How does Liferay DXP support GDPR Compliance?

Liferay’s robust development features allow you to maintain full control over your users’ data and gives you the option to pursue the right strategy for your company, whether that’s anonymization, building extra encryption or anything else.

See More of Liferay DXP’s Developer Tools

Data is the lifeblood that powers modern businesses. The more people use a product, the more data they contribute, which drives smarter products, which draws more users, which ultimately creates even more data. This concept is known as data network effects: the more user data companies have, the greater their ability to offer smart, valuable products that trounce the competition.

As such, businesses now face a powerful incentive to maximize data collection. In an ideal world, this effect would be a win-win scenario for both companies and individuals. However, recent events show that the relentless pursuit of data without regard for users’ right to privacy can result in great damage to users’ well-being. Data protection and privacy regulations such as GDPR seek to disincentivize data collection practices that are carried out at the user’s expense.

Personal data is any information that is tied to an identifiable individual. For example, if you can tie a unique identifier (such as an email address) to any information (such as an uploaded photo), that information becomes personal data. (Read Article 4.1 of the GDPR to get the full definition).

The reach of personal data is extremely broad. If your company is storing any user data, it is very likely that it qualifies as personal data and GDPR applies.

Aside from its data protection and privacy goals, GDPR specifically aims to harmonize data protection laws across Europe. In the past, there have been differing levels and different implementations of data laws in the EU. GDPR is intended to make sure that all of the EU falls under the same set of regulations.

GDPR applies to all organizations that are providing goods and services in Europe. Even if your organization isn’t incorporated in the EU, GDPR still applies to you as long as you have an active business presence in the EU.

Article 83 states that the fine for non-compliance is up to 4% of a company’s global revenue or €20 million, whichever is greater. In addition, Article 82 states that companies may be responsible for compensation for damages to their users.

More than that, companies that fail to comply with GDPR run the risk of losing customer trust. When there is a violation and a company is hit with fees, that information will be made public for all potential customers to see.

It’s important to remember that the goal of GDPR is not to slap companies with fines at every opportunity. Regulators are hoping to instill the right mindset of data privacy and protection; thus, the fines are designed to be proportionate for each company, while still being both effective and dissuasive.

The question your company should ask is not, “Are we compliant?” Instead, it’s more effective to ask, “How compliant are we?”

GDPR is not a black-and-white regulation. One of the most effective ways your company can get started is to adopt a risk-based approach. By evaluating the risks in your existing data policies and internal data processing methods, you can address the highest risks first and increase your overall compliance. There are three key questions that will help you evaluate risks:

• What harm might come to this individual if his or her data gets into the wrong hands?
• What negative impact will insecure data processing have on this individual?
• How likely is it that this will occur?

The highest data risks in your company will be with sensitive data being used in unsecured systems. For example, if your company has a data breach and reveals all of your customers’ favorite ice cream flavors, the potential harm to each user is minimal. The stakes change, however, when you are revealing something like health information or religious views.