Last week we spent two days with Kentico in London discussing how their two products are adapting to challenges posed by GDPR.
It’s an interesting time to be a CMS partner. On the one hand, we’re seeing a trend towards the ‘headless’ model, where the content platform is a much smaller piece of the overall digital infrastructure. On the other, there are still companies using a traditional CMS to manage lots of their digital services through one system.
From a GDPR perspective, these different product applications require different solutions.
For this blog we are looking solely at Kentico and how it plans to support its customers moving forward. That said, there are some pieces of general advice in here which could be useful.
Kentico 11 EMS comes with GDPR controls
Perhaps unsurprisingly, given the recent focus on GDPR, Kentico 11 (scheduled for release on December 11th) comes with a new GDPR module. This module collects the details of people who have:
- Given their consent to be contacted
- Revoked their consent and asked to be forgotten
- Asked for all of their data to be provided
Interestingly, because IP tracking is included under GDPR, any customer who asks to be forgotten will effectively stop any personalisation rules running on their session, including GeoIP targeting.
Quite how much this functionality will be used remains to be seen. Most organisations using Kentico EMS have a central point of truth for data in a CRM system which interfaces with their CMS. In practice, data processing for consent, revocation of consent and data access requests is likely to be done outside of the CMS. That said, the fact that Kentico has this module at least provides website functionality which could interface with more comprehensive CRM routines that support these three scenarios. It also means that anyone using Kentico EMS to send emails can automatically remove unsubscribed people from routines, thus avoiding fines.
What about users of Kentico CMS? What do we do?
The bad news is that for anyone not using the EMS there is no out-of-the-box functionality to turn on and start collecting data.
According to the new regulations, there is now an onus on organisations to be specific about what consent is for (i.e. not general marketing). Even considering this, most organisations’ website subscription models are relatively simple. Email sign-ups, website enquiry forms and gathering data from sales transactions come with relatively obvious forms of consent. That said, it’s sensible to get legal advice on whether you’ve got your legalese in order (we know a good legal firm if you need one).
For Kentico CMS customers, bespoke work is probably required to ensure that as consent is gathered there is a written record of what the consent was for and how it was gathered. This could be as simple as timestamping consent form submissions and attaching the latest copy of the consent agreement to the record stored in the CMS. For organisations with web-to-lead integrations this is likely to require additional work, as additional data will need to be transferred along with traditional form data fields like email address, phone number, etc.
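One way to structure such a consent record, shown as an added example rather than Kentico code or anything from the vendor: the schema, function names and sample submission are all hypothetical and constructed for illustration. It timestamps the submission, stores the exact wording shown to the user with a digest of it, and passes the consent evidence along in a web-to-lead payload.

```python
import hashlib
import json
from datetime import datetime, timezone

def record_consent(form_fields, purpose, agreement_text, collected_via, now=None):
    """Build the audit record stored beside a form submission (hypothetical schema)."""
    if not purpose.strip():
        raise ValueError("consent must name a specific purpose")
    now = now or datetime.now(timezone.utc)
    return {
        "subject": form_fields["email"].strip().lower(),
        "purpose": purpose,                      # what the consent was for
        "collected_via": collected_via,          # how it was gathered
        "consented_at": now.isoformat(),         # UTC timestamp of the submission
        "agreement_text": agreement_text,        # copy of the wording shown
        "agreement_sha256": hashlib.sha256(agreement_text.encode("utf-8")).hexdigest(),
        "revoked_at": None,
    }

def revoke_consent(record, now=None):
    """Return a copy with a revocation timestamp; the grant details are kept."""
    now = now or datetime.now(timezone.utc)
    return {**record, "revoked_at": now.isoformat()}

def agreement_intact(record):
    """True if the stored wording still matches the digest taken at submission.
    Catches accidental edits or bad migrations; it is not tamper-proof."""
    digest = hashlib.sha256(record["agreement_text"].encode("utf-8")).hexdigest()
    return digest == record["agreement_sha256"]

def web_to_lead_payload(form_fields, record):
    """Traditional form fields plus the consent evidence the CRM also needs."""
    keys = ("purpose", "collected_via", "consented_at", "agreement_sha256", "revoked_at")
    evidence = {k: record[k] for k in keys}
    return json.dumps({**form_fields, "consent": evidence}, sort_keys=True)

# Constructed sample submission (not real data)
SAMPLE_FORM = {"email": "Jane.Doe@example.com", "phone": "+44 0000 000000"}
SAMPLE_TEXT = "I agree to receive the monthly product newsletter by email."

if __name__ == "__main__":
    rec = record_consent(SAMPLE_FORM, "monthly newsletter", SAMPLE_TEXT, "footer sign-up form")
    print(web_to_lead_payload(SAMPLE_FORM, rec))
    print("agreement intact:", agreement_intact(rec))
```

Sending the digest rather than the full wording keeps the web-to-lead payload small while still letting the CRM tie each lead to one specific version of the agreement.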
And for users of Kentico Cloud?
Lots of Kentico Cloud clients do not collect any data, but they might still need to facilitate GDPR requests.
The regulation states that it must be as easy for someone to revoke consent as it is for them to give it in the first place. So, if you’re thinking of creating a microsite for a campaign and sending your existing customers to it via email, social media or your other websites, you’d be wise to have some sort of unsubscribe function available. This could be done pretty easily (just a form saying remove me from lists / send me my data), or it could be more complicated if you want to preserve consent to send messages from other websites and brands. Both scenarios are likely to require sending information on to the data controller(s) in your organisation, which may require integration to streamline request handling.
Can Kentico EMS customers using versions 9-10 get GDPR tools?
Not without upgrading. There are no plans to release the GDPR module as a buyable feature in the Kentico marketplace.
For anyone who has lapsed with their upgrade plans, this should be a kick up the backside to get their ducks in a row. Anyone upgrading from v8 or v9 to v11 in one go is likely to be looking at quite a bit of work to get everything, including the GDPR tools, up and working. If you need help upgrading your EMS or want help in auditing your business for GDPR compliance, feel free to get in touch with one of our offices below…
London +44 (0)203 874 3574 | Boston +1 (617) 340 7044
Belfast +44 (0)28 9044 7800 | Dublin +353 (0) 1839 6580 | Leeds +44 (0)113 357 0056