As mentioned in the article Web Analytics: ethical and privacy implications, organizations use their websites to attract and retain website visitors. Furthermore, multinational organizations with global footprints may collect and store visitors’ data (via website visitor registration) from various regions and countries to help focus and optimize their strategic intent. In some industries, such as healthcare, finance or insurance, profitability highly depends on users’ data. However, collected users’ data (aka PII) that’s stored in an enterprise web content management system has different implications for organizations depending on the location of that system.
In this article, I will look at different enterprise cloud-based web content management solutions that support public websites and explain how the different solutions store users’ data. The objective is to recommend a cloud-based enterprise web content management system architecture design that takes PII into consideration, particularly for organizations that are starting a new (greenfield) implementation.
Enterprise Web Content Management Systems – Data Centers
Cloud solution providers let organizations deploy enterprise web content management systems to data centers in many parts of the globe, so organizations can select suitable data centers based on their business strategy. Data center deployment options range from hosting in a single cloud data center to using multiple or siloed data centers. The distribution and selection of data centers is further complicated for organizations that collect, store, and manage personally identifiable information (PII).
PII is any collected and stored information that points to an individual: email, telephone number, names, credit card details and even web profiling to determine buying habits, location, etc.
While content distribution and network speed (performance) across the globe remain key organizational concerns and hence the need for a cloud-based solution, PII is a regulatory constraint that should be factored into an architectural design for cloud-based web content management solutions.
“Regulation is an essential step to strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the Digital Single Market.” (EU data protection rules, 2016)
According to research conducted by AIIM (2016) on data protection and how it affects organizations’ choice of cloud-based solutions, organizational executives admit to storing PII data but struggle to find the best approach to remain compliant.
Personal Identifiable Information – Data Centers – Compliance
A major concern in the allocation of cloud data centers for enterprise web content management deployment is that of transfer/movement of stored PII data from one country or region to the next.
Although the rules are quite open, for most countries it suffices if the new holder (company or cloud provider) of the PII data can assure an appropriate level of security and protection, as in the subject’s home country.
The European Commission has established guidelines on PII handling in the EU zone; however, to store PII data in data centers located outside the EU zone, a commitment to ensure similar security and data protection measures must exist with the outside countries and organizations (see EU data protection agreement with some outside countries).
In some cases, where there is no data protection agreement, it’s best practice for enterprise web content management solution owners to ensure a data protection and security clause exists in their service contract with cloud service providers and the associated data center controllers (as in some cases data center management can be offshored to a third party).
To ease the flow of PII data between the EU and the US, a Safe Harbor agreement was established as a framework for sharing personal information following the European Commission’s Decision 2000/520/EC of 26 July 2000. However, the EU withdrew from Safe Harbor in October 2015, leading the US to establish a new agreement in July 2016, named the EU-US Privacy Shield framework, which took effect in August 2016. It’s important to note that the new Trump administration in the US is reviewing this agreement and might make some changes.
“The (current) rules within Europe state that personal data can only be transferred to a country or territory outside the EEA [European Economic Area] if it can be established that an adequate level of protection exists.” (AIIM, 2016, p. 12)
For multinational organizations that want to maintain a consistent brand and style across the globe, a cloud-based solution is the most cost-effective option for the organization and offers predictable performance for its users across the globe.
Before discussing the different architectural options, let’s look at the components of an enterprise web content management system (WCMS). An instance of a WCMS includes a content management server, a content delivery server, and a database server, each of which is represented below.
There are three possible options to consider when designing an enterprise web content management system (CMS) architecture:
Option 1 – CMS/WCMS in a single Region
Have the enterprise CMS solution hosted in a cloud data center within a specific region. This implies users across the globe would have to access the solution in only one location. This solution ensures users’ data is stored and managed only within a single location. This solution is PII compliant, assuming the cloud service provider complies with the regional data protection regulations; however, the implementation would have to use other services, such as a Content Delivery Network (CDN), to improve website performance.
Option 2 – CMS/WCMS Frontend websites in different regions
Here content editing (content management) is performed centrally; however, website content delivery is hosted in different regions. This enables the storage of users’ data within each region. This option is PII compliant only if the stored data doesn’t move from one region to another region where there isn’t an agreement between both regions.
Option 3 – CMS/WCMS regional silos
Here each region manages and publishes its websites. This is fully PII compliant, but defeats any form of standardization, such as branding and content strategy for multinational organizations.
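The condition attached to Option 2 can be enforced and audited in code. The sketch below is an added example, not part of any WCMS product: the region names, the agreement table and the field names are constructed placeholders, and agreements are assumed to apply in both directions.

```python
from dataclasses import dataclass

# Constructed policy data: placeholder region names, not real legal findings.
AGREEMENTS = {frozenset({"region-a", "region-b"})}
# Field names are assumptions, modelled on the PII examples in this article.
PII_FIELDS = {"email", "telephone", "name", "credit_card"}


@dataclass(frozen=True)
class Record:
    origin: str    # region whose delivery tier collected the data
    fields: dict   # column name -> stored value


def pii_keys(record):
    """Names of the populated PII fields in a record, sorted."""
    return sorted(k for k, v in record.fields.items() if k in PII_FIELDS and v)


def transfer_allowed(record, destination):
    """PII stays in its origin region unless an agreement covers the move."""
    if not pii_keys(record) or destination == record.origin:
        return True
    return frozenset({record.origin, destination}) in AGREEMENTS


def replicate(record, destination):
    """Return what may be stored in `destination`: the record or a PII-free copy."""
    if transfer_allowed(record, destination):
        return record
    safe = {k: v for k, v in record.fields.items() if k not in PII_FIELDS}
    return Record(record.origin, safe)


def find_violations(stores):
    """Audit {region: [records]} for PII held where no agreement permits it."""
    return [(region, rec.origin, pii_keys(rec))
            for region, records in stores.items()
            for rec in records
            if not transfer_allowed(rec, region)]
```

Running `find_violations` over an inventory of each regional database gives a list of records whose PII sits in a region it should not have reached.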
In summary, although security, and particularly PII, is never at the heart of most business decisions, it’s an issue that can highly impact the credibility of an organization. IT / Business executives should strive to design content management solutions that will not only provide a better user experience but also ensure compliant storage and transfer of PII.
- Privacy Shield Framework: https://www.export.gov/article?id=Benefits-of-Participation
- Safe Harbor: https://www.export.gov/article?id=Benefits-of-Participation
- Data Privacy - living by new rules, AIIM Industry Watch, July 2016. www.aiim.org/research
- Making sense of European Data Protection Regulations as they relate to the storage and management of content in the Cloud, AIIM Industry Watch, July 2014. www.aiim.org/research
- Protection of Personal Data: European Commission: http://ec.europa.eu/justice/data-protection/reform/index_en.htm