GDPR Compliance

ACCO Brands My Data

A site to help deal with user privacy requests as a result of legislation like GDPR, CCPA and LGPD.

ACCO Brands My Data
The client

A multinational office products manufacturer with several well-known brands, such as Swingline and GBC.

The brief

Create a system that manages the gathering of user data from across multiple system and allows users to view, edit or delete this data.

The outcome

Built originally just for the European GDPR legislation, it has since been expanded to deal with California’s CCPA and Brazil’s LGPD.

What we did

This was a project with two main sides to it: allowing users to specify their marketing preferences across the client’s brands and to request to see what data is held within the client’s systems before either editing it or having it deleted.

Marketing options
Nearly all the marketing option data was available via APIs, which made this side of the project much easier to deal with. Primarily the CRM platform Acoustic (formerly Silverpop) was used, along with Pardot and some custom EpiMail installations. The real fly in the ointment was the double opt in requirement if the user is selecting to receive marketing information. In this case an extra email is sent to them to confirm their request, which is then fed back into their preferences on the relevant platform. Quite hard to write, even harder to code!

Lots and lots of data sources
The client has multiple locations where user data is stored across several systems, only some of which can be accessed either by a data connection or an API. All of these systems needed to check to see if specific user data was present. So the system was built to notify data owners to search for a user’s data and add it via a form. When the data gathering process was complete the user was informed it was available for viewing.

There were over 100 different data sources across the globe with multiple data owners responsible for these. So the data gathering process had built in reminders to ensure all the sources of data were checked before the deadline specified by the relevant legislation.

The admin screens managed all of this along with any subsequent data deleting/editing request, with different permissions for different types of users.

Different legislations
On top of the complications of the data gathering requests, the 3 different pieces of legislation the system was designed for worked in slightly different ways and had different personnel in charge of them. This led to a bit of head scratching for a while!

Tech stack
  • .NET Core 3.1
  • SQL Azure
  • Multiple API integrations
The asset management system that MB has built for Colart has been a huge success…

Nicky Shaw - Colart