The European Union's General Data Protection Regulation on data privacy rights takes effect as of May 2018:
"The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy."
Adobe recognizes that this presents a new opportunity for companies to strengthen their brand loyalty by focusing on consumer privacy while delivering amazing experiences. For further information see the GDPR page at the Adobe Privacy Center.
Adobe Experience Manager (AEM) must be considered for GDPR compliance. These considerations can be broken down by module.
AEM instances, and the custom applications that might process PII, are owned and operated by AEM customers. This means that the Data Processor and Data Controller, as defined in GDPR, are both owned and managed by the AEM customer, so AEM 6.4 does not include any out-of-the-box service to handle GDPR requests.
The diagram above illustrates what a GDPR request workflow might look like.
Adobe is providing documentation and procedures (with APIs when available) for the customer privacy administrator or AEM administrator to handle GDPR requests and help our customers comply with this regulation. The documented procedures allow them to execute GDPR requests manually or, where APIs are available, by calling those APIs from an external portal or service. Please see the sections below for GDPR documentation for AEM product areas.
AEM Communities supports the data subjects' right to data portability, right to access, and right to be forgotten by means of out-of-the-box APIs. These APIs enable bulk deletion and bulk export of user-generated content, and disabling of user accounts identified through their authorizable IDs. However, permanent deletion of a user account is achieved by deleting the user node in CRXDE Lite, which addresses the need for an easy opt-out from the system.
Additionally, AEM Communities offers privacy by design through its Bulk Moderation console, which allows privileged members to find and delete the contributions and details of users. The Members management console allows restricting a contributor, up to and including banning them. Moreover, it allows data subjects to delete the contributions they authored.
AEM Forms includes components and workflows that capture, process, and store data to orchestrate business processes and complete digital transactions. Different components use different data stores and allow integration with custom data stores as well. The following documentation explains procedures and guidelines for accessing and handling user data to support GDPR workflows for a component.