GDPR: Most In-Depth Compliance Guide
The introduction of the European Privacy Act on Online Data will have a major impact on how organizations handle and manage users' personal data. The law, passed in January, will be fully enacted in 2018. For organizations that regularly handle the customer or personal data of European citizens, questions arise about the technical implications for their web applications and operations.
This law’s main directive empowers individuals to control their data. It means that, from the moment it is submitted, entities that ask people for online personal information must inform them exactly what will happen to that data.
The most important aspects of the law are these four:
- “Easier access to your own data: more information will be available to individuals about how their data is processed and this information should be available in a clear and understandable way.”
- “Data portability right: transferring your personal data between service providers will be easier.”
- “A clarified ‘right to be forgotten’: the data will be deleted if you no longer want your data to be processed and if there is no legitimate reason to retain it.”
- “The right to know when your data has been hacked: for instance, companies and organizations need to notify the national supervisory authority as soon as possible of serious data breaches so that users can take appropriate action.”
So how do you implement a directive-compliant application that gives users full control of their personal data? Here are fifteen guidelines, based on the OWASP Top Ten Privacy guidelines:
1. Determine whether the app really needs all the personal data it requests
The ideal implementation of privacy stores as little personal data as possible: date of birth, name, country of residence and so on only when they are actually needed. This is not possible in all cases; some entities will need more information. In every case, though, developers and management should define exactly which data is absolutely necessary and collect nothing beyond it.
2. Encrypt and inform users of all personal data
If an application needs to store personal information, the data should be protected with proper, strong cryptography: encryption for fields the application must read back, and hashing for values it only ever needs to verify, such as passwords. In the Ashley Madison data breach, all personal data was in clear text, with enormous consequences for its users. Users should be explicitly told that all their personal data, including telephone numbers, country of residence and address, will be encrypted or hashed in order to prevent extraction and exposure in the event of a data breach.
3. Think OAuth for data portability
Single sign-on protocols such as OAuth let users create accounts simply by linking another account, and also ensure that nothing beyond the other service's authentication identifier is stored.
4. Ensure secure communication via HTTPS
Many entities do not use HTTPS for their websites because they do not consider it necessary. For example, if the application requires no form of authentication, HTTPS may not seem necessary. But some things are easy to overlook: some applications collect personal information through their “contact us” forms, and if that information is sent in clear text it is exposed in transit across the Internet. You should also ensure that the TLS (SSL) certificate has been deployed properly and that the server is not exposed to known SSL/TLS protocol vulnerabilities.
5. Inform users about personal data collected through the ‘contact us’ form, and encrypt it
Applications do not only collect information through authentication or subscription, but also through contact forms. Most of this information is personal, including email address, telephone number and country of residence. Users need to be told how and for how long these data will be stored, and strong encryption should be used to store them.
6. Make sure sessions and cookies expire and are destroyed after logout
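An added example of this guideline (not code from the original article): a server-side session store with an idle timeout, an absolute lifetime, explicit destruction on logout, and a cookie carrying the `Secure`, `HttpOnly` and `SameSite` attributes. The timeout values and the cookie name `sid` are assumptions; the clock is injectable so that expiry can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies (assumed policy)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime regardless of activity (assumed)


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


class SessionStore:
    """In-memory session store with idle and absolute expiry and explicit
    destruction on logout. `clock` is injectable so expiry can be tested."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def create(self, user_id: str) -> str:
        now = self._clock()
        # 32 random bytes from the OS CSPRNG: ids cannot be guessed or enumerated
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user_id, now, now)
        return sid

    def get(self, sid: str):
        """Return the session's user id, or None if unknown or expired.
        Expired sessions are deleted on access, not merely ignored."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created_at > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s.user_id

    def destroy(self, sid: str) -> None:
        """Logout: remove the server-side record, so the cookie value is
        useless even if the browser keeps it."""
        self._sessions.pop(sid, None)

    def destroy_all_for_user(self, user_id: str) -> int:
        """Invalidate every session of a user, e.g. after a password change."""
        doomed = [sid for sid, s in self._sessions.items() if s.user_id == user_id]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


def session_cookie(sid: str, max_age: int = IDLE_TIMEOUT) -> str:
    """Set-Cookie value whose attributes keep the id off plain HTTP (Secure),
    away from script access (HttpOnly) and out of cross-site requests (SameSite)."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["secure"] = True
    c["sid"]["httponly"] = True
    c["sid"]["samesite"] = "Lax"
    c["sid"]["max-age"] = max_age
    c["sid"]["path"] = "/"
    return c.output(header="").strip()


def logout_cookie() -> str:
    """Expire the cookie in the browser as well as destroying it server-side."""
    c = SimpleCookie()
    c["sid"] = ""
    c["sid"]["max-age"] = 0
    c["sid"]["path"] = "/"
    return c.output(header="").strip()


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")            # constructed sample user
    print(session_cookie(sid))
    print(store.get(sid))                  # alice
    store.destroy(sid)
    print(store.get(sid), logout_cookie()) # None, cookie that clears sid
```

The server-side record is the source of truth: destroying it on logout is what ends the session, and `logout_cookie` only keeps the browser tidy. The absolute timeout bounds the damage from a session id that leaks but keeps being refreshed by activity.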
7. Do not monitor user activity for business intelligence without consent
Many e-commerce applications on the web track users to determine their tastes through their searches or products bought. Often, companies such as Amazon and Netflix use this sort of information for their recommender systems. Because users’ personal taste and choices are being monitored and stored for commercial purposes, the users should be able to accept or reject this as an option. If users decide to accept such tracking, they should then be told how the data is saved in the system and for how long. And, of course, anything related to personal information should be encrypted.
8. Tell users about logs that save location or IP addresses
Many applications use IP addresses or locations as a parameter to control authentication and authorizations, and they log this information in case someone attempts to bypass authentication controls. Users should be told about this, as well as how long the logs will be saved in the system. Never include more sensitive information such as passwords in the logs.
9. Store logs in a safe place, preferably encrypted
Keep any logs that contain user information in a safe place and inform users about what happens to these logs: how they are stored and how long they are retained. The logs themselves should be encrypted.
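An added example covering guidelines 8 and 9 together (example code, not from the original article): a sanitiser that runs over structured log lines before they are written, redacting password-like fields, truncating client IP addresses so they identify a network rather than a subscriber, and purging lines older than a stated retention window. The field names, the retention period and the sample log lines are all constructed for this example.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Keys whose values must never reach a log file (assumed list; extend for your app)
SECRET_KEYS = {"password", "passwd", "new_password", "token", "authorization", "secret"}
IP_KEYS = {"ip", "client_ip", "remote_addr"}
LOG_RETENTION = timedelta(days=30)   # assumed policy; state it in your privacy notice


def mask_ip(value: str) -> str:
    """Keep the network part for abuse analysis but drop the host part:
    IPv4 is truncated to /24, IPv6 to /48. Non-addresses pass through unchanged."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return value
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def sanitize_record(record: dict) -> dict:
    """Return a copy with secrets redacted and IP fields masked, recursing into nested dicts."""
    clean = {}
    for key, value in record.items():
        lowered = key.lower()
        if lowered in SECRET_KEYS:
            clean[key] = "[REDACTED]"
        elif isinstance(value, dict):
            clean[key] = sanitize_record(value)
        elif lowered in IP_KEYS and isinstance(value, str):
            clean[key] = mask_ip(value)
        else:
            clean[key] = value
    return clean


def sanitize_line(line: str) -> str:
    """Sanitise one JSON log line; this is the hook to call from the log handler."""
    return json.dumps(sanitize_record(json.loads(line)), sort_keys=True)


def purge_expired(lines, now, retention=LOG_RETENTION):
    """Drop lines whose 'ts' is older than the retention window.
    `now` may be a datetime or an ISO-8601 string with offset."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    kept = []
    for line in lines:
        ts = datetime.fromisoformat(json.loads(line)["ts"])
        if now - ts <= retention:
            kept.append(line)
    return kept


# Constructed sample log lines (documentation address ranges, not real systems)
SAMPLE_LOG = [
    '{"ts": "2018-05-01T10:00:00+00:00", "event": "login_failed", "user": "alice", '
    '"client_ip": "203.0.113.45", "password": "hunter2"}',
    '{"ts": "2018-05-20T12:30:00+00:00", "event": "login_ok", "user": "bob", '
    '"client_ip": "2001:db8:1234:5678:9abc:def0:1234:5678"}',
    '{"ts": "2018-06-10T08:15:00+00:00", "event": "password_change", "user": "alice", '
    '"request": {"new_password": "tr0ub4dor"}, "client_ip": "203.0.113.46"}',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(sanitize_line(line))
    print(len(purge_expired(SAMPLE_LOG, "2018-06-15T00:00:00+00:00")), "lines retained")
```

The first sample line shows why redaction must happen before the write: a failed-login event that echoes the submitted form would otherwise record the password a user mistyped, which is often their real password for another service.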
10. Security questions should not rely on users’ personal data
In many applications, security questions are used as a form to confirm the identity of a user. These questions should not include personal components such as mother’s maiden name or even the user’s favorite color. If possible, replace these questions with two-factor authentication. If that isn’t possible, let users create their own questions and warn them against creating questions that contain personal data. Any information provided should be encrypted.
11. Create clear terms and conditions and make sure users read them
Don’t hide away your terms and conditions. Under the new EU privacy laws, terms and conditions should be on the landing page of any web application and be highly visible at all times while the user navigates the application. An enforcement mechanism is necessary so that users have to agree to the terms and conditions before being allowed to access the app, especially when the terms have changed. The terms and conditions should also be written in language that is easily understood.
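An added example serving guidelines 7 and 11 together (example code, not from the original article): a consent record that stores which version of the terms a user accepted and whether they opted in to behavioural tracking. A request gate blocks everything except the terms page until the current version has been accepted, and the tracking sink silently drops events for users who have not opted in. The version string, the route names and the in-memory store are assumptions for this example.

```python
import time
from dataclasses import dataclass

CURRENT_TERMS_VERSION = "2018-05"   # bump whenever the wording changes (assumed value)


@dataclass
class Consent:
    terms_version: str
    accepted_at: float
    tracking_opt_in: bool = False   # behavioural tracking is off unless the user chooses it


class ConsentStore:
    """Per-user record of terms acceptance and tracking choice."""

    def __init__(self, clock=time.time):
        self._records = {}
        self._clock = clock

    def accept_terms(self, user_id, version, tracking_opt_in=False):
        # Re-acceptance replaces the old record, so the timestamp proves which
        # wording the user actually saw.
        self._records[user_id] = Consent(version, self._clock(), tracking_opt_in)

    def withdraw_tracking(self, user_id):
        rec = self._records.get(user_id)
        if rec is not None:
            rec.tracking_opt_in = False

    def must_reaccept(self, user_id, current=CURRENT_TERMS_VERSION) -> bool:
        rec = self._records.get(user_id)
        return rec is None or rec.terms_version != current

    def may_track(self, user_id, current=CURRENT_TERMS_VERSION) -> bool:
        # Consent given under superseded terms does not carry over.
        rec = self._records.get(user_id)
        return rec is not None and rec.terms_version == current and rec.tracking_opt_in


def gate_request(store: ConsentStore, user_id, path: str) -> str:
    """Middleware-style check: only the terms page is reachable until the
    current terms have been accepted."""
    if path.startswith("/terms"):
        return "allow"
    return "redirect:/terms" if store.must_reaccept(user_id) else "allow"


def track(store: ConsentStore, user_id, event: dict, sink: list) -> bool:
    """Append a behavioural event only for users who opted in; returns whether it was stored."""
    if not store.may_track(user_id):
        return False
    sink.append({"user": user_id, **event})
    return True


if __name__ == "__main__":
    store = ConsentStore()
    events = []
    print(gate_request(store, "alice", "/shop"))          # redirect:/terms
    store.accept_terms("alice", CURRENT_TERMS_VERSION, tracking_opt_in=False)
    print(gate_request(store, "alice", "/shop"))          # allow
    print(track(store, "alice", {"viewed": "sku-42"}, events))   # False
```

Storing the accepted version rather than a bare boolean is what makes the "especially when terms have changed" requirement enforceable: a version bump automatically sends every user back through the gate.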
12. Inform users about any data sharing with third parties
If your organization shares personal data with third parties, whether they are external plugins, affiliates, or government organizations, that fact should be included in the terms and conditions.
13. Create clear policies for data breaches
One of the most important aspects of the EU law is the right of users to be informed if a data breach occurs. Organizations must implement clear policies that establish roles and steps to follow so that, for example, users are promptly informed about any breach.
14. Delete data of users who cancel their service
Many web applications do not make it clear what happens with personal data after a user has canceled the service or deleted an account. With the right to be forgotten, companies should respect the right of users to delete all their account information and related data. It must be visible to users that they can leave a service and all their data will be deleted. Companies that treat deleted accounts as merely inactive could run afoul of the law.
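An added example of the difference this guideline draws (example code, not from the original article): an "inactive" flag leaves every personal record in place, whereas a real erasure removes the user row and, through foreign keys declared `ON DELETE CASCADE`, every dependent row with it. The verification function counts what is left so the deletion can be proven rather than assumed. The schema, table names and sample data are constructed for this example; SQLite is used because it ships with Python.

```python
import sqlite3

SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL,
    active INTEGER NOT NULL DEFAULT 1
);
CREATE TABLE orders (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    shipping_address TEXT NOT NULL
);
CREATE TABLE search_history (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    query TEXT NOT NULL
);
"""

# Fixed allow-list of tables holding personal data; never derived from user input
PERSONAL_TABLES = {"users": "id", "orders": "user_id", "search_history": "user_id"}


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # off by default in SQLite; cascades need it
    conn.executescript(SCHEMA)
    return conn


def seed(conn, user_id=1):
    """Constructed sample data for one user."""
    conn.execute("INSERT INTO users (id, email) VALUES (?, ?)",
                 (user_id, "alice@example.com"))
    conn.executemany("INSERT INTO orders (user_id, shipping_address) VALUES (?, ?)",
                     [(user_id, "1 Example Street, Dublin"),
                      (user_id, "2 Example Street, Dublin")])
    conn.execute("INSERT INTO search_history (user_id, query) VALUES (?, ?)",
                 (user_id, "winter boots"))
    conn.commit()


def deactivate_account(conn, user_id):
    """The 'inactive flag' anti-pattern: the user can no longer log in, but
    every personal record is still retained."""
    with conn:
        conn.execute("UPDATE users SET active = 0 WHERE id = ?", (user_id,))


def erase_account(conn, user_id):
    """Right-to-be-forgotten deletion: removing the parent row cascades to
    every dependent table inside one transaction."""
    with conn:
        conn.execute("DELETE FROM users WHERE id = ?", (user_id,))


def residual_rows(conn, user_id) -> int:
    """Verification: how many rows about this user remain across all
    personal-data tables. Must be 0 after erase_account."""
    total = 0
    for table, column in PERSONAL_TABLES.items():
        (n,) = conn.execute(f"SELECT COUNT(*) FROM {table} WHERE {column} = ?",
                            (user_id,)).fetchone()
        total += n
    return total


if __name__ == "__main__":
    conn = open_db()
    seed(conn)
    deactivate_account(conn, 1)
    print("after deactivate:", residual_rows(conn, 1))   # 4: nothing was deleted
    erase_account(conn, 1)
    print("after erase:", residual_rows(conn, 1))        # 0
```

Backups, analytics copies and logs are outside the reach of a `DELETE`; an erasure procedure should list those stores too and either purge them on the same request or document their retention period.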
15. Patch web vulnerabilities
As mentioned on the OWASP Top 10 list, one of the major data privacy risks involves web application vulnerabilities: “Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach.” Make sure your organization has a program in place to assess cyber risks, run penetration tests and apply patches effectively.
Share your best practices for apps that are compliant with privacy law below.
The contents of this website reflect the views of the author(s) and are not necessarily those of Micro Focus, its subsidiaries, or other affiliated companies. The information contained in this website is provided for informational purposes only, and should not be construed as legal advice on any matter. The only warranties for Micro Focus products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein.