There are, however, other signals that your website can provide to visitors to indicate your commitment to preserving their privacy rights. In this article we consider a number of those concerns, from tools that you can use to give visitors control over processing to technical measures that you should ensure your website provider is implementing where appropriate.
Cookie banners that do not give your visitors control of the cookies that are used on your website do not meet the principle of transparency and control required by data protection legislation. Our Trilateral data protection team has recently reflected on the updated guidance of data protection authorities as to what is considered valid cookie consent.
A key requirement for achieving valid cookie consent is providing your visitors with control over how their data is processed vis-a-vis non-essential cookies. If you do not have a mechanism to inform and provide control to your visitors on your website, this is an area which should be urgently reviewed.
SSL – Encryption in Transit
You may have heard about Secure Sockets Layer (SSL). Although it has been superseded by Transport Layer Security, it is still the term that is widely used to describe the encryption of communications between your web server (where your website is hosted) and your website visitor.
In recent years there has been a significant increase in the adoption of SSL, however, there are still many websites that do not implement it correctly, if at all. Websites that fail to implement it in a correct manner may not be enforcing HTTPS rewrites (ensuring that if a webpage is requested on your website that it the connection is made via SSL even if not first requested by the visitor’s browser).
Below are some queries to ask your website provider to ensure they are effectively securing communications:
- Is SSL configured for your website?
- Are HTTPS redirects enforced?
- Is an HSTS Header configured?
If you determine that you need to setup SSL for your website, ensure that your website provider has a strategy for migrating your current web page locations from the old scheme (HTTP) to the new (HTTPS). Often, if this is done without the right migration considerations (e.g., putting in place webpage redirects to ensure that the old URL’s direct the visitor to the new URL location), this can have an impact on your search engine rankings. Furthermore, informing the search engines that your URL’s have changed to the new secure scheme (HTTPS) is also something that your website provider should undertake on your behalf.
Websites that do not secure their communications and are processing personal data risk exposing their visitors to potential harm. SSL certificates are readily available and cost-effective. There is no excuse for not using them where personal data processing is concerned.
Does your website have a Content Management System (CMS)?
Often a website’s content is managed by a CMS. It may also provide a login functionality for your users where their personal data is managed. Below are some considerations to be taken into account when you have a CMS managing your website content:
- Is the CMS platform periodically updated? – As well as ensuring that new features are available to you, regularly updating your CMS platform also ensures that you have the latest security patches in place to protect your users;
- Are new vulnerabilities monitored? – In between platform updates, there may be security vulnerabilities discovered and fixed by the CMS vendor that necessitate an update outside of a normal update schedule, to ensure that your website is protected;
- Does your CMS use extensions/plugins? These are features developed and maintained by third parties and need to be updated periodically, separate to the CMS platform;
- Authentication – if there is user login functionality on your website, you should take efforts to ensure that there are adequate password policies in place as well as a password reset function which does not compromise your website. Where possible and considering the risk of the type of personal data processing you do, it may also be appropriate to enforce two-factor or multi-factor authentication;
- Forms – Does your website collect data through web forms? Often a form may submit the data to an external collection point (e.g., email address) but the form submission is nonetheless retained within the CMS. If this is the case, you should ensure that appropriate technical measures have been applied to secure it and that it comes within the scope of your retention policies. We have seen instances where web form collection has been happening for years and the CMSs collection of that data has been forgotten about and left to amass;
- A further consideration when using forms on your site is to ensure that you are informing your visitors at the point of collection as to the reason why you are asking for their personal data and how it will be processed by your organisation. Consider whether you need to collect and record a visitors’ consent to process their personal data, and how this consent is managed;
- Backup – CMSs are often powered by databases that are responsible for collecting personal data. Ensure that your provider has appropriate backup measures in place to respond to and restore your website should an incident occur.
Protecting your visitors as they leave your website
Websites may disclose the personal data of their users to third parties when a user clicks on a link that brings them to an external website. This is because the website that a user clicks through to is sent referring information about the website that delivered the user there. Depending on the context of your website, this can reveal personal (and sometimes sensitive) data about your users.
There are methods to limit the referrer information that is sent when a user clicks an external link from your website and it is recommended that you ensure that your website provider has implemented these mitigations if appropriate.
Define a Content Security Policy
A Content Security Policy (CSP) helps detect and mitigate certain attacks such as Cross-Site Scripting (XSS) and data injection attacks. The controls that can be put in place when defining a CSP include specifying the trusted sources that your website can execute code from (for example, if you have included code from third parties on your website). Any execution of code from sources that have not been declared as trusted, will be blocked. Your website provider can configure an appropriate Content Security Policy for your website.
Protecting your website from attack
Ensuring the continued integrity, availability (CIA) and resilience of your website and the personal data it processes can be met by adding additional layers of security. Features such as automatic HTTPS rewrites, Denial of Service (DoS) attack prevention and firewall protection can be added with services such as Cloudflare and Sucuri.
These are a few of the considerations for ensuring that appropriate technical measures are in place on your website to meet your data protection security obligations. Should you need additional help with your data protection compliance, please contact our team.