Data Protection Day is a global event that takes place annually on January 28th. The day aims at raising awareness of the right to data protection.
Globally, 30,000 websites are hacked daily and 64% of companies worldwide have experienced at least one cyber attack. Read more terrifying statistics in this blog post from Techjury.
Hacking attempts have affected members of the team here at Studio 24 – from school dinner accounts to water bills to moving house.
Data protection is important to us personally and professionally. We are a Cyber Essentials Plus accredited agency and we take data privacy seriously. We advise clients on how best to process data online and we implement best practice methods to ensure data security.
In this post, we want to share with you some of the ways we work, plus tips and advice for improving data protection.
Working practices to improve data protection
There are many things you can introduce to your organisation that will improve data protection. This is not an exhaustive list, but these are good foundations on which to build data security:
- Write a policy – data protection is such an important area that it is crucial everyone in your organisation understands what personal data is gathered, how it is stored and, most importantly, how it is processed.
- Use antivirus and firewall software – make sure that you have a firewall in place when online. Most operating systems have one built in, and various commercial offerings are also available. We use ESET due to its reliability and support. Many hardware firewall devices are also available and can add an extra layer of protection.
- Secure your organisation passwords with a password manager – this is a helpful guide to sourcing a password manager. While we’re talking about passwords, the National Cyber Security Centre has some really good guidance on managing passwords and on generating strong and easy-to-remember passwords.
- Use two-factor authentication (2FA) – it adds a second check beyond the password, so a stolen or guessed password on its own is not enough to get into your accounts or your website.
- Use secure private storage – ensure private documents and data are stored in a secure location where only the users who need access to it have access. Major cloud platforms like Microsoft and Google both offer good options to help enforce data security. If you need to share the data ensure it’s only available to the relevant people. We use private folders for sharing documents with our team and have separate folders when sharing information with external people.
- Encrypt drives – many modern operating systems can encrypt the hard drive contents by default. This helps to ensure that if the device is stolen the data on it is unreadable.
- Get a pen test for your website – a penetration test will identify potential cyber security vulnerabilities, showing where hackers might attempt to gain access to confidential data. We use Zoonou for pen testing.
- Keep up to date – make sure that security updates, patches, and operating system (OS) updates are installed. Not just on your servers but on the device(s) you use to connect to them.
Data protection for your website users
GDPR sets out regulations for dealing with personal data and there are significant penalties for breaching these regulations. We can’t go into precise detail on everything, especially as we are not qualified to give legal advice, but essentially it boils down to:
- Having good legal reasons to store and manage user data
- Being clear to users about which data you are storing on them, why you are storing it, and how it will be used
- Having mechanisms in place to identify and announce any data breaches to both users and the relevant authorities
- Having the ability to provide users with the personal data you store about them at their request
- Having the ability to delete a user's personal data at their request (although you can keep certain data if there are good legal reasons for doing so, e.g. financial audits or similar)
- Giving users the ability to opt out of tracking, or of other mechanisms for tracking and storing personal data, unless it is legally justified
- Not retaining personal data for longer than is necessary
It is possible that GDPR will be replaced by a UK specific data protection regulation post Brexit, but you will still need to comply with GDPR in the meantime, and you will still need to comply with GDPR if any of your users are accessing your website from within the EU.
Reviewing data privacy
The first steps you should think about when it comes to storing any user data:
- Do we really need this data?
- If so, why?
- If not, we should remove it from our system to reduce the associated risks and simplify compliance with GDPR
We review data privacy requirements for clients in every project since each project has individual requirements. Areas we explore include:
- What personal data is collected (any data that directly or indirectly identifies a person)?
- Is any data considered sensitive (e.g. protected characteristics, health data)?
- Why do we need this data, and can we limit data collection?
- How long do we need to retain personal data for?
- Can we support data portability (allowing users to export their data)?
- Is there any automated decision-making in this project and how can we ensure this is fair?
Common techniques we use to protect personal data include:
- Using positive opt-in for any consent to data collection, and not making consent a condition of using the service. Using clear language so that users understand what data is collected.
- Storing personal data encrypted at rest.
- Using application-level encryption to store sensitive personal data.
- Automating data deletion where we have fixed data retention times.
- Where third-party cookies are used, implementing a cookie manager tool and, ideally, not setting third-party cookies without consent. Informing users how cookies are used on the website, including third-party cookies.
- Ensuring there is a data privacy web page detailing how personal data is processed and how users can request their data or request its deletion. We can assist with managing these requests via our support service.
- Recommending Matomo analytics as an alternative to Google Analytics, since it offers stronger data privacy.
High standards of data protection in our projects
We’ve worked on various projects where data protection and cyber security have been key elements. You can read more in these case studies:
- Working with the UK Health Security Agency to help beat COVID-19
- An online consultation for the Heathrow Airport Expansion Plan
Data protection is a really big subject and even in this short post it probably feels like we’ve bombarded you with information! If data protection on your website is something you’d like to know more about please get in touch.