Enterprise Web Content Management Systems in the PII Era


 

As mentioned in the article Web Analytics: ethical and privacy implications, organizations use their websites to attract and retain website visitors. Furthermore, multinational organizations with global footprints may collect and store visitors’ data (via website visitor registration) from different regions and countries to help focus and optimize their strategic intent. In some industries, such as healthcare, finance or insurance, profitability depends heavily on users’ data. However, collected users’ data (aka PII) that is stored in an enterprise web content management system has different implications for an organization depending on where that system is located.

In this article, I will look at different enterprise cloud-based web content management solutions that support public websites and explain how the different solutions store users’ data. The objective is to recommend a cloud-based enterprise web content management system architecture design that takes PII into consideration, particularly for organizations that are starting a new (greenfield) implementation.

 

Enterprise Web Content Management Systems – Data Centers

Cloud solution providers let organizations deploy enterprise web content management systems to selected data centers across many corners of the globe. This gives organizations the possibility to select suitable data centers based on their business strategy. Data center deployment options range from hosting in a single cloud data center to using multiple or siloed data centers. The distribution and selection of data centers is further complicated for organizations that collect, store, and manage personally identifiable information (PII).

PII is any collected and stored information that points to an individual: email, telephone number, names, credit card details and even web profiling to determine buying habits, location, etc.

While content distribution and network speed (performance) across the globe remain key organizational concerns and hence the need for a cloud-based solution, PII is a regulatory constraint that should be factored into an architectural design for cloud-based web content management solutions.

“Regulation is an essential step to strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the Digital Single Market.” (EU data protection rules, 2016)

According to research conducted by AIIM (2016) on data protection and how it affects organizations’ choice of cloud-based solutions, organizational executives admit to storing PII data but struggle to find the best approach to remaining compliant.

Figure: Enterprise web content management systems – data centers

 

Personally Identifiable Information – Data Centers – Compliance

A major concern in the allocation of cloud data centers for enterprise web content management deployment is that of transfer/movement of stored PII data from one country or region to the next.

Although the rules are quite open, for most countries it suffices if the new holder (company or cloud provider) of the PII data can assure an appropriate level of security and protection, as in the subject’s home country.

The European Commission has established guidelines on PII handling in the EU zone; however, to store PII data in data centers located outside the EU zone, a commitment to ensure similar security and data protection measures must exist with the outside countries and organizations (see EU data protection agreement with some outside countries).

In some cases, where there is no data protection agreement, it’s best practice for enterprise web content management solution owners to ensure that a data protection and security clause exists in their service contract with cloud service providers and the associated data center controllers (as in some cases data center management can be offshored to a third party).

To ease the flow of PII data between the EU and the US, a Safe Harbor agreement was established as a framework for sharing personal information following the European Commission’s Decision 2000/520/EC of 26 July 2000. However, the EU declined Safe Harbor in October 2015, leading the US to establish a new agreement in July 2016, named the EU-US Privacy Shield framework, which took effect in August 2016. It’s important to note that the new Trump administration in the US is reviewing this agreement and may make some changes.

“The (current) rules within Europe state that personal data can only be transferred to a country or territory outside the EEA [European Economic Area] if it can be established that an adequate level of protection exists.” (AIIM, 2016, p. 12)

For multinational organizations that want to maintain a consistent brand and style across the globe, a cloud-based solution is the most cost-effective option for the organization and offers predictable performance for its users across the globe.

 

Architectural Options

Before discussing the different architectural options, let’s look at the components of an enterprise web content management system (WCMS). An instance of a WCMS includes a content management server, a content delivery server, and a database server, each of which is represented below.

Figure: Architectural options

There are three possible options to consider when designing an enterprise web content management system (CMS) architecture:

 

Option 1 – CMS/WCMS in a single Region

Have the enterprise CMS solution hosted in a cloud data center within a specific region. This implies users across the globe would have to access the solution in only one location. This solution ensures users’ data is stored and managed only within a single location. It is PII compliant, assuming the cloud service provider complies with the regional data protection regulations. However, the implementation would have to use other services, such as a Content Delivery Network (CDN), to improve website performance.

Figure: Option 1 – CMS/WCMS in a single region

 

Option 2 – CMS/WCMS Frontend websites in different regions

Here content editing (content management) is performed centrally; however, website content delivery is hosted in different regions. This enables the storage of users’ data within each region. This option is PII compliant only if the stored data doesn’t move from one region to another region where there isn’t an agreement between both regions.

Figure: Option 2 – CMS/WCMS frontend websites in different regions
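
The Option 2 condition can be checked against an inventory of the jobs that copy visitor data between regions (backups, exports, replication). The following is an added example, not part of the original article; it goes slightly beyond the text by also following onward copies, so data that leaves a region through an approved hop and is then copied further is still flagged. Region names, the flow list and the agreement table are constructed placeholders, and modelling agreements as directed (origin, destination) pairs is an assumption.

```python
from collections import deque

# Constructed sample for an Option 2 deployment. Region names and the
# agreement table are placeholders, not statements about real agreements.
ORIGINS = {"eu", "ch", "us"}               # regions whose delivery tier stores PII
FLOWS = [("eu", "ch"), ("ch", "us")]       # jobs copying PII (from_region, to_region)
AGREEMENTS = {("eu", "ch"), ("ch", "eu")}  # (origin, destination) pairs covered

def unapproved_transfers(origins, flows, agreements):
    """Return (origin, reached_region, path) for every region that PII
    collected in `origin` can reach without an agreement covering it."""
    edges = {}
    for src, dst in flows:
        edges.setdefault(src, set()).add(dst)
    findings = []
    for origin in sorted(origins):
        # Breadth-first search: every region reachable from the origin,
        # with the shortest chain of copy jobs that gets the data there.
        paths = {origin: [origin]}
        queue = deque([origin])
        while queue:
            here = queue.popleft()
            for nxt in sorted(edges.get(here, ())):
                if nxt not in paths:
                    paths[nxt] = paths[here] + [nxt]
                    queue.append(nxt)
        for region, path in sorted(paths.items()):
            # Judge each destination against the region of collection,
            # not against the intermediate hop the copy came from.
            if region != origin and (origin, region) not in agreements:
                findings.append((origin, region, " -> ".join(path)))
    return findings

if __name__ == "__main__":
    for origin, region, path in unapproved_transfers(ORIGINS, FLOWS, AGREEMENTS):
        print(f"PII collected in {origin} reaches {region} without an agreement: {path}")
```

With the sample data, the export from "ch" to "us" is flagged twice: once for data collected in "ch" and once for data collected in "eu" that arrived in "ch" through the approved backup hop.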

 

Option 3 – CMS/WCMS regional silos

Here each region manages and publishes its websites. This is fully PII compliant, but defeats any form of standardization, such as branding and content strategy for multinational organizations.

Figure: Option 3 – PII-compliant siloed WCMS architecture

 

Conclusion

In summary, although security, and particularly PII, is never at the heart of most business decisions, it’s an issue that can highly impact the credibility of an organization. IT and business executives should strive to design content management solutions that not only provide a better user experience but also ensure compliant storage and transfer of PII.

Publisher: Atos Consulting CH