How does Liferay DXP support GDPR Compliance?
Though no software product can offer a checklist of features to make your company completely GDPR compliant, the tools in Liferay Digital Experience Platform can greatly accelerate your company’s journey toward compliance. Features such as data export, data erasure and user permissions combined with Liferay DXP’s flexible architecture enable you to adapt business-critical software to the evolving needs of your data protection strategy.
Because of Liferay’s open source roots, flexibility and interoperability are key tenets of how Liferay engineers technology. Liferay DXP is designed to empower your company to assemble the technology stack of your choice, facilitated by market-leading capabilities for integration, extensibility and scalability. Companies should be free to choose the foundational technologies and adjacent solutions that best address their customers’ interests, without any fear of vendor lock-in.
Liferay also participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. Liferay is committed to subjecting all personal data received from European Union (EU) member countries and Switzerland, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles.
Right to Be Forgotten
Right to Data Portability
The right to data portability requires organizations to provide a machine-readable export of a user’s personal data upon request; its purpose is to prevent vendor lock-in. With Liferay DXP, administrators can export a user’s personal data per application before going through the erasure process.
Roles and Permissions
Search, Tags and Categories
Developer Tools, Services and APIs
Liferay’s robust development features allow you to maintain full control over your users’ data and give you the option to pursue the right strategy for your company, whether that’s anonymization, building extra encryption or anything else.
Why is GDPR necessary?
Data is the lifeblood that powers modern businesses. The more people use a product, the more data they contribute, which drives smarter products, which draws more users, which ultimately creates even more data. This concept is known as data network effects: the more user data companies have, the greater their ability to offer smart, valuable products that trounce the competition.
As such, businesses now face a powerful incentive to maximize data collection. In an ideal world, this effect would be a win-win scenario for both companies and individuals. However, recent events show that the relentless pursuit of data without regard for users’ right to privacy can result in great damage to users’ well-being. Data protection and privacy regulations such as GDPR seek to disincentivize data collection practices that are carried out at the user’s expense.
What qualifies as personal data?
Personal data is any information that is tied to an identifiable individual. For example, if you can tie a unique identifier (such as an email address) to any information (such as an uploaded photo), that information becomes personal data. (Read Article 4.1 of the GDPR for the full definition.)
The reach of personal data is extremely broad. If your company is storing any user data, it is very likely that it qualifies as personal data and GDPR applies.
What is the goal of GDPR?
Aside from its data protection and privacy goals, GDPR specifically aims to harmonize data protection laws across Europe. In the past, there have been differing levels and different implementations of data laws in the EU. GDPR is intended to make sure that all of the EU falls under the same set of regulations.
Who does it apply to?
GDPR applies to all organizations that are providing goods and services in Europe. Even if your organization isn’t incorporated in the EU, GDPR still applies to you as long as you have an active business presence in the EU.
What is the cost of non-compliance?
Article 83 states that the fine for non-compliance is up to 4% of a company’s global revenue or €20 million, whichever is greater. In addition, Article 82 states that companies may be responsible for compensation for damages to their users.
More than that, companies that fail to comply with GDPR run the risk of losing customer trust. When a violation occurs and a company is fined, that information will be made public for all potential customers to see.
It’s important to remember that the goal of GDPR is not to slap companies with fines at every opportunity. Regulators are hoping to instill the right mindset of data privacy and protection; thus, the fines are designed to be proportionate for each company, while still being both effective and dissuasive.
How does my company achieve GDPR compliance?
The question your company should ask is not, “Are we compliant?” Instead, it’s more effective to ask, “How compliant are we?”
GDPR is not a black-and-white regulation. One of the most effective ways your company can get started is to adopt a risk-based approach. By evaluating the risks in your existing data policies and internal data processing methods, you can address the highest risks first and increase your overall compliance. There are three key questions that will help you evaluate risks:
- What harm might come to this individual if his or her data gets into the wrong hands?
- What negative impact will insecure data processing have on this individual?
- How likely is it that this will occur?
The highest data risks in your company will be with sensitive data being used in unsecured systems. For example, if your company has a data breach and reveals all of your customers’ favorite ice cream flavors, the potential harm to each user is minimal. The stakes change, however, when you are revealing something like health information or religious views.