Adobe Experience Manager as a Cloud Service Readiness for Data Protection and Data Privacy Regulations
To help Adobe customers be compliant with these regulations, Adobe is providing documentation and procedures (with APIs when available) for the customer privacy administrators and AEM administrators:
- The documentation helps administrators handle data protection and data privacy requests.
- The procedures documented let customers run the regulatory requests manually or make API calls, where available, from an external portal or service.
Introduction
Instances of Adobe Experience Manager as a Cloud Service, and the applications that run on them, are owned and operated by Adobe customers.
As a consequence, compliance with data protection regulations, such as GDPR, CCPA, and others, is largely the responsibility of the customers.
As a brief introduction, the regulations for data privacy and protection include new rules to be followed by the roles of:
- Business Entities (CCPA) and/or Data Controllers (GDPR)
- Service Providers (CCPA) and/or Data Processors (GDPR)
The main provisions in such regulations are:
- Expanded definition of personal data to include all unique IDs, that is, directly and indirectly identifiable data.
- Strengthened consent requirements.
- Increased focus on deletion rights (Data Erasure).
- Opt-Out of Sale of Data.
For Adobe Experience Manager as a Cloud Service:
- The instances, and applications that run on them, are owned and operated by the customer.
- Ownership effectively means that the customer manages the regulatory roles, including Business Entities and Service Provider, Data Controller, and Data Processor, among others.
- The Adobe Experience Platform Privacy Service is not part of the workflow for AEM, as illustrated in the diagram below.
- AEM includes documentation and procedures for the customer’s privacy administrator and/or AEM administrator to execute the privacy regulation requests, either manually or through APIs, when available.
- No new service or UI has been added.
- Instead, procedures and APIs are documented for use by the customer UIs/portals that handle privacy regulation requests.
- AEM does not include any out-of-the-box tooling to support the privacy requests workflow.
- Adobe provides documentation and procedures for the customer’s privacy administrator, AEM administrator, or both, enabling them to manually run requests related to the privacy regulations.
Adobe is providing procedures for handling privacy requests related to Access, Delete, and Opt-Out for Adobe Experience Manager as a Cloud Service. In some cases there are APIs available that can be called from a customer-developed portal, or scripts to help with automation.
The following diagram illustrates what a privacy request workflow might look like (illustrated using Adobe Experience Manager 6.5):
Adobe Experience Manager as a Cloud Service and Regulatory Readiness
See the sections below for regulatory documentation for product areas of AEM as a Cloud Service.
Adobe Experience Manager as a Cloud Service Foundation
See AEM Foundation Readiness for Data Protection and Data Privacy Regulations.
Adobe Experience Manager as a Cloud Service Sites
See AEM Sites Readiness for Data Protection and Data Privacy Regulations.
Adobe Experience Manager as a Cloud Service Integration with Adobe Target & Adobe Analytics
Integrations of Adobe Experience Manager as a Cloud Service with Adobe Target and Adobe Analytics are implemented with data protection and privacy (for example, GDPR) ready services. No personal data from Adobe Target or Adobe Analytics is stored in AEM in relation to the integrations.
For more information, see: