Digital-based companies – here’s your cybersecurity and GDPR checklist  


SEO manager, Equator, on behalf of PwC


SEO manager at Equator, a full-service creative agency in Econsultancy's top 10 list that connects the worlds of brand, marketing and technology to deliver integrated experiences.
May 22, 2018


Are you taking the right steps for your business's online safety and compliance?

GDPR, or the General Data Protection Regulation, is a term you will likely have heard a lot recently. And not without reason.

The GDPR comes into effect on the 25th of May, which isn’t far away now. That should raise the question: ‘Are you and your business GDPR safe?’

I’ll back up a little bit. The GDPR is in place to make sure that all EU internet users’ data and personal information is safe and not misused. That’s it in a nutshell. And, it might sound simple enough, but there’s really a lot more to it than that.


Is the data secure? Is it safe from external attacks? Is it safe from internal breaches? How did you get this data? Does the person know you have it? What do you plan on doing with it? The list goes on.

However, there are a few more fundamental factors that, if adhered to, will ensure that you are on the straight and narrow.

By following the checklist below, you should safeguard yourself from any potential GDPR mishaps and any latent cybersecurity issues.

How did you get the data?

Let’s start with the basics – how did you come to be in possession of this data or personal information? If it came from a form on your site, an email sign-up, or an app download – great. This is above board, as it was the user’s choice to give you the data.

However, if you got it through other means, where the user didn’t fill out a form or otherwise hand it over themselves, then you probably shouldn’t have it, and you should record and report where you got it from.

Does the user know you have their data?

Okay, they filled in a form, or downloaded an app, and entered their personal information, but did they know that you were planning on keeping it? Was it clearly labelled on the site, the form or the app that you would be keeping this information?

If it was, again, great. If not, then, you will have to let these people know that you kept their data, and confirm with them that it’s okay to continue to do so.

What do you plan on doing with it? And do they know?

This data and information that you’ve legitimately gathered – what’s your goal for it? Are you going to be using it to populate an email list? Use it for retargeting purposes on social media? Are you going to be cold calling them during tea-time?

While I really, really hope it’s not the last one, whatever your intentions are for the data, the user, again, needs to have agreed that it’s okay for you to do so. If not, you’re not GDPR friendly.

How is it being stored and processed?

All this data and information – where is it being stored? Is it just sitting in an Excel spreadsheet on your company server? Or is it in separated, encrypted files that only privileged users can access?

I think it’s obvious which one it should be.

If you’re making physical copies, for internal use, obviously, what’s happening to these afterwards? Are they just getting thrown in the trash? Or are they being shredded or removed by a registered secure data company?

How long are you planning on storing it?

One thing that many companies have been bringing up since the announcement of the GDPR changes, is that they don’t really tell users how long their data is going to be stored for.

On the face of it, it doesn’t seem like a big deal. But – you guessed it – it is!

If you’re keeping data for a limited campaign, you must let the person know while they are submitting their information. If you’re planning on keeping it indefinitely, they must agree to that too.

Does site policy messaging clearly inform of your intent?

Now, all the above just relates to the information you already have from users you already know. But, with the changes coming up, you need to make sure that everything is above board from the get-go.

So, if any of your messaging on policy, or your forms, or downloads already didn’t inform the user of all of the above, you need to make sure it does before the 25th of May.

Do you have external safeguards in place?

While safety and GDPR compliance starts with you and your business, you cannot forget to have proper, external security measures in place.

Ransomware, malware, phishing scams, trojans, spyware, worms – even fake news! These are just some of the ways in which your site, and in turn your data, can be attacked and breached.

There are many ways in which cybersecurity can help prevent these. Do your research and make sure you are protected.

Do you have internal safeguards in place?

As much as external threats can cause issues, internal threats are also a problem. They are most likely not malicious in the way external attacks are; often it is just human error. But they still crop up.

Make sure your user access control is up to date, so that only people who are allowed to access and process certain data can actually access and process it. Make sure everyone’s email practices are also up to scratch, to decrease the chances of the wrong information being sent to the wrong person.

Little things, but they can have big consequences.
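The storage, retention and internal access-control points above all come down to the same few checks at the moment someone asks for a record: is this role allowed to process data for this purpose, did the person consent to that purpose, and is the data still within its stated retention period? The following is an added example written for this article (not code from the author, Equator or PwC) that enforces those three checks and purges expired records; the roles, purposes, addresses and dates are constructed for the demonstration.

```python
"""Purpose-limited, role-gated, time-limited storage of personal data.

Constructed example: the role model, purposes, records and dates below are
invented to illustrate the checklist points, not taken from any real system.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Which roles may process data for which purposes (assumed role model).
ROLE_PURPOSES = {
    "marketing": {"newsletter"},
    "support": {"support"},
    "admin": {"newsletter", "support"},
}


@dataclass
class Record:
    email: str
    consented_purposes: set        # what the data subject agreed to at collection
    collected_at: datetime
    retain_for: timedelta          # retention period stated when the data was collected
    data: dict = field(default_factory=dict)

    def expires_at(self):
        return self.collected_at + self.retain_for


class AccessDenied(Exception):
    def __init__(self, reason, message):
        super().__init__(message)
        self.reason = reason       # "role", "consent" or "expired"


class DataStore:
    def __init__(self):
        self._records = {}
        self.audit_log = []        # every allow/deny/purge decision, for later review

    def add(self, record):
        self._records[record.email] = record

    def access(self, user_role, email, purpose, now):
        """Return the record only if role, consent and retention all allow it."""
        record = self._records[email]
        # 1. Role check: the requester must be permitted to process for this purpose.
        if purpose not in ROLE_PURPOSES.get(user_role, set()):
            self.audit_log.append(f"DENY role={user_role} purpose={purpose} subject={email}")
            raise AccessDenied("role", f"role {user_role!r} may not process for {purpose!r}")
        # 2. Consent check: the data subject must have agreed to this purpose.
        if purpose not in record.consented_purposes:
            self.audit_log.append(f"DENY no-consent purpose={purpose} subject={email}")
            raise AccessDenied("consent", f"{email} did not consent to {purpose!r}")
        # 3. Retention check: expired data must not be used even if it is still on disk.
        if now >= record.expires_at():
            self.audit_log.append(f"DENY expired subject={email}")
            raise AccessDenied("expired", f"retention period for {email} has elapsed")
        self.audit_log.append(f"ALLOW role={user_role} purpose={purpose} subject={email}")
        return record

    def purge_expired(self, now):
        """Delete records whose stated retention period has passed; return who was purged."""
        expired = [e for e, r in self._records.items() if now >= r.expires_at()]
        for e in expired:
            del self._records[e]
            self.audit_log.append(f"PURGE subject={e}")
        return expired

    def count(self):
        return len(self._records)


def outcome(store, user_role, email, purpose, now_iso):
    """Convenience wrapper: 'allow' or the denial reason, with the time given as ISO 8601."""
    try:
        store.access(user_role, email, purpose, datetime.fromisoformat(now_iso))
        return "allow"
    except AccessDenied as exc:
        return exc.reason


def build_demo_store():
    """Constructed sample data: two sign-ups collected on 1 May 2018."""
    t0 = datetime(2018, 5, 1, tzinfo=timezone.utc)
    store = DataStore()
    store.add(Record("alice@example.com", {"newsletter"}, t0, timedelta(days=90)))
    store.add(Record("bob@example.com", {"support"}, t0, timedelta(days=30)))
    return store


if __name__ == "__main__":
    store = build_demo_store()
    for args in [("marketing", "alice@example.com", "newsletter"),
                 ("marketing", "bob@example.com", "newsletter"),
                 ("support", "alice@example.com", "newsletter"),
                 ("support", "bob@example.com", "support")]:
        print(args, "->", outcome(store, *args, "2018-05-22T00:00:00+00:00"))
    print("purged:", store.purge_expired(datetime(2018, 6, 15, tzinfo=timezone.utc)))
    print("\n".join(store.audit_log))
```

The audit log is the part that matters for the "human error" case: a denied request is not silently swallowed but recorded, so a mis-addressed export or an over-privileged account shows up in review rather than in a breach notification.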

Have you/your staff undertaken cybersecurity training?

As part of your internal safeguarding, conducting cybersecurity training with your organisation to make sure you’re taking the right steps certainly won’t do any harm. While you can read up on GDPR until your eyes hurt, and check off as many checklists as you can get your hands on, it won’t guarantee that you’re 100% safe.

Every business is different, and, these regulations will affect each one differently. Play it safe, if possible, and make sure that your workforce, and yourself, are as up to speed as possible. Even if this does involve large-scale training.

Have all third parties been vetted?

If you work with third parties, whether they are a supplier or a contractor, you need to make sure that they are adhering to all of the above, just like you.

It’s no use to anyone if you and yours are 100% GDPR-compliant and have great cybersecurity knowledge, only for your freelance copywriter to mess things up.

If they are not educated, make it your personal goal to do so. Make sure they know what they are liable for, and what the consequences would be if they were not to stick to your stipulations.

2 Comments
Filipe Martins
May 23, 2018 1:35 pm

A proper SSL/TLS config and correct website security headers should also be part of the GDPR preparations!
Here is how to do it:

How to Activate HTTP/2 with TLS 1.3 Encryption in NGINX for Secure Connections without a Performance Penalty
https://www.cloudinsidr.com/content/how-to-activate-http2-with-ssltls-encryption-in-nginx-for-secure-connections/

and

Fixing your Web Server’s Security Headers: From Hall of Shame to Hall of Fame
https://www.cloudinsidr.com/content/fixing-your-web-servers-security-headers-from-hall-of-shame-to-hall-of-fame/

Luck favors the prepared ones! 🙂
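The comment above recommends checking a site's security headers. As an added example, not the commenter's code nor anything from the linked articles, the function below audits a set of response headers against a baseline of widely recommended headers (HSTS, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy) and flags headers that disclose software versions. The thresholds (for instance a one-year HSTS max-age) are assumed common recommendations, and the two sample responses are constructed, not fetched from any real site.

```python
"""Audit a web server's response headers against a baseline checklist.

Added example. The baseline below is an assumed set of widely recommended
headers; the sample responses are constructed, not captured from a real site.
"""
import re

SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}


def hsts_max_age(value):
    """Extract max-age seconds from a Strict-Transport-Security value (0 if absent)."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0


# header name (lower-case) -> (what is expected, predicate on the header value)
BASELINE = {
    "strict-transport-security": (
        "HSTS with max-age of at least one year",
        lambda v: hsts_max_age(v) >= 31536000,
    ),
    "content-security-policy": (
        "a CSP that sets default-src and does not allow every origin",
        lambda v: "default-src" in v and "default-src *" not in v,
    ),
    "x-content-type-options": (
        "nosniff",
        lambda v: v.strip().lower() == "nosniff",
    ),
    "x-frame-options": (
        "DENY or SAMEORIGIN to resist clickjacking",
        lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    ),
    "referrer-policy": (
        "a policy that does not leak full URLs cross-origin",
        lambda v: v.strip().lower() in SAFE_REFERRER,
    ),
}

# Headers that commonly carry a product version string; better trimmed or removed.
DISCLOSING = ("server", "x-powered-by")


def audit_headers(headers):
    """Return a list of (header, finding) for everything missing, weak or disclosing.

    `headers` is a mapping as an HTTP client library would return it. Names are
    compared case-insensitively because HTTP header names are case-insensitive.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, (expected, ok) in BASELINE.items():
        if name not in lower:
            findings.append((name, f"missing (expected {expected})"))
        elif not ok(lower[name]):
            findings.append((name, f"weak value {lower[name]!r} (expected {expected})"))
    for name in DISCLOSING:
        if name in lower and re.search(r"\d", lower[name]):
            findings.append((name, f"discloses a version: {lower[name]!r}"))
    return findings


# Constructed sample responses: a typical out-of-the-box server and a hardened one.
WEAK_RESPONSE = {
    "Server": "nginx/1.14.0",
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOWALL",
}
HARDENED_RESPONSE = {
    "Server": "nginx",
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {len(audit_headers(resp))} finding(s)")
        for header, finding in audit_headers(resp):
            print(f"  {header}: {finding}")
```

To run this against a live site you would pass in the headers returned by your HTTP client of choice; the check itself is read-only, so it can sit in a deployment pipeline and fail the build if the hardened configuration regresses.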

Andy Baran
July 13, 2018 10:33 am

Hi Chris,

This is a very nice overview of the necessary steps digital companies need to take in order to comply with the GDPR. I would love to know your expert opinion regarding the business tactic many turn to, which implies cutting off EU users completely in order to comply with the new data privacy regulation. I have discussed this problem in my article published on SEOptimer’s blog: https://www.seoptimer.com/blog/how-gdpr-impacts-seo-and-digital-marketing/

Let me know your thoughts.

All best,
Andy
