Skip to content

Compliance with GDPR

Your options if you’re on a previous version of Sitecore

What you need to know whether you’re on Sitecore 6, 7, or XP 8

Whether it’s remediating your existing Sitecore implementation or upgrading to the current version of Sitecore, we’ll help you determine the best route to becoming GDPR-compliant.

GDPR requirement
Sitecore 6 series
Sitecore 7 series
Sitecore XP 8 series
Sitecore XP 9
The right to be informed, or being transparent about what you collect and how you use it (Article 12, 13, and Article 14 number 11)
As a developer you can inform end-users about data you collect through a privacy policy, cookie banner, and/ or preferences page on a Sitecore 6.x website, but you have no way of auditing a history of interactions.
As a developer you can inform end-users about data you collect through a privacy policy, cookie banner, and/or preferences page on a Sitecore 7.x website, but you have no way of auditing a history of interactions.
As a developer you can inform end-users about data you collect through a privacy policy, cookie banner, and/ or preferences page on a Sitecore XP 8.x website, but you have no way of auditing a history of interactions.
Yes, you or your developer can inform end-users about data you collect through a privacy policy, cookie banner, and/ or preferences page on a Sitecore XP 9.0 website, and can audit a history of interactions via the Sitecore xConnect™ API.
The right of access, or allowing individuals to see what personal data you’re processing and storing (Article 15)
Because Sitecore 6 did not include Sitecore xDB, you’ll need to address this in your own database configuration.
Because Sitecore 7 did not include Sitecore xDB, you’ll need to address this in your own database configuration. Users on version 7.5 (with xDB) should be aware there is no product feature support out of the box for the right of access; you will need to customize and extend your 7.5 xDB solution to fulfill those requirements.
No product feature support out of the box for XP versions prior to 8.2 Update 7. Users on prior versions will need to customize and extend their solution to fulfill the right of access requirements. Users of XP 8.2 Update 7 release can customize their solution and xDB to retrieve the interaction history of a contact through a dedicated API. You will need to extend your solution to use the API and retrieve the data in a programmatic fashion.
Sitecore XP 9 has dedicated features to retrieve the full interaction history of an individual through the Sitecore xConnect API. As a developer, you will need to extend your solution to use the API and retrieve the data in a programmatic fashion.
The right to rectification, or allowing individuals to have their personal data corrected (Article 16)
Because Sitecore 6 did not include Sitecore xDB, you’ll need to address this in your own database configuration.
Because Sitecore 7 did not include Sitecore xDB, you’ll need to address this in your own database configuration. Users on version 7.5 (with xDB) should be aware there is no product feature support out of the box for the right to rectification; you will need to customize and extend your 7.5 xDB solution to fulfill those requirements.
You’ll need to make changes to Sitecore (and any other systems) to edit / change / delete personal data on request.

Personal information can be managed in User Security, List Management, and customized directly in MongoDB.
You need to make changes to Sitecore (and any other systems) to edit / change / delete personal data on request.

Personal information can be managed in User Security, List Management, and customized directly through the Sitecore xConnect API (e.g., through a web form).
The right to erasure, also known as the right to be forgotten (Article 17)
Because Sitecore 6 did not include Sitecore xDB, you’ll need to address this in your own database configuration.
Because Sitecore 7 did not include Sitecore xDB, you’ll need to address this in your own database configuration. Users on version 7.5 (with xDB) should be aware there is no product feature support out of the box for the right to erasure or portability; you will need to customize and extend your 7.5 xDB solution to fulfill those requirements.
No product feature support out of the box for XP versions prior to 8.2 Update 7. Users on prior versions will need to customize and extend their solution to fulfill the right of erasure requirements. Users of XP 8.2 Update 7 release can customize their solution and xDB to delete all personal data of a contact through a dedicated API. We recommend a review of the custom contact facets that have been extended in the xDB before using the API to ensure all personal data is removed.
Sitecore XP 9 has dedicated features for the right of erasure (or right to be forgotten). A contact’s personal data can be deleted through a Sitecore API call, “Execute Right To Be Forgotten.” This feature irreversibly removes the contact’s personal data.
The right to restrict processing, or allowing individuals to stop you from performing operations (collecting, processing, storing, etc.) on personal data (Article 18)
Because Sitecore 6 did not include Sitecore xDB, you’ll need to address this in your own database configuration.
Because Sitecore 7 did not include Sitecore xDB, you’ll need to address this in your own database configuration. Users on version 7.5 (with xDB) should be aware there is no product feature support out of the box for the right to restrict processing; you will need to customize and extend your 7.5 xDB solution to fulfill those requirements.
Sitecore XP 8 allows you to customize how much personal data you wish to process. Opt-in and opt-out is a customization.
Sitecore XP 9 allows you to customize how much personal data you wish to process. Opt-in and opt-out is a customization.
The right to data portability, or giving individuals the personal data you have about them (Article 20)
Because Sitecore 6 did not include Sitecore xDB, you’ll need to address this in your own database configuration.
Because Sitecore 7 did not include Sitecore xDB, you’ll need to address this in your own database configuration. Users on version 7.5 (with xDB) should be aware there is no product feature support out of the box for the right to data portability; you will need to customize and extend your 7.5 xDB solution to fulfill those requirements.
No product feature support out of the box for XP versions prior to 8.2 Update 7. Users on prior versions will need to customize and extend their solution to fulfill the right to data portability requirements. Users of XP 8.2 Update 7 release can customize their solution and xDB to retrieve the interaction history of a contact through a dedicated API. The information retrieved can be exported for an end user in your chosen format.
Sitecore XP 9 ensures full interaction history is available and can be exported from the Sitecore xConnect API and provided to your end user in your chosen format.
The right to object, or prevent you from processing their personal data (Article 21)
Because Sitecore 6 did not include Sitecore xDB, you’ll need to address this in your own database configuration.
Because Sitecore 7 did not include Sitecore xDB, you’ll need to address this in your own database configuration. Users on version 7.5 (with xDB) should be aware there is no product feature support out of the box for the right to object; you will need to customize and extend your 7.5 xDB solution to fulfill those requirements.
No product feature support out of the box. Customization is required, dependent on your implementation.
No product feature support out of the box. Customization is required, dependent on your implementation.
GDPR requirement

The right to be informed, or being transparent about what you collect and how you use it (Article 12, 13, and Article 14 number 11)

Yes, you or your developer can inform end-users about data you collect through a privacy policy, cookie banner, and/ or preferences page on a Sitecore XP 9.0 website, and can audit a history of interactions via the Sitecore xConnect™ API.

The right of access, or allowing individuals to see what personal data you’re processing and storing (Article 15)

Sitecore XP 9 has dedicated features to retrieve the full interaction history of an individual through the Sitecore xConnect API. As a developer, you will need to extend your solution to use the API and retrieve the data in a programmatic fashion.

The right to rectification, or allowing individuals to have their personal data corrected (Article 16)

You need to make changes to Sitecore (and any other systems) to edit / change / delete personal data on request.

Personal information can be managed in User Security, List Management, and customized directly through the Sitecore xConnect API (e.g., through a web form).

The right to erasure, also known as the right to be forgotten (Article 17)

Sitecore XP 9 has dedicated features for the right of erasure (or right to be forgotten). A contact’s personal data can be deleted through a Sitecore API call, “Execute Right To Be Forgotten.” This feature irreversibly removes the contact’s personal data.

The right to restrict processing, or allowing individuals to stop you from performing operations (collecting, processing, storing, etc.) on personal data (Article 18)

Sitecore XP 9 allows you to customize how much personal data you wish to process. Opt-in and opt-out is a customization.

The right to data portability, or giving individuals the personal data you have about them (Article 20)

Sitecore XP 9 ensures full interaction history is available and can be exported from the Sitecore xConnect API and provided to your end user in your chosen format.

The right to object, or prevent you from processing their personal data (Article 21)

No product feature support out of the box. Customization is required, dependent on your implementation.

Why upgrade to Sitecore XP 9?

Becoming GDPR compliant becomes far simpler if your content management or digital marketing platform is architected and built on a singular database that tracks all historical customer information. Customers on older versions of Sitecore would best prepare for GDPR by upgrading their platform and migrating their data to version 9.

Sitecore Experience Platform (XP) 9 facilitates GDPR compliance by incorporating a number of privacy-by-design and privacy-by-default principles and new features. These include support for anonymizing data, the ability to annotate data, and support for treating data as sensitive, depending on your needs and your configuration choices.

Version 9 offers capabilities that significantly expedite Sitecore users achieving GDPR compliance with their Sitecore deployment, including:

  • Extended database support: The ability to deploy xDB on Microsoft SQL Server or Microsoft SQL Azure (in addition to MongoDB), which makes managing databases more efficient for teams already familiar with SQL Server or Azure Services, and can improve infrastructure where datasets have had to interact between different technologies.
  • Sitecore xConnect™: A new service layer and set of APIs designed to securely interact with Sitecore xDB and allow for the collection and interchange of customer data across channels— even third-party apps—and at scale. Much of how Sitecore XP 9 facilitates a customer configuration that supports GDPR compliance is attributable to Sitecore xConnect because it helps you more easily and effectively manage personally identifiable information.
  • Encryption: Advanced security, with data encryption support for data that is both in motion, where data is encrypted with HTTPS and Transport Layer Security/Secure Sockets Layer (TLS/SSL), and at rest, where data in xDB can use SQL features such as Always Encrypted.

For more information on how Sitecore XP 9 supports GDPR compliance, download our white paper “Sitecore and GDPR.”

How does it affect you?

Know the considerations for your implementation of Sitecore, whether you’re on Sitecore version 6, 7, or XP 8; or XC 7 or 8.

Get the white paper
GDPR compliance with Sitecore XP 6, 7, and 8