How KIT, Our CMS, Complies With GDPR Legal Requirements
We have been busy getting our CMS product, Kit, to become GDPR compliant. Over the last year or so we have remodeled much of our core code so that the privacy of users on the site has become central to the way that we design and code going forward.
Right to erasure
This module will allow you to easily delete a user whilst retaining important information such as orders. The following example shows the difference before and after the change.
Before the code change, it was not possible to delete a customer who had ordered a product from your site. Thus, your only possible action was to make their user account inactive. However, if the website suffered a data breach at a future date that user’s data would be exposed.
The Right to Forget module allows you to delete a user, along with their associated log and audit records whilst retaining the order (the order is essentially attributed to no one). Thus, if the site should suffer a data breach in the future that user will not be found.
Right to be informed (data breach)
In the event of a data breach, you will need to contact the people affected and the Information Commissioners Office within 72 hours. We would work with you closely to identify the scope of the breach and to prevent future access. As such we are asking all of our customers to appoint a Data Commissioner and to provide us with their details so that we could contact them in the event of an emergency.
Independent of our actions your Data Commissioner will be able to easily download a CSV file of all active users on the site and use this to easily contact all affected people.
As our KIT sites do not store card details, harmful data is somewhat minimised. Passwords are stored in an encrypted and salted format. Our help site will provide you with suggested wording to use in the event that you need to carry out this task.
This has been disabled by default so that all KIT-based sites using a mailing list can become compliant. We may need to still work with you to modify wording on your subscription forms or to unbundle consent into separate items if needed.
A graphical guide to GDPR