Website GDPR audit

First version 13th Jan 2018, Last revised 15th May 2023.

Disclaimer: This information is provided for your convenience and does not constitute legal advice.

Your website may be subject to the General Data Protection Regulation (GDPR). We have compiled a few pointers to help you, regardless of the technology you use.

Introduction

To keep this post short, GDPR is mainly the enforcement (accountability - Art 5.2) of 6 data protection principles (Art 5.1):

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitations
  • Integrity and confidentiality

GDPR is a data protection law (art 1.2) and while privacy is briefly mentioned in a recital, one should focus on data protection.

Is there personal data collected / processed?

It's the first basic question to ask, because the GDPR is only concerned about Personal Data. Personal data is almost anything relating to an individual (referred to as a "data subject") when it is processed (Art 4.2).

If you are not sure, you can start by checking whether there are enquiry forms, blog comment forms or forms prompting for a customer billing and shipping address. IP addresses, combined with a timestamp, are also considered Personal Data (Recital 30: Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.).

If there are forms, you need to find out whether these forms are part of the website itself (e.g. data is stored within the website database) or part of a third-party application (e.g. MailChimp for newsletters). If the information is collected by other cloud applications, you need to ensure you have a data-processor agreement with each service supplier.

If your website does not collect personal data such as names and addresses, you mainly need to focus on the personal data collected by the administrators of the website (IP addresses, for example).

It's worth remembering that some data collected for security purposes cannot normally be used to monitor staff.

If personal data is collected by the website...

You need to find the country where the website is hosted.

  • If the website is hosted in the EU or EEA, you need to ensure you have a data-processing agreement (Art 28) with the hosting company. It may be difficult to obtain. Large hosting organisations tend to impose their rules and sometimes such rules are not compatible with the GDPR. It may seem unfair, but it has more to do with competition law than the GDPR. If you struggle, find a supplier that hosts data lawfully.
  • If the website is not hosted in the EU or EEA, you need to ensure that, for the transfer of data, there is a data transfer mechanism that complies with the requirements of the GDPR. If it seems too difficult, you may consider finding a hosting company that has EU or EEA data-centres (Recital 101-116; Art. 44, 45). It is often cheaper to host in the EU than to conduct a transfer impact assessment.

Note: The hosting company may be ISO 27001 certified (a security management standard), but this does not guarantee GDPR compliance. ISO 27001 is about security management; GDPR is about data protection (and ultimately privacy: two separate rights under the EU Charter of Fundamental Rights). Security constitutes only a fraction of the GDPR and is part of one of the six data protection principles (integrity and confidentiality). A simple way to assess this is to ask them. If you receive no answer, be wary. Also, adhering to the standard is about having a management system (procedures etc.) and following it, not about being secure. ISO 27001 has a scope, and the scope can be limited. We have seen many ISO 27001 certified companies failing on basic security.

Form data

There is a GDPR principle of minimisation: it means you should not collect information for which there is no legitimate right to collect. For example, some shopping carts prompt for a date of birth by default; if you don't need it, remove it.

If you want people to join a mailing list, consent is required: the checkbox must be unticked by default and you need to clearly tell the data subject what they will get. Also, remember that a newsletter is not a marketing offer, so two boxes are required if you have both.

The data collected and how it is used need to be included in a "Data Protection notice (statement)" (sometimes called a "Privacy" notice, despite GDPR being a data protection law).

Software updates

Note: Principle 6 (integrity and confidentiality) of GDPR states that "personal data must be processed in a manner that ensures appropriate security of the data using appropriate technical or organisational measures".

This means that the software you use to run your website needs to be kept up to date with the security-related bug fixes that the software vendor releases. If you are not technically savvy, it's worth having a maintenance contract and, more importantly, someone actually doing the updates.

Our own web platform has a commercial model that includes the provision of regular updates as they become available and are tested.

Assess security

Note: Principle of integrity and confidentiality.

You need to find out if your website is hosted on a shared, virtual or dedicated server.

If the website is hosted on a shared server, security may be weakened if multiple clients have FTP access, for instance. Remember that a cheap hosting plan usually means there are thousands of websites hosted and little maintenance carried out.

In such a case, you need to ensure the personal data on your website is really locked down. If someone were able to access your files, could they access the data?

In a virtual or dedicated server environment, the server security is your responsibility and it needs to be tightened. Don't use FTP, as the data transfer is not encrypted. Use SFTP and, as much as possible, avoid setting up inbound SFTP access on the server. Avoid the use of Remote Desktop unless you have strict firewall restrictions or VPN access.

In addition, you need to audit the server:

  • logical access to the server
  • procedures in place to grant access rights
  • firewall
  • application access rights (needless to say you need to change the default password supplied by the application)

Managing a firewall can be complicated, and mismanagement can lead to data breaches. We suggest seeking assistance from IT network experts to ensure the firewall is configured properly. For most websites, exposing only port 443 (HTTPS over TLS) should be enough for people accessing the site.

Note: You may have heard of "SSL". "TLS" is the protocol that supersedes the obsolete "SSL". The minimum requirement is TLS 1.2.

Plug-ins

Note: Principles of "integrity and confidentiality" and "minimisation".

Some website frameworks rely on third-party plug-ins to add functionality. They allow website owners who are not technically savvy to add functionality without needing to learn how to code.

Sadly, not all plug-ins are of equal quality. You need to review/audit the plug-ins in use, as they may not be safe; you may need to ask a reputable programmer for help. They may also be collecting personal data, so you need to ensure you only collect what is legitimate.

Hint: You need to be very careful with plug-ins that claim to make your website GDPR compliant. I hope that by the time you have finished reading this post you reach the conclusion that a plugin cannot solve all GDPR issues.

Databases

Note: Principle of integrity and confidentiality.

The databases must be stored on a separate secure server to the web/application server. The database server must not have Internet access and access should be restricted to the web/application server.

The main reason for this is that if there is no public Internet access to the database, it is safer. The website has to be publicly exposed, so it is at risk. Isolating the website from the database brings higher security.

Backups

Note: Principle of integrity and confidentiality.

With GDPR, you are responsible for the security of personal data, and that includes loss of personal data. You need to have backups, and backups are only as good as they are tested: you need a restore procedure and you need to test it regularly. In anything relating to contingency, always plan for the worst.

You need to find the country where the backups are stored.

  • If the backups are stored in the EU or EEA, you need to ensure you have a data processor agreement with the backup company. It may be difficult to obtain.
  • If the backups are not stored in the EU or EEA, you need to ensure that, for the transfer of data, there is a data transfer mechanism that complies with the requirements of the GDPR. If it seems too difficult, you may consider finding a backup company that has EU or EEA data-centres (Recital 101-116; Art. 44, 45).

Use a backup mechanism that allows restoration at various levels: application, data etc. Avoid complication, and do what you can to handle data subjects exercising their right to be forgotten (personal data held in backups).

Safe browsing

Note: Principle of integrity and confidentiality.

You need to install a secure certificate (often referred to as SSL, but it should be TLS 1.2 as a minimum, since SSL is an older protocol that shouldn't be used anymore) to provide encryption between the browser and your web application. It's referred to as "https" and the website should show a small padlock. A certificate costs between nothing and €300 per annum.

Hint: The secure certificate is a good way to choose your IT, hosting or web development partner. There are at present many security vendors promising you miracles to make you GDPR compliant. Some are giving a bad name to those of us who care, as they cannot even protect the transfer of form data between your browser and their own websites. My advice: avoid them.

Cloudflare / DDoS mitigation

If DDoS (Distributed Denial of Service) mitigation is in use, the data is temporarily transferred and may be stored outside the EU. Cloudflare, for instance, decrypts and re-encrypts your data itself before it is transferred to your website.

You have to balance the protection of the site under attack versus the implications for the rights and freedoms of people visiting your website. You are unlikely to get a transparent statement from the DDoS mitigation service telling you what they do with the data in transit through their service. Beware that as they sit in the middle, they can see it all, so think encryption.

The data shared / data in transit and the lawful basis need to be explained in the Data Protection Statement.

eCommerce

In addition, there are considerations around payment gateways, as they need to send credit card data to a large number of organisations. You probably don't have much say about where the information goes, but you should inform the data subject, and maybe offer bank transfer as an alternative.

I invite you to look at PayPal as an example to see where data may be sent for an online payment: they share data with over 600 organisations around the world.

Password protected areas

Further security audits should be performed. Also check what data is kept and inform the data subject. Obviously, the passwords must be stored in protected form (hashed, never in clear text), and password "salting" is imperative to improve the safety of the stored hashes.

In cryptography, a salt is random data that is used as an additional input to a one-way function that "hashes" data, a password or passphrase. The primary function of salts is to defend against dictionary attacks or against their hashed equivalent, a pre-computed rainbow table attack (source: Wikipedia).
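As an added illustration (not code from the post), here is what salted password storage looks like in practice using only Python's standard library: PBKDF2-HMAC-SHA256 as the slow one-way function, a random 16-byte salt per password stored alongside the hash, and a constant-time comparison on verification. The algorithm choice and iteration count are assumptions of this example, not something the post prescribes.

```python
# Added example: salted password hashing with the Python standard library.
# Assumptions: PBKDF2-HMAC-SHA256 with 600,000 iterations and a 16-byte salt.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000   # PBKDF2 work factor; raise it over time as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt, generated fresh for every password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>.

    The salt is stored next to the hash. It is not secret; it only has to be unique,
    which is what defeats pre-computed (rainbow) tables and shared-password lookups.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        rounds = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:          # malformed record: wrong field count, bad hex or bad number
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # compare_digest avoids leaking, through timing, how many leading bytes matched
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    first = hash_password("correct horse battery staple")
    second = hash_password("correct horse battery staple")
    print("different records for the same password:", first != second)            # True
    print("correct password verifies:", verify_password("correct horse battery staple", first))  # True
    print("wrong password rejected:", verify_password("wrong password", first))      # False
```

Because each record carries its own salt and iteration count, the work factor can be raised later and old records re-hashed at the user's next successful login.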

Social media logins provided by Facebook, Google etc. are usually used by the social media platforms to gather more personal data, so I advise you not to use them.

Sharing of data

Depending on how your website is coded, you may be passing (a lot of) personal data to third parties without realising it. Some web developers use external libraries supplied by content delivery networks (CDN), Google etc. Doing so will send data such as the visitor's IP address, browser data and cookies to the third parties supplying these libraries. The third parties can/will then cross-reference the data collected through your site with additional personal data collected elsewhere, in complete opacity (the opposite of the GDPR requirements).

For instance it will be the case when:

  • the website uses Google Fonts (or anything else that Google provides),
  • CSS (such as Bootstrap, Font Awesome etc.), JavaScript (jQuery etc.), fonts etc. are hosted through a content delivery network (CDN).

It is worth noting that using CDNs as briefly explained above is also in scope of another law that predates the GDPR: the e-Privacy Directive. You need to seek consent prior to sending non-essential files to the browser. The majority of CDN files are not necessary, since you can serve the page by hosting everything on your own server.

The data and the lawful basis (Article 6) for sharing it need to be explained in the Data Protection Statement. Since this can be difficult to obtain, I suggest you review the code and host the core files on your own server.

Note: Some programmers will argue this will slow down the site. If the site is coded properly, it will not. Hire a proper web development company (contact me).
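Added example (not from the post): a small Python script that audits a page's HTML for the third-party hosts a visitor's browser would contact just to render it, which is the data sharing described above. The sample page and its hostnames are constructed for the demonstration; run it against your own saved HTML to get the list of organisations that need to appear in your statement, or be removed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag attributes that make the browser fetch a resource as soon as the page is parsed.
RESOURCE_ATTRS = {"script": ("src",), "link": ("href",), "img": ("src", "srcset"), "iframe": ("src",)}
# url(...) and @import rules inside inline <style> blocks (how Google Fonts is often pulled in).
CSS_URL_RE = re.compile(r"""(?:@import\s+(?:url\()?|url\()\s*['"]?([^'")\s]+)""")

# Constructed sample page (hypothetical hosts) mixing self-hosted and CDN assets.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/assets/site.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="https://cdn.jsdelivr.net/npm/jquery@3/dist/jquery.min.js"></script>
<style>@import url('https://fonts.example-cdn.net/font.css');</style>
</head><body><img src="//images.example-cdn.net/logo.png" alt="">
<img src="data:image/png;base64,iVBORw0KGgo=" alt=""></body></html>"""


class ResourceCollector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.urls, self._in_style = base_url, [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in RESOURCE_ATTRS.get(tag, ()):
            # srcset holds "url 1x, url 2x": keep only the URL part of each entry
            for entry in (attrs.get(name) or "").split(","):
                if entry.strip():
                    self.urls.append(urljoin(self.base_url, entry.split()[0]))
        self._in_style = self._in_style or tag == "style"

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:
            self.urls.extend(urljoin(self.base_url, u) for u in CSS_URL_RE.findall(data))


def third_party_hosts(html, base_url):
    """Hosts other than the site's own that a visitor's browser would contact to render the page."""
    collector = ResourceCollector(base_url)
    collector.feed(html)
    own = urlsplit(base_url).hostname
    # data: URIs and relative paths never leave your server; drop them along with your own host
    hosts = {urlsplit(u).hostname for u in collector.urls if urlsplit(u).scheme in ("http", "https")}
    return hosts - {own, None}


if __name__ == "__main__":
    print(sorted(third_party_hosts(SAMPLE_HTML, "https://www.example.org/")))
```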

Data Protection Statement (aka Privacy Notice)

Data-protection statements are the conclusion of the analysis done when reviewing what you do with personal data when people reach your website and submit forms, and what happens to the data once submitted.

The data-protection statement will also tell the visitors what their rights are with regards to personal data (Art 15 to 22).

Check Articles 12, 13 and 14 of the GDPR to see what needs to be included.

You also need to include the list of organisations the data is shared with, and the lawful reason you need it.

Conclusion

GDPR is a great opportunity to review your web processes. Many website owners may have chosen a cheap and cheerful solution for their web presence, and may not have paid much attention to good practice in data protection.

Going the GDPR compliance way will, in the medium to long run, give your business an extra competitive advantage: caring about the protection of your clients' data. To me, it's priceless.

In May 2023, Bizoneo launched bizoscore.eu, designed to automate most of what is described in this blog post.

Claude Saulnier
CDPO - CIPP/E

Bizoneo

Post Scriptum (PS):

  • This post does not discuss cookies nor the use of external monitoring services such as Google Analytics.
  • This post does not discuss consent for email marketing purposes either (but we are happy to recommend Bizoneo CRM to assist);
  • This post does not fully discuss the lawful basis for gathering the data. It's important, but if you read the legislation (Article 6), it should become clearer;
  • We can provide assistance to your business in the completion of the above: audit, mapping and mitigation;
  • We have a LinkedIn page that we use to share updates. Feel free to visit and help us share a positive GDPR vibe.