In May last year the GDPR came into effect, giving people more up-to-date rights over their data and giving businesses a single data protection law across the EU.
One of the rules within this law is the right to erasure, or the right to be forgotten as it is more commonly known. Put simply, it is the right of an individual to request that a company removes the personally identifiable information it holds on them.
However, one of Sitecore’s features and selling points is that it tracks and stores data, and this data then feeds into reports like the path analyser, profile screens, personalisation and other analytics. For a marketer who is not overly technical but may be responsible for the site, it is not particularly clear how to deal with a right to be forgotten request.
What data Sitecore tracks
First let’s break down what data Sitecore is actually storing on visitors/users. It’s worth remembering that your Sitecore build may also store additional data outside of Sitecore’s own functionality, e.g. through an integration to a CRM or a custom database.
Personal Contact Data
The simplest way to think of personal contact data is the information you see when you go into the Experience Profile section from the dashboard. From here you can see when people visited the site, what goals and events they triggered, their personas and profiles, and personal details like their name or email address.
A user does not need to register on the site to start appearing in here and have data on them tracked. A form submission using Sitecore Forms or the older Web Forms for Marketers module can be used to populate names and email addresses. Bespoke code could also have been used to identify a user and store additional facets of information on the user.
Personal contact data is also referred to as xDB.
Personal User Data
Unlike personal contact data, personal user data is information about users who have registered on the website. This data is not stored in xDB; to view it in Sitecore you go to the User Manager. Out of the box Sitecore will only store names, emails and passwords, but the user profile could have been expanded to contain additional fields.
Other than the way it is stored, the best way to understand the difference between contact data and user data is that users are authenticated with a password login, whereas contacts are identified by a cookie or self-identify by providing an email address.
Form Data
Quite simply, any data submitted using Sitecore Forms or Web Forms for Marketers. Any third-party or bespoke forms will save their data outside of Sitecore.
Session Data
Any information being tracked within the user’s session on the site.
How do you remove the data
The first thing to say is that if you are on anything earlier than Sitecore 8.2 Update 7, then it’s time to upgrade. You could potentially build a solution that removes the data, but as the support lifecycle is quickly running out on anything pre-Sitecore 9, upgrading is the better option.
Sitecore 8.2 Update 7 introduced the removeContactPiiSensitiveData pipeline. The first thing to note about this pipeline is that it does not delete the contact; it removes the sensitive data on the contact. This way your analytics will still contain the data needed to power things like the path analyser and general reports, but it will be anonymous, so you will no longer be able to find out who it relates to.
This pipeline will also only facilitate the removal of personally identifiable information (PII) on contact data. It will not update users or form submissions.
If you have expanded the contact data by adding extra facets, these can also be anonymised by configuring the facet list in the pipeline config.
There is also no admin interface to trigger the pipeline. A code solution that calls the pipeline to remove the contact’s PII will need to be developed, and it should fit in with the process the rest of the business follows.
For personal user data the situation is better. The User Manager screen can be used to delete a user from the system, and a programmatic approach can do a similar thing using the Security API.
In Sitecore 9, Sitecore added more tools for removing personal data by building it into Xconnect and providing admin interfaces. Contact data still follows the same technique of anonymising the data rather than removing it, but custom facets are now marked directly with [PIISensitive] to have them anonymised.
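An added example in C# of the Sitecore 9 approach described above (this is not code from the original post or from Sitecore): a custom facet marked [PIISensitive], the xConnect client call that anonymises a contact identified by email, and a Security API deletion of the matching registered user. It assumes the identifier source name "email", the "extranet" domain and the hypothetical facet LoyaltyCardFacet; a custom facet also has to be added to the deployed xConnect collection model before xConnect will store it.

```csharp
using System;
using Sitecore.XConnect;
using Sitecore.XConnect.Client;
using Sitecore.XConnect.Client.Configuration;

// Hypothetical custom facet. [PIISensitive] tells xConnect to clear this facet when the
// right to be forgotten is executed, alongside the built-in PII facets (names, emails, etc.).
[PIISensitive]
[Serializable]
public class LoyaltyCardFacet : Facet
{
    public const string DefaultFacetKey = "LoyaltyCard";
    public string CardNumber { get; set; }
    public string Postcode { get; set; }
}

public static class RightToBeForgotten
{
    // Anonymises the xDB contact that was identified with the given email address.
    // The contact and its interactions remain so reports still work; only PII facets are cleared.
    // Returns false when no such contact exists, so the caller can record the outcome.
    public static bool AnonymiseContactByEmail(string emailAddress)
    {
        using (XConnectClient client = SitecoreXConnectClientConfiguration.GetClient())
        {
            // Assumption: "email" is the identifier source used when the visitor self-identified.
            var reference = new IdentifiedContactReference("email", emailAddress);
            Contact contact = client.Get(reference, new ContactExpandOptions());
            if (contact == null)
            {
                return false;
            }

            client.ExecuteRightToBeForgotten(contact);
            client.Submit();
            return true;
        }
    }

    // Registered users live in the ASP.NET membership database, not xDB, so they are
    // deleted rather than anonymised. Assumption: site users are in the "extranet" domain.
    public static bool DeleteRegisteredUser(string userName)
    {
        string fullName = "extranet\\" + userName;
        if (!Sitecore.Security.Accounts.User.Exists(fullName))
        {
            return false;
        }
        return System.Web.Security.Membership.DeleteUser(fullName, true);
    }
}
```

Both methods should be called from whatever approval step the business process defines, and the result logged so there is a record that the request was actioned.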
Use the table below to understand what method can be used to remove data either through an interface or code.
| Data Type | API Method | User Interface Method |
|---|---|---|
| Personal Contact Data | Xconnect Client API using | Experience Profile Screen |
| Personal User Data | Security API | User Manager Screen |
| Form Data | Custom SQL Script to Forms DB | |
| Session Data | Call Session.Abandon(), Session.Clear() | |
With this information at hand your next steps should be:
- If you’re not on Sitecore 8.2 Update 7 or later, then upgrade.
- Check what personally identifiable information is stored and whether your custom facets have the [PIISensitive] attribute attached to them.
- Decide on a process to remove PII data. Sitecore is just one part of this and it should fit into a bigger business process.