Privacy By Design
Data Compliance Consulting and Technical Audits
As more companies across the enterprise turn to a digital business model, consumer data is being generated, saved and shared at an unprecedented rate. While access to a broad range of data allows for such benefits as personalized service and increased connectivity, numerous privacy regulations – both existing and imminent – introduce a unique set of risks for businesses in the online space. Through data compliance consulting, companies can take the necessary steps to ensure the personal information they collect is being used legally and responsibly, and rest easy knowing their data is protected and secure.
For example, if your company has an online presence, it will likely be affected by GDPR. As a result of this new regulation, companies are required to be clear and concise about their collection and use of Personal and Sensitive Data, making the concept of designing data protection into a system a necessity from the outset.
GDPR requires controllers (generally, the people who administer the website) to hold and process only the data absolutely necessary for the completion of their duties, referred to as ‘data minimization,’ and to limit access to Personal Data to those who need it to carry out the processing. Companies now have to assess where and how they collect data; which employees, plug-ins, vendors and third parties have access to specific user data; how securely data is stored and for how long, taking measures not to retain personal or sensitive data longer than necessary; and so forth.
GDPR is a timely example of regulation surrounding data compliance, data transparency and protection, which is a global trend with far-reaching implications. Whether you need to conform with U.S. laws such as CalOPPA, COPPA, HIPAA or Gramm-Leach-Bliley, or EU regulations such as General Data Protection Regulation (GDPR), ePrivacy Directive (Cookie Law) or VAT, Crowd Favorite is fully equipped to offer strategic guidance and execution. As a leader in the enterprise space, we employ a full team of experts that specialize in implementing the necessary technical solutions to make your website data compliant. To expand our capabilities even further, we’re proud to have partnered with a data protection legal specialist who is a fully qualified Data Privacy Officer, or DPO, to oversee our work and ensure the strongest possible finished product for our clients.
Our cross-functional team uses a comprehensive, fourfold approach to put your company’s data-use governance program in place:
- Data Protection Impact Assessment – Outline the work that must be completed for full data compliance
- Data compliance analysis – Perform a thorough website audit evaluating risk from technological and legal perspectives
- Data compliance implementation – Execute the technical changes necessary to meet data privacy and protection requirements, including forms and data code
- Data compliance management – Conduct quarterly maintenance for ongoing accountability
Data Protection Impact Assessment
Compliance begins with understanding which type of Personal Information (PI) is gathered, why it is needed, and how it is stored. Crowd Favorite can work with you to implement a systematic and extensive evaluation of data collection on your website to help identify how PI is gathered by your website. GDPR differentiates the types of information collected between Personal Data and Sensitive Data, and the different responsibilities and consent required for each.
Personal Data is any information related to an identified or identifiable natural person. Examples include:
- Phone number
- Date of birth
- IP address
- Location data
Examples of Sensitive Data include:
- Health and genetic data (height, weight, etc.)
- Biometrics or browser fingerprint
- Racial or ethnic data
- Political opinions or philosophical beliefs
- Trade union membership
- Sexual orientation
The differentiation between these two categories is important. Understanding what you are asking of your visitors is key. Do you know what your forms capture? Are you tracking people with cookies? What are you sending to third parties?
Mapping and classifying data usage is required. How is your CMS handling information? A review of the code and database is necessary to understand what information is being saved in your CMS’ database, as well as which cookies are being created and served that might be sending back bits of Personal Data. If your CMS is aligned with GDPR requirements, it should already have documentation in place that defines what information it collects “out of the box”; however, this is usually not enough. In all likelihood, your website has some customization. Taking WordPress as an example, customizations would include plugins, your theme, and other functionality introduced. These customizations should be included in a review of your site’s data usage.
An assessment of a site will take all of this into account, and will report on:
- What information is being collected on the site?
- Where is it being stored?
- How is it used? (For instance, is it used only within the site, or is it sent to a third party?)
A common example for how a website collects data is a contact form. What pieces of information do you collect in your contact form? Name? Email address? More? Once the form is submitted, where is the information stored? Is it in your database? Does it transmit directly to a third party? When your form entry is saved, are you also gathering a person’s IP address? Understanding what information is kept and why it is being collected is critical.
Additionally, it is important to know who has access to collected information. How many Admin users do you have? Are there other levels of users with access to things such as form entries or user accounts? How, and from where, can admins access collected information – over an encrypted connection, from a mobile device, on public Wi-Fi?
Data Compliance Analysis
With the Data Assessment report in-hand, technical recommendations can be created, putting in place mechanisms for obtaining affirmative consent.
- Prior to form submission, ensure consent to collection of the data is in place
- Prior to cookies being set, check for affirmative consent
- Anonymize analytics
GDPR requires that clear and unambiguous consent is obtained prior to collection. Someone affirmatively entering their name or e-mail address into a field will meet this standard.
As the name implies, sensitive data is a more sensitive matter – the information is simply of a more personal nature. Collection of this data requires explicit consent and the user must know why their information is being collected. When it comes to this type of data, nothing short of “opt in” is required. The user must not only enter the data into a field, but must also acknowledge consent by manually checking a box. To be clear, pre-checked boxes or silence do not meet the explicit consent required by GDPR. Records must be kept regarding when and how consent was given, and whether and when it was withdrawn.
Data Compliance Implementation
Technical steps can also be implemented, and these may vary depending on what is determined to be the best direction for your site to become compliant. These might include actions such as updating forms that ask for Sensitive Data with a checkbox (labeled with affirmative consent to the usage of the data) that is a required field. Without that box being checked, the data is not collected.
If your site sets cookies, for authentication or analytics tracking for example, an updated method of obtaining consent may be required. Rather than simply setting the cookie whenever it is absent, the site may need to display a consent mechanism first and set the cookie only once the visitor has accepted.
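As an added example (not Crowd Favorite’s or WordPress’s code), the following plain Node.js module shows the mechanisms described above in working form: a form handler that discards Sensitive Data unless an unchecked-by-default consent box was ticked and records when consent was given or withdrawn, an IPv4 anonymizer for the address captured with the entry, and a cookie-setting decision that waits for consent except for strictly necessary cookies. The form schema, field names and cookie names are hypothetical.

```javascript
// Added example, not Crowd Favorite's or WordPress's code: consent-gated form
// handling, consent record-keeping, IP anonymisation and a cookie consent gate.
// Hypothetical contact-form schema. The consent box must render unchecked;
// a browser only sends the field when the user ticks it.
const FORM_SCHEMA = {
  fields: ["name", "email", "health_notes"],
  sensitive: ["health_notes"],
  consentField: "sensitive_consent",
  consentText: "I agree that my health details are used to answer my enquiry.",
  consentVersion: "v1",
};
// IPv4 only: zero the last octet so the stored value no longer identifies a host.
// Anything that is not a plain IPv4 address is dropped rather than stored raw.
function anonymizeIp(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.\d{1,3}$/.exec(ip || "");
  return m ? `${m[1]}.${m[2]}.${m[3]}.0` : null;
}

// Sensitive fields are stored only when the consent box was ticked; otherwise
// they are discarded and the caller is told so (to re-prompt the user).
function processSubmission(body, schema, { ip, now = new Date() } = {}) {
  const consented = body[schema.consentField] === "on";
  const record = { ip: anonymizeIp(ip) };
  for (const f of schema.fields) {
    if (!(f in body)) continue;
    if (schema.sensitive.includes(f) && !consented) continue;
    record[f] = body[f];
  }
  const consentLog = consented
    ? { text: schema.consentText, version: schema.consentVersion,
        givenAt: now.toISOString(), withdrawnAt: null }
    : null;
  const droppedSensitive = !consented && schema.sensitive.some((f) => f in body);
  return { record, consentLog, droppedSensitive };
}

// Withdrawal is recorded alongside the original consent, not by deleting it.
function withdrawConsent(consentLog, now = new Date()) {
  return { ...consentLog, withdrawnAt: now.toISOString() };
}

// Decide whether a cookie may be set on this response. Strictly necessary
// cookies (e.g. the login session) do not wait for consent; all others do.
function cookieDecision(cookies, name, essential) {
  if (name in cookies) return { set: false, reason: "already present" };
  if (essential) return { set: true, reason: "strictly necessary" };
  if (cookies.cookie_consent === "accepted") return { set: true, reason: "consent on file" };
  return { set: false, reason: "show consent banner first" };
}
```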
It’s always a good business practice to limit the number of administrative users that have access to personal, sensitive, confidential or proprietary information. Controlling access to personal information should warrant a review of who has access to such details as user accounts or form entries. Updating custom user capabilities or reducing the number of admin users might be a necessary undertaking.
Alongside limiting administrative access to data, it is a good idea to establish reporting of site activity that involves Personal Information. Your CMS might have a reliable, or customizable, reporting tool. If not, one can be developed to your specific needs and requirements.
Executing Technical Changes for Data Retrieval
(Access, Rectification, Erasure, Portability)
Under GDPR, an individual has a right to a copy of or access to their information, to make changes to their information, and to request that information be removed from a website as well as anywhere else it is stored. There are some tools and services that remove personal information when an account is deleted, for instance, but this is not an industry standard. Crowd Favorite’s team of engineers can build the kind of administrative interfaces necessary, including consulting with your website hosting provider, for the retrieval of a user’s information, including preparing it pursuant to GDPR guidelines. This can include making the information available in a standard electronic format such as CSV or JSON, creating a zip of personal files that can be sent to the User and ported to a third party, or the removal of a person’s data from your site. As CMS tools ship in newer releases, such as the privacy tools being built into WordPress, we can take advantage of these methods and make further enhancements.
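As an added example (not Crowd Favorite’s or WordPress’s code), the following plain Node.js module implements the access and erasure parts of the retrieval work described above: gathering everything held about one person across each place the site keeps it, rendering it as CSV for the export, and erasing it from local stores while flagging third-party stores the site cannot clear itself. The store names and rows are constructed sample data.

```javascript
// Added example, not Crowd Favorite's or WordPress's code: data-subject
// access and erasure across every place a site keeps a person's data.
// Constructed sample stores, keyed the way a small CMS site might keep them.
// "external" marks data held by a third party, which the site cannot delete
// itself and must record as a pending erasure request.
const STORES = {
  users:         { external: false, rows: [{ email: "ada@example.com", name: "Ada" }] },
  form_entries:  { external: false, rows: [
    { email: "ada@example.com", message: 'Call me, "urgent"' },
    { email: "bob@example.com", message: "Hi" } ] },
  mail_provider: { external: true,  rows: [{ email: "ada@example.com", list: "news" }] },
};

// Everything held about one person, grouped by store, ready for JSON export.
function exportSubject(stores, email) {
  const out = {};
  for (const [name, store] of Object.entries(stores)) {
    const rows = store.rows.filter((r) => r.email === email);
    if (rows.length) out[name] = rows;
  }
  return out;
}

// RFC 4180-style CSV: quote every field and double embedded quotes, so a
// message containing commas or quotes cannot break the export.
function toCsv(rows) {
  if (!rows.length) return "";
  const cols = Object.keys(rows[0]);
  const q = (v) => `"${String(v ?? "").replace(/"/g, '""')}"`;
  return [cols, ...rows.map((r) => cols.map((c) => r[c]))]
    .map((line) => line.map(q).join(",")).join("\n");
}

// Remove the person from each local store and report what happened.
// Mutates `stores`; returns per-store counts and the third parties still to notify.
function eraseSubject(stores, email) {
  const erased = {}, pending = [];
  for (const [name, store] of Object.entries(stores)) {
    const keep = store.rows.filter((r) => r.email !== email);
    const removed = store.rows.length - keep.length;
    if (!removed) continue;
    if (store.external) { pending.push(name); continue; }
    store.rows = keep;
    erased[name] = removed;
  }
  return { erased, pending };
}
```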
Data Compliance Management
Responsible website management requires upkeep. Software updates are released periodically, and with each one comes the need to check that your map of where data is stored is still accurate. A major factor in websites being compromised is poor maintenance and upkeep of the site’s software.
“In most instances, the compromises which were analyzed had little, if anything, to do with the core of the CMS application itself but more with its improper deployment, configuration and overall maintenance by the webmasters.” - Sucuri
Open source software such as WordPress releases minor updates every few months, and major updates once or twice a year. In between these, security patches are released as needed. Factor in the scheduled plugin updates, and it is not uncommon to see some kind of software update on a monthly basis. Depending on the specifics of what software you run on your site, you will want to set up some kind of regular review that works for your needs and legal requirements.
Under GDPR requirements, if a website has suffered a data breach, notification is required within 72 hours. Keeping your data analysis current is critical to responding in time and mitigating the damage and impact to your company. Regular audits and keeping information up to date should not be overlooked, as the worst possible time to analyze and gather information on your website’s data usage is after a breach has occurred.
With a team of specialists covering a wide range of skill sets and backgrounds, Crowd Favorite combines industry-leading web application design expertise with proven business acumen to provide professional guidance on how to address data compliance requirements. From the initial analysis of how Personal Information is collected and managed, to developing technical solutions for compliance, we are ready to work with you on developing the right solution for your site.