Configuring Concord for GDPR Compliance

Important information about GDPR and how to configure your website via Concord to be GDPR compliant.

On May 25th, 2018, the European Union’s General Data Protection Regulation (GDPR) came into effect, replacing the 1995 EU Data Protection Directive. Enforced by the Information Commissioner’s Office (ICO), the GDPR is built around seven basic principles:

  • Data Minimization: Only data that is necessary for the intended purpose can be collected, stored, and/or processed.
  • Purpose Limitation: Organizations can only use data for the declared purposes.
  • Accuracy: Businesses must have processes in place to ensure accurate data. Users have the right to correct data, and must be provided the means to do so.
  • Storage Limitation: Justification for storage lengths must be provided and data retention limits must be set.
  • Security: Businesses must take reasonable means to secure their users’ data, to include necessary security measures, policies, protocols, and training.
  • Accountability: Businesses must have appropriate measures in place to demonstrate compliance, and are accountable and responsible for how they use and safeguard user data.
  • Fairness & Transparency: Personal data must be handled in a fair and transparent manner. Communication should be in plain language and be clear, concise, and honest about data collection and handling, and businesses should not handle or process user data in a detrimental, unexpected, or misleading manner.

Configuring Concord for GDPR Compliance

There are a few easy steps to take to ensure that Concord is properly configured for GDPR compliance. First, enable Express Consent Mode for Cookies and Scripts, which requires users to interact with the consent banner or Privacy Center to set their preferences.

1. Navigate to Consent > Consent Settings.

2. Click the Edit button and, from the Consent Mode dropdown, select Express.

Note: Concord recommends you initially set Blocking Mode to Discovery mode, typically during an implementation period, to find the scripts and trackers in use on your website. Discovery mode can be used to capture the cookies and scripts on your site for categorization without blocking. See here for more detail on classifying Cookies and Scripts.

3. Click to toggle Enable Do Not Sell to On or Off. Current GDPR requirements do not explicitly require Do Not Sell, but you can enable this feature if you choose to. This can be a good strategy if you want a single privacy-first configuration that you can use globally since regulations like CCPA/CPRA do require Do Not Sell.

4. Click to toggle Global Privacy Control to On or Off. Current GDPR requirements do not explicitly require GPC, but you can enable this feature if you choose to. This can be a good strategy if you want a single privacy-first configuration that you can use globally since regulations like CCPA/CPRA do require GPC.

5. Click the Save button in the upper right of the page to commit your changes.

Additional Recommendations:

Concord highly recommends that you also take full advantage of our Data Mapping functionality in order to fully comply with GDPR, including its requirements around maintaining a Record of Processing Activities. This can be done by adding all of your organization's data systems via Data Mapping for centralized compliance documentation, while also enabling easier handling of privacy requests.

As part of that process, you will also make use of our Data System Attributes functionality, in order to properly classify and understand how the aforementioned Data Systems handle user data. This will help ensure that your data systems are fully documented.