Website GDPR audit

Revised 7th October 2019.

Disclaimer: This information is provided for your convenience and does not constitute legal advice.

Your website may be subject to GDPR. We have compiled a few pointers to help you, regardless of the technology you use.

Introduction

To keep this post short, GDPR is mainly the enforcement (accountability) of 6 data privacy principles:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitations
  • Integrity and confidentiality

Is there personal data collected?

It is the first and most basic question to ask, because GDPR is only about personal data. Personal data is almost anything relating to an individual (referred to as a "data subject").

If you are not sure, you can start by checking whether there are enquiry forms, blog comment forms or forms that prompt for a customer billing and shipping address. IP addresses, combined with a timestamp, are also considered personal data (Recital 30: "Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.").

If there are forms, you need to find out whether these forms are part of the website itself (e.g. the data is stored within the website database) or part of a third-party application (e.g. MailChimp for newsletters). If the information is collected by other cloud applications, you need to ensure you have a data-processor agreement with each service supplier.

If your website does not collect personal data such as name and address, you mainly need to focus on the personal data collected by the administrators of the website. There may still be IP addresses, etc.

It's worth remembering that the information collected for security purposes cannot normally be used to monitor staff.

If personal data is collected by the website...

You need to find the country where the website is hosted.

  • If the website is hosted in the EU or EEA, you need to ensure you have a data-processing agreement with the hosting company. It may be difficult to obtain. Large hosting organisations tend to impose their own rules, and sometimes such rules are not compatible with the GDPR. It may seem unfair, but it has more to do with competition law than with the GDPR. If you struggle, find a supplier that hosts data lawfully.
  • If the website is not hosted in the EU or EEA, you need to ensure that, for the transfer of data, there is a data transfer mechanism that complies with the requirements of the GDPR. If it seems too difficult, you may consider finding a hosting company that has EU or EEA data centres (Recital 101-116; Art. 44, 45).

Note: The hosting company may be ISO 27001 certified (a security seal), but this does not guarantee GDPR compliance. ISO 27001 is about security; GDPR is about data protection and privacy. Security constitutes only a fraction of GDPR and is part of 1 of the 6 privacy principles (integrity and confidentiality). A simple way to assess this is to ask them. If you receive no answer, be wary. Also, adhering to the standard is about having procedures and following them, and we have seen some ISO 27001 certified companies failing on some points.

Form data

There is a GDPR principle of minimisation: it means you should not collect information that you have no legitimate right to collect. E.g. some shopping carts prompt for a date of birth by default, but if you don't need it, remove it.

If you want people to join a mailing list, consent is required: the checkbox must be unticked by default and you need to tell the data subject clearly what they will receive. Also, remember that a newsletter is not a marketing offer, so two separate boxes are required if you have both.

The data collected and how it is used needs to be included in a privacy notice.

Software updates

Note: Principle 6 (integrity and confidentiality) of GDPR states that "personal data must be processed in a manner that ensures appropriate security of the data using appropriate technical or organisational measures".

This means that the software you use to run your website needs to be kept up to date with the security-related bug fixes the software vendor has released. If you are not technically savvy, it's worth having a maintenance contract and, more importantly, someone actually doing the updates.

Our favourite web platform, Wandsoft, has a commercial model that includes the provision of regular updates as they become available and tested.

Assess security

Note: Principle of integrity and confidentiality.

You need to find out whether your website is hosted on a shared, virtual or dedicated server.

If the website is hosted on a shared server, security may be weakened if, for instance, multiple clients have FTP access. Remember that a cheap hosting plan usually means there are thousands of websites hosted and little maintenance carried out.

In such a case, you need to ensure the personal data on your website is really locked down. If someone were able to access your files, could they access the data?

In a virtual server or dedicated server environment, the server security is your responsibility. It needs to be tightened. Don't use FTP, as the data transfer is not encrypted. Use SFTP and, as much as possible, avoid installing an inbound SFTP access on the server. Avoid the use of Remote Desktop unless you have strict firewall restrictions or VPN access.

In addition, you need to audit the server:

  • logical access to the server
  • procedures in place to grant access rights
  • firewall
  • application access rights (needless to say you need to change the default password supplied by the application)

Firewalls can be complicated, and it may be a good idea to get network experts in to ensure the server is protected properly. For most websites, exposing only port 443 (HTTPS over TLS) should be enough for people accessing the site.

Plugins

Note: Principles of "integrity and confidentiality" and "data minimisation".

Some website frameworks rely on third-party plugins to add functionality. They allow website owners who are not technology savvy to add functionality with no need to learn how to code.

Sadly, not all plugins are of equal quality. You need to review/audit the plugins in use, as they may not be safe. You may need to ask a reputable programmer for help. Plugins may also be collecting personal data, so you need to ensure you only collect what is legitimate.

Hint: You need to be very careful with plugins that claim to make your website GDPR compliant. I hope that by the time you have finished reading this post you reach the conclusion that a plugin cannot solve all GDPR issues.

Databases

Note: Principle of integrity and confidentiality.

The databases must be stored on a separate, secure server from the web/application server. The database server must not have internet access, and access to it should be restricted to the web/application server.

Backups

Note: Principle of integrity and confidentiality.

With GDPR, you are responsible for the security of personal data. This includes loss of personal data. You need to have backups. Backups are only as good as the tests you run on them: you need a restore procedure and you need to test it regularly. In anything relating to contingency, always plan for the worst.

You need to find the country where the backups are stored.

  • If the backups are stored in the EU or EEA, you need to ensure you have a data-processor agreement with the backup company. It may be difficult to obtain.
  • If the backups are not stored in the EU or EEA, you need to ensure that, for the transfer of data, there is a data transfer mechanism that complies with the requirements of the GDPR. If it seems too difficult, you may consider finding a backup company that has EU or EEA data-centres (Rec.101-116; Art.44, 45).

Use a backup mechanism that allows restoration at various levels: application, data, etc. Avoid complication, and do what you can to handle data subjects requesting the right to be forgotten (personal data held in backups).
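The "right to be forgotten" problem with backups is that an erasure performed on the live database is silently undone the next time an old backup is restored. One defensive pattern is to keep an erasure ledger, stored separately from the backups, and replay it after every restore. The code below is an added illustration of that pattern, not the author's or any product's code; the record layout, the customer table and the ledger design are constructed assumptions for the example.

```python
import json
from datetime import datetime, timezone

# Constructed sample: a dump of a customer table as it was when the backup was taken.
# Customer 102 will ask to be forgotten after this backup was made.
BACKUP_RECORDS = [
    {"customer_id": 101, "name": "Alice Example", "email": "alice@example.com"},
    {"customer_id": 102, "name": "Bob Example", "email": "bob@example.com"},
    {"customer_id": 103, "name": "Carol Example", "email": "carol@example.com"},
]


class ErasureLedger:
    """Append-only list of erasure requests (assumed design, kept outside the backup set).

    The ledger holds only the key of the erased record and when the request was
    honoured, never the personal data itself, so it can be retained after erasure.
    """

    def __init__(self, entries=None):
        self.entries = list(entries or [])

    def record_erasure(self, customer_id, erased_at=None):
        erased_at = erased_at or datetime.now(timezone.utc)
        self.entries.append({"customer_id": customer_id, "erased_at": erased_at.isoformat()})

    def erased_ids(self):
        return {entry["customer_id"] for entry in self.entries}

    def to_json(self):
        # Persist the ledger separately (e.g. on the primary, not in the backup job).
        return json.dumps(self.entries)

    @classmethod
    def from_json(cls, text):
        return cls(json.loads(text))


def restore_with_ledger(backup_records, ledger):
    """Return (records_to_load, suppressed_ids): the backup minus every subject erased since."""
    erased = ledger.erased_ids()
    restored = [r for r in backup_records if r["customer_id"] not in erased]
    suppressed = sorted(erased & {r["customer_id"] for r in backup_records})
    return restored, suppressed


if __name__ == "__main__":
    ledger = ErasureLedger()
    ledger.record_erasure(102)
    # Round-trip through JSON to show the ledger survives independently of the backup.
    ledger = ErasureLedger.from_json(ledger.to_json())
    restored, suppressed = restore_with_ledger(BACKUP_RECORDS, ledger)
    print("restored customer ids:", [r["customer_id"] for r in restored])
    print("suppressed by ledger:", suppressed)
```

The restore job loads only what `restore_with_ledger` returns, and the suppressed list gives the auditor evidence that the erasure was honoured across a restore. The ledger must itself be backed up separately and restored first, otherwise it is lost with the database it protects.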

Safe browsing

Note: Principle of integrity and confidentiality.

You need to install a secure certificate (often referred to as SSL, but it should be TLS 1.2 as a minimum, since SSL is an older protocol that shouldn't be used anymore) to provide encryption between the browser and your web application. This is referred to as "https", and the website should show a small padlock. A certificate costs between nothing and €300 per annum.

Hint: The secure certificate is a good way to choose your IT, hosting or web development partner. There are at present many security vendors promising you miracles to make you GDPR compliant. Some are giving a bad name to those of us who care, as they cannot even protect the data in transit between your browser and the forms on their own websites. My advice: avoid them.

Cloudflare / DDoS mitigation

If DDoS (Distributed Denial of Service) mitigation is in use, the data is temporarily transferred, and possibly stored, outside the EU. Cloudflare, for instance, encrypts and decrypts your data with its own protocol before it is transferred to your website. You have to balance the protection of a site under attack against what the DDoS mitigation service tells you it does with the data.

The data shared or in transit, and the lawful basis for it, need to be explained in the privacy statement.

eCommerce

In addition, there are considerations around payment gateways, as they need to send credit card data to a large number of organisations. You probably don't have much say about where the information goes, but you should inform the data subject, and maybe offer bank transfer as an alternative.

Look at PayPal as an example to see where data is sent: they share data with over 600 organisations around the world.

Password protected areas

Further security audits should be performed. Also check what data is kept and inform the data subject. Obviously, the passwords must never be stored in clear text but hashed, and password "salting" is imperative to improve the safety of the stored hashes.

In cryptography, a salt is random data that is used as an additional input to a one-way function that "hashes" data, a password or passphrase. The primary function of salts is to defend against dictionary attacks, or against their hashed equivalent, a pre-computed rainbow table attack (source: Wikipedia).

Sharing of data

Depending on how your website is coded, you may be passing (a lot of) personal data to third parties without realising it. Some web developers use external libraries supplied by content delivery networks (CDNs), Google, etc. Doing so sends data such as the visitor's IP address, browser data and cookies to the third parties supplying these libraries. The third parties can, and will, then cross-reference the data collected through your site with additional personal data collected elsewhere, in complete opacity (the opposite of what the GDPR requires).

For instance it will be the case when:

  • the website uses "Google Fonts" (and anything else that Google provides),
  • CSS (such as Bootstrap, Font Awesome, etc.), JavaScript (jQuery, etc.), fonts, etc., when hosted through a content delivery network (CDN).

The data and the lawful basis (Article 6) for sharing it need to be explained in the privacy statement. Since this can be difficult to obtain, I suggest you review the code and host the core files on your own server.

Note: Some programmers will argue this will slow down the site. If the site is coded properly, it will not. Hire a proper web development company (contact me).
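Reviewing the code for third-party resources can be partly automated. The script below is an added example (not the author's tool) that parses a page's HTML and lists every host, other than your own, that the browser would contact to fetch scripts, stylesheets, fonts, images or frames, which is exactly the set of parties that will see the visitor's IP address and browser data. The sample page and the site host `example.com` are constructed for the example; `static.example.com` is treated as first party because it is a subdomain of the site.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make the browser fetch something from the named host.
RESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),        # stylesheet, preload, preconnect, dns-prefetch, icon...
    "img": ("src",),
    "iframe": ("src",),
    "source": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "embed": ("src",),
    "object": ("data",),
}


class ThirdPartyResourceFinder(HTMLParser):
    """Collect (tag, host, url) for every resource served from outside site_host."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def _is_third_party(self, host):
        # Subdomains of the site (static.example.com) count as first party.
        return not (host == self.site_host or host.endswith("." + self.site_host))

    def handle_starttag(self, tag, attrs):
        for wanted in RESOURCE_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name != wanted or not value:
                    continue
                url = value.strip()
                # Relative URLs and data: URIs have no netloc and stay on the site;
                # protocol-relative "//host/..." URLs do carry a netloc.
                host = urlsplit(url).netloc.lower()
                host = host.rsplit("@", 1)[-1].split(":")[0]  # drop userinfo and port
                if host and self._is_third_party(host):
                    self.findings.append((tag, host, url))


def find_third_party_resources(html, site_host):
    parser = ThirdPartyResourceFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def third_party_hosts(html, site_host):
    """Sorted, de-duplicated list of external hosts a visitor's browser will contact."""
    return sorted({host for _, host, _ in find_third_party_resources(html, site_host)})


# Constructed sample page mixing self-hosted and CDN-hosted assets.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link href="https://fonts.googleapis.com/css?family=Roboto" rel="stylesheet">
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap/dist/css/bootstrap.min.css">
<link rel="stylesheet" href="/css/site.css">
<script src="https://code.jquery.com/jquery.min.js"></script>
<script src="/js/app.js"></script>
</head><body>
<img src="https://static.example.com/logo.png" alt="logo">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="">
</body></html>"""


if __name__ == "__main__":
    for tag, host, url in find_third_party_resources(SAMPLE_HTML, "example.com"):
        print(f"{tag:6} {host:24} {url}")
    print("hosts to list in the privacy statement (or to self-host):",
          third_party_hosts(SAMPLE_HTML, "example.com"))
```

Run it over the saved HTML of each template on your site; every host it prints either needs a lawful basis and an entry in the privacy statement, or its files should be copied to your own server and the reference changed to a local path. Note that it only sees what is in the markup: resources pulled in by JavaScript at run time or by `@import`/`url()` inside stylesheets need a separate check, for instance in the browser's network tab.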

Privacy statement

Privacy statements are the conclusion of the analysis done reviewing what you do with personal data when people reach your website, submit forms and what happens to the data once submitted.

You also need to include the list of businesses the data is shared with, and the lawful basis on which you share it.

Conclusion

GDPR is a great opportunity to review your web processes. Many website owners may have opted for a cheap and cheerful solution for their web presence. They may not have paid much attention to good practice in data protection.

Going the GDPR compliance way will, in the medium to long run, give your business an extra competitive advantage: caring about the privacy of your clients. To me, it's priceless.


- Claude Saulnier
Brand Ambassador - Bizoneo

Post Scriptum (PS):

  • This post does not discuss cookies, nor the use of external monitoring services such as Google Analytics.
  • This post does not discuss consent for email marketing purposes either (but we are happy to recommend Bizoneo CRM to assist);
  • This post does not fully discuss the lawful basis for gathering the data. It's important, but if you read the legislation (Article 6), it should become clearer;
  • We can provide assistance to your business in the completion of the above: audit, mapping and mitigation;
  • We have a LinkedIn page that we use to share some updates. Feel free to visit and help us share a positive GDPR vibe.