Achieving GDPR with Digital Security for Websites
The General Data Protection Regulation, commonly known as GDPR, is a legal framework that defines the guidelines for collecting, processing, and storing Personally Identifiable Information (PII) in the European Union (EU). It enforces transparency in how PII is controlled and processed, while also clearly addressing accountability for data breaches and leaks. Let’s take a deeper look at GDPR and understand the crucial role digital security for websites plays in achieving it.
GDPR recently turned three years old in its latest avatar. These European data privacy laws were activated on May 25, 2018, to align with the rapid digitalization of retailing, banking, aviation, healthcare, and other sectors. These guidelines have now become the regulatory centerpiece of a global shift in how personal information and payment data is handled by online businesses and services.
As per Privacy Affairs, the European Commission has already issued over 650 fines, worth almost €300 million. Nobody is immune, not even Google or Ticketmaster. The latter was fined £1.25 million by the Information Commissioner’s Office (ICO) in late 2020 for a data breach caused by Inbenta, a faulty third-party chatbot solution, which was exploited to gain illegal access to millions of personal records.
It’s important to understand that Ticketmaster (the data controller), and not Inbenta (the data processor), was held responsible. Accountability is one of the biggest changes that GDPR has brought to the world of data privacy. Your third-party vendors and partners may be handling sensitive customer information, but only you will be held accountable for any kind of data leak or breach that may occur on your website.
Read more: The ICO Fines Ticketmaster £1.25 Million
What is GDPR?
GDPR was inevitable and very much required, since the last European data privacy regulation had been passed back in the 1990s. In the last three decades, our online presence has drastically increased and become more open, and the necessity of new privacy standards to regulate data collection and exchange became obvious. On May 25, 2018, the EU-based GDPR regulations became official.
Consisting of 99 articles, GDPR is the strongest set of privacy regulations and serves as a benchmark for data protection laws across the globe. GDPR is also known for issuing devastating fines for non-compliance: even for a small offense a company will be fined €10 million or 2% of its turnover, whereas a big offense will cost a business at least €20 million or 4% of its global turnover.
In itself, the EU data protection rules have been disruptive for the entire digital space and inspired a big change for many countries across multiple continents.
GDPR puts extra pressure on controllers (more on these in the next section) and makes them liable for their own decisions. Controllers being responsible for non-compliance is not new, but fining them (and not processors) for violations is a novel addition. Even if processors ignore the predetermined processes and make bad security decisions, the controllers are still responsible.
Besides the updated responsibilities and aforementioned changes in legal liabilities, GDPR sets the fines significantly higher than before. GDPR is no longer an option.
Data Subject vs Data Controller vs Data Processor
The GDPR regulations make a clear distinction between “data subjects”, “data controllers”, and “data processors”. Understanding the difference between these parties is highly important because it helps to adequately assess the level of responsibility of the people and businesses involved. Furthermore, the European Commission has become very strict when it comes to accountability.
- A Data Subject is a person or business (an identified or identifiable identity) whose personal information has been collected, processed, or stored
- A Data Controller is a person, public authority, agency, or company that defines the purpose of data collection and processing
- A Data Processor is a person, public authority, agency, or company that does the data processing itself on behalf of the data controller
When it comes to consent, the purposes of Personally Identifiable Information (PII) collection shown to Data Subjects should address the following questions:
- What data is being collected?
- How will the data be stored?
- How will the data be used?
- With whom will the data be shared?
- When and how will the data be removed/deleted?
Data Controllers are the ones that have to answer the aforementioned questions; they can be companies or individuals such as the self-employed or sole traders. Sometimes two or more companies jointly determine the purposes of data processing, which makes them joint controllers. Simply put, controllers determine why and how the data is being collected, stored, and processed.
On the other hand, contrary to popular belief, Data Processors carry limited GDPR responsibilities and only process data on behalf of a controller.
To avoid complications, there should be a clear contractual relationship between a controller and a processor. The contract, also known as a Data Processing Agreement (DPA), should set out the terms of termination, the consequences for violating the agreed purposes, and what those purposes are. Furthermore, this crucial document should be reviewed and updated regularly.
Top 5 GDPR Best Practices
GDPR is a very extensive document with many requirements, but the following best practices will get you significantly closer to achieving GDPR compliance.
#1 Understand How Data Moves
You must map out the data movement within your organization from its source to eventual disposal. The lifecycle of data should be traceable and understandable to everyone, including the means of collecting the information, what the information entails, the reason for data capture, and data storage/removal. The same applies to data that is being used by data processors and other external vendors.
Operational and technical safeguards are also crucial as security measures are one of the cornerstones of the General Data Protection Regulation.
#2 GDPR Accountability Life Cycle
After establishing a deep understanding of the data flow, companies should move on to establishing and implementing the accountability lifecycle. This cannot be achieved overnight. Accountability at the organizational level requires a pivotal shift in how the company handles PII protection and develops a systemic approach. Think onboarding, CISO involvement in feedback loops, and ongoing training.
The accountability lifecycle consists of three phases:
- Involving all relevant stakeholders to provide operational and organizational preparedness for the upcoming GDPR implementation
- Establishing measures and procedures that ensure compliance with GDPR
- Making sure the compliance is continuous and will be carried out at all times. This needs to be an ongoing operation with no loopholes
#3 Set Up Your Infrastructure Correctly
Even though your lawful ground for processing, such as “legitimate business interest”, may remain the same under the General Data Protection Regulation as it was before, you may need to consider additional obligations and responsibilities. To make sure you are following all the rules associated with the ground you are relying on, read the specific GDPR clauses that address the different grounds.
One of the new additions to the GDPR is affirmative consent. It means that silent consent is no longer viable, and users need to be informed and asked to tick the boxes themselves. Companies can no longer assume that their business goals are more important than user data privacy. This point can be found in all modern privacy laws, like the relatively new California Consumers Protection Act (CCPA).
#4 Staff Awareness and Policy Management
One of the core requirements of GDPR revolves around organizational data security awareness. This can be achieved through various training programs and managed via a policy management system. A centralized solution that makes it easy to store and distribute security policies simplifies the process of educating employees about GDPR regulations, internal company policies, and any updates to them.
An effective policy management system acts as proof that workers have been informed about GDPR rules and understand the consequences of non-compliance.
#5 Get Your Data Logging Right
GDPR requires businesses to handle log data correctly. First of all, centralization is key, as it simplifies storage, makes log retention periods explicit, and ensures adherence to GDPR policies. Secondly, periodic yet systematic log removal is an important task, as duplicate data often complicates the enforcement of retention policies. Finally, always encrypt logs when moving them to storage.
Last but not least, you have third-party web apps and tags running on your websites. Despite being highly beneficial, these are a huge GDPR risk. Read on to learn more.
Website GDPR Compliance Starts with Digital Application Security
Besides implementing the aforementioned best practices, learning from the latest data breaches, and getting familiar with the latest GDPR guidelines, you need to elevate digital security standards on your website on an ongoing basis. Amongst other things, this involves the smooth governance and management of all digital (external) applications and third-party tags that you are currently using.
These digital applications are helping organizations scale up faster and achieve faster time to market (TTM), which is why over 95% of websites today are using them.
Unfortunately, these digital applications and external tags also introduce new security challenges and privacy risks. Organizations can only overcome this expanded attack surface by taking full control of their websites. This means creating an up-to-date inventory of all digital apps and understanding their behaviour. Only ongoing governance can help you get closer to GDPR compliance.
Once you have this transparency, you can mitigate GDPR risks by steering clear of Web Skimming (Magecart), Ex-Domain Exploits, and Supply Chain Attacks.
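As an added illustration of the inventory step described above (this is example code written for this article, not a tool from the original page), the script below classifies every script tag on a page as first-party, approved third-party, unapproved third-party, or inline, and diffs the result against a previously recorded baseline so that a newly appearing host is surfaced for review. The sample HTML, the first-party host and the allowlist of DPA-covered vendors are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample checkout page (not from any real site).
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.analytics-vendor.test/tag.js"></script>
<script src="//old-widget-cdn.test/chat.js" async></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>
"""

FIRST_PARTY_HOSTS = {"www.example-shop.test"}          # assumed own host
# Hypothetical allowlist: third parties with a signed DPA on file.
APPROVED_THIRD_PARTIES = {"cdn.analytics-vendor.test"}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def inventory_scripts(html, first_party=FIRST_PARTY_HOSTS, approved=APPROVED_THIRD_PARTIES):
    """Classify every <script> tag as first-party, approved, unapproved or inline."""
    findings = []
    for attrs in SCRIPT_TAG.findall(html):
        match = SRC_ATTR.search(attrs)
        if match is None:
            findings.append(("inline", "inline"))
            continue
        host = urlparse(match.group(1)).hostname   # None for relative URLs
        if host is None or host in first_party:
            findings.append((host or "self", "first-party"))
        elif host in approved:
            findings.append((host, "approved-third-party"))
        else:
            findings.append((host, "unapproved-third-party"))
    return findings


def unapproved_hosts(html):
    """Hosts that load code into the page without being on the allowlist."""
    return sorted({h for h, kind in inventory_scripts(html) if kind == "unapproved-third-party"})


def new_hosts(html, baseline):
    """Third-party hosts present now but absent from an earlier recorded inventory."""
    current = {h for h, kind in inventory_scripts(html) if kind not in ("inline", "first-party")}
    return sorted(current - set(baseline))


if __name__ == "__main__":
    for host, kind in inventory_scripts(SAMPLE_HTML):
        print(f"{kind:24} {host}")
    print("unapproved:", unapproved_hosts(SAMPLE_HTML))
```

Running this on each deployment and alerting on a non-empty `new_hosts` result turns the one-off inventory into the ongoing governance the text calls for.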