This is part two of our two-part Web Insight Blog series, "GDPR's Impact on Data Security." As an important complement to business processes, sound technical implementation practices will help you comply with GDPR or, at the very least, add an extra layer of security to the data you collect and maintain on websites and beyond.
1. Data encryption, at-rest vs. in-transit
GDPR does not mandate encryption, but businesses that do not plan to use it still need an alternative safeguard in place. Although it is not required, encryption is widely used to protect data in transit (moving from one location to another) and data at rest (stored in a database or on disk). A good practice is to layer network security controls on top of the measures you already have, rather than relying on any single control, to help defend against attackers.
2. Data use/access consent
GDPR helps protect consumer data in the EU, mainly by requiring that users give consent online before their data is collected or stored. GDPR calls this "explicit consent," meaning a business cannot collect data unless the consent is voluntary and active rather than passive. Many users have come to expect this, so even if you do not intend to be fully GDPR compliant, your users may not be willing to use your website without being asked for consent.
Businesses should spell out how the data will be collected, which information will be used, how it will be used, and how it will be stored. Again, this must be clear and transparent to the user: GDPR wants to ensure that processing is fair and that users know what is being done with their personal data.
3. Data breach detection and notification implementation
It is imperative to be prepared for breaches and to be able to recognize when they happen. Tooling has become very capable, but trained people are still key to interpreting warning signs and spotting an incident early. It is good practice to make sure IT teams are educated in the early indicators of a data breach.
One way to catch a breach in its early stages is to implement breach detection and notification on all of your systems. Tools that detect malware or attack attempts early, before they escalate, can be very beneficial in combating potential attacks.
4. “Active” opt-in for website and other system use if/when data is provided
With the transition to GDPR, businesses must also think about the other ways they collect data on their websites. Collecting email addresses for a marketing campaign, for example, is a place where you want to make sure users provide their information voluntarily by opting in.
Provide your users with transparency by letting them know how their information will be used for marketing or other purposes. It is important to review any subscription forms on your website and remove unnecessary fields, as GDPR requires businesses to justify why they collect each piece of data. Pre-checked checkboxes can no longer be used; going forward, each user has to tick the box themselves.
If businesses send promotional material to users who have opted in, those users must have the right to be forgotten and should be able to easily unsubscribe from any email list they joined. This can be accomplished with an unsubscribe link in your marketing emails, as long as it is easy to find and users are aware at all times that they have that option. Making it easy for users to understand that they can subscribe or unsubscribe at any time is key. Note also that if a user chooses to unsubscribe, you must delete all historical data associated with that user or provide another way for them to request to be "forgotten."
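As an added example that is not part of the original post, here is a small server-side handler in Python that enforces the opt-in rules above: consent counts only when the box was actively ticked, fields the form cannot justify are rejected, and an unsubscribe erases the whole record rather than flipping a flag. The field names, notice version and in-memory store are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

# Fields the subscription form may collect, each with the reason it is needed.
# Constructed example: any submitted field not listed here is rejected as unjustified.
ALLOWED_FIELDS = {"email": "deliver the newsletter", "consent": "record the opt-in"}


@dataclass
class ConsentRecord:
    email: str
    notice_version: str     # which version of the privacy notice the user agreed to
    granted_at: str         # UTC timestamp of the active opt-in
    unsubscribe_token: str  # embedded in the unsubscribe link of every email sent


def validate_optin(form: dict, notice_version: str) -> ConsentRecord:
    """Accept a submission only when the user actively ticked the consent box."""
    extra = set(form) - set(ALLOWED_FIELDS)
    if extra:
        raise ValueError(f"unjustified fields submitted: {sorted(extra)}")
    email = form.get("email", "").strip().lower()
    if "@" not in email:
        raise ValueError("a valid email address is required")
    # Browsers send a checkbox value ("on") only when it is ticked; an absent key
    # means it was left unticked. Never default it to True on the server, as that
    # would recreate a pre-checked box.
    if form.get("consent") != "on":
        raise ValueError("explicit consent was not given")
    return ConsentRecord(
        email=email,
        notice_version=notice_version,
        granted_at=datetime.now(timezone.utc).isoformat(),
        unsubscribe_token=secrets.token_urlsafe(32),
    )


class SubscriberStore:
    """Minimal in-memory store; a real deployment would use a database with the same rules."""

    def __init__(self) -> None:
        self._by_token: dict[str, ConsentRecord] = {}

    def subscribe(self, form: dict, notice_version: str) -> str:
        rec = validate_optin(form, notice_version)
        self._by_token[rec.unsubscribe_token] = rec
        return rec.unsubscribe_token  # caller puts this in the unsubscribe link

    def is_subscribed(self, email: str) -> bool:
        return any(r.email == email.lower() for r in self._by_token.values())

    def forget(self, token: str) -> bool:
        """Unsubscribe link handler: erase the entire record, honouring the right to be forgotten."""
        return self._by_token.pop(token, None) is not None
```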
If you are unsure whether you need/want to be GDPR compliant, seek qualified legal counsel. The EU is still in the process of determining how to interpret some of the gray areas in the regulations, and each country may end up gauging compliance differently.