly it's about just gathering so much data. That's the biggest issue. So we thought, you know, like maybe let's tell our partners, you know, let's tell our customers, you know, what data Kentico is working with and so on, what data they may actually expect to get from customers, what kind of tracking data there is on the website and so on, to understand it better and just get such data that is really necessary for their business to grow. Also the second thing was, you know, maybe most of the businesses that we saw are doing it unintentionally, but basically not having the legal basis for anything they did. So re-purposing stuff and so on.

Virgil Carroll (19:59):
Yeah, and definitely one of the pieces that really kind of takes that to another level is not only the stuff that you collect but the stuff that, you know, other organizations collect on your behalf. I mean, if you have a website inside something like Kentico or something like that, you're probably considered the data controller, that you control the data in that. But if you have Google Analytics running on top of it, and if you have some type of external marketing system or anything else like that kind of plugged into there, or if you're pushing information from the website into a CRM or something like that, you're really kind of opening yourself up to even more. You have to make sure that you do that. I think one of the most typical things that I probably see out there is those organizations that use those really large third-party email marketing systems, and you know, maybe have a website and you know, you have the "subscribe to our newsletter" type of piece, and then they're doing it well from that side. When you actually look at GDPR, not only do you have to make sure that if somebody asks to be forgotten that you can actually work with that company to forget it, but then on top of it, also, what if that company has a breach of their security and all the other components of it. So I'm kinda curious, you know, Kentico has a lot of functionality internally, but Kentico also recognizes that it has a large third-party ecosystem around it. Have you guys had discussions with some of your third-party vendors that have functionality that layers on top of Kentico and kind of provided some guidance or at least had some discussions with them about things they would need to do?

David Komarek (21:34):
Right. Well, you know, so we do have some, as we call it, technology partnerships. When we look at such integrations, we try that our technology partners stick to the same standards and the same, you know, policies as we put internally for each module. So for example, you know, if we do have some ecommerce integration, we try to work with the company. We have two representatives to actually somehow, you know, say, okay, so the roadmap should be similar to ours, you know, so if it comes to, you know, consents, visitor tracking, you know, fulfilling the right to be forgotten and so on, we try to enforce the same level of standards as we do internally.

Virgil Carroll (22:15):
Yeah. And that to me is going to be a huge piece too, because a lot of organizations I work with, they don't just use a tool. They have, you know, 10, 15 tools that they use to pass data back and forth. I mean, heck, even us, we have a lot of tools that we use to kind of manage different aspects. And you know, when you start looking at those tools and you start looking at that entire thing, when you start talking about, you know, kind of applying GDPR to your entire web presence and everything involved in there, this could be relatively massive. So David, before we go, I kind of have one other question for you. Since you guys have really deep-dived into this, where I'm sure every company is well down the path of actually figuring out how to comply with GDPR, let's just pretend for a second that there are organizations out there that, even this close to it actually coming into effect, have not actually even started looking at things. Since you guys have gone down this journey, and I'm sure you've had discussions with others that have, where would you really recommend that they start this process of really looking at what they need to do to be compliant?

David Komarek (23:22):
Right. Well, from what I recall, you know, the actual start was quite tough, because the first thing is you have to basically, you know, somehow learn and understand the principles so that you can then work on it internally. My recommendation would be to get a consultant or a firm that's going to actually give you all the education related to GDPR and educate your internal staff, you know, so the managers of individual departments, so they can actually teach the rest of the company. And the second step right after that would be to basically start working on the, we can call it, data flow: how and what data you're collecting, why and for what purpose and so on, who's able to actually read it, you know, print it out and so on. So that would be my recommendation. First, try to learn as much and use somebody who's good at that, who can teach you well; just don't try to do it all on your own. And then look at the data and what you're doing with it.

Virgil Carroll (24:23):
And that's such a great point, because I was going to say that, using somebody who's good at it and really knows their stuff. And I hate to say it, I think that's going to be one of the harder things to find right now because, you know, today I get, you know, probably on average four to five emails a day about the GDPR from different organizations. And I think unfortunately there's a lot of organizations that are taking advantage of this and basically kind of using scare tactics like, you know, the EU is going to shut down their website or, you know, Bill and a half million dollars, you know, the first day that it's open. But at the same time, the one thing I look at is they're all interpreting things very, very differently and kind of making their own conclusions and then trying to sell you a service, basically, to help them do it. So I think one of the things that people really need to do there is they need to find that trusted partner or find that organization. And obviously some of them, at least part of it, is going to have to have some legal background to it. But finding those that really understand this stuff and can kind of help them out.

David Komarek (25:25):
I mean, basically, if I could conclude, you know, there are two, let's say, slogans or mottos that I've heard and I think both of them actually apply to GDPR and the compliance. The first one is, you know, don't be evil, and the second one is try to be the good neighbor, you know. So if you try to stick with this and try to, you know, do your website and design your website and all your business from the perspective of privacy and personal data and sticking to these two slogans, I think it should be okay. That's a really good point in there. So.

Virgil Carroll (25:59):
Well, thank you, David. Really a lot for joining me on this show. I think we had a great conversation and some really good insight there. So if people wanted to learn more about Kentico and your offerings around GDPR, is there a way that they could find out more?

David Komarek (26:14):
Definitely. There's a whole bunch of sources on GDPR and Kentico. We decided to have our own blog on Kentico.com/blog. We also try to put as many materials related to GDPR, and especially GDPR related to websites and content management and so on, so that's one of the sources, and the other sources that I would recommend are definitely the electronic version of the GDPR itself, where you can identify a lot of interesting facts.

Virgil Carroll (26:42):
Great, and of course you can go to Kentico.com to find out a lot of that information, so thank you, David. We appreciate it, especially coming all the way from the Czech Republic to have a discussion with us, and have a great rest of your day.

David Komarek (26:42):
Thanks for having me here.

Virgil Carroll (26:59):
Welcome back to the segment that I like to call the Stupid Buzz. The Stupid Buzz is where I take a buzzword that technology has kind of taken and basically our industry has made meaningless, and there's probably no bigger word that's been made meaningless than the word governance. In that sense, we were talking about GDPR; I thought I'd talk a little bit about governance, which I thought would kind of fit into this. Governance means a lot of things to a lot of people, but overall the word governance came from the Latin verb, kubernetes, or more originally from the Greek word Poobah Nay, I don't know if I pronounced that right, which means to steer. It basically means to take something somewhere, but the reality is that most people don't really understand what governance is and tend to think of it either from the IT side, where it's technical controls and that people need to put limitations on how we use the software and how we manage our systems, or we kind of look at it from the business side and we look at it for, you know, the rules and regulations about how people develop content and that kind of stuff.

Virgil Carroll (27:57):
But overall, when I look at governance and what I really think it means, years and years ago, when I first actually started speaking in 2008, I gave a talk called "Facilitating the Government out of Governance." And where I really focus is that governance can be a necessary evil, but it's something that should be really two things. One, it should actually help people in doing their job; otherwise it shouldn't be all about limitations, but it should really be about actually doing something good for them. And number two is it should actually be something that is attainable. Otherwise, if you're going to have some type of management structure in place around your content editing, maybe your marketing processes and that, it should actually be something you can measure and actually control, not something that you need to just put on paper. So the joke years ago used to be that governance plans, you know, you got paid by the pound, otherwise how thick the document is. Today we really kind of look at governance as one of those things that should be something that is maintainable and manageable by people and that. And so when you kind of look at it overall and you ask yourself, do you need governance in that? Well, the reality is that it really does depend on what you're trying to do and whether you can actually enforce it. And so a lot of times what happens is we build governance plans basically kind of to shirk responsibility, instead of taking responsibility for something that we want to do. So if you're going to have governance, don't just be a person that gives it lip service and creates some document that's not going to be used at all. But actually, yeah, do something of meaning with it.

Virgil Carroll (29:35):
Thank you for joining me on the podcast today. If you enjoyed yourself and thought that we had some good information, feel free to subscribe to us through iTunes, Stitcher, and SoundCloud and many other services, or you can visit us on the web at discussingstupid.com, where you can find our show notes and also learn more about the different other sessions and episodes that we're doing right now. If you'd like to send a comment, you can send a comment to our email at me@discussingstupid.com, or you can follow us on Twitter at @discussstupid. And so I hope you continue to listen in to our future podcasts. So until next time we do, you can just start discussing stupid on your own.