Operational Compliance

Data protection and privacy laws, like the GDPR and the CPRA, cannot be satisfied by just updating a website’s privacy policy, although that is always a good idea. A website can drift out of compliance with the applicable national, state, or local laws over time, especially as changes are made to the website or its infrastructure. The following sections discuss just a few of the practices that a website owner/operator should have in place to remain in compliance.

Security Measures

Completely securing the data collected and stored by a website, as well as the database necessary to the operation of the website, is easier to do on a private, in-house web server or server infrastructure. If a website is instead co-located or hosted by a web hosting service, whether in the cloud or not, the security surrounding the website is not directly under the control of the site’s owners or operators. In either situation, where the website is hosted does not matter if a data breach involves the theft of a user’s PII: the party held responsible is the site owner.

Data protection and privacy laws, for the most part, require website owners to have appropriate physical, technical, and organizational security measures in place. The level of security implemented must, at a minimum, match or exceed the risk to the individuals whose data the site keeps. Weaknesses in this area can include failing to encrypt sensitive or private data, not implementing risk or vulnerability assessment policies and practices, or not conducting security training for operations personnel.

“Lawful Basis”

The GDPR defines six reasons, or “lawful bases,” for collecting, processing, or storing a user’s personal information: consent, contract, legal obligation, legitimate interests, public task, and vital interests. A website needs to apply only one of these reasons to comply, but as with most things, more is better.

  • Consent—Only a user can give consent, which must meet the following conditions:

    • Informed—The user must understand to what or for what he or she is giving consent.

    • Active—The user has opted-in and has not revoked his or her consent.

    • Unambiguous—The user personally makes the selection that indicates consent is given. Consent indicators, such as a checkbox, cannot be preselected.

    • Specific—The user must understand specifically for what consent is given.

    • Retractable—The user has the right and the access to revoke consent whenever he or she wishes.

  • Contract—The personal data retained are to fulfill the terms of a contract.

  • Legal obligation—The personal data are needed to meet the requirements of a law or requirement outside of a contract, such as tax information.

  • Legitimate interest—There must be a legal and defensible reason for processing personal data that outweighs the interests and rights of the person who is the data subject.

  • Public task—The personal data are needed to fulfill a public obligation or as an exercise of legal authority.

  • Vital interests—The personal data are required to serve the vital interests of the person, such as in the case of a medical emergency.

Data Handling

Securing stored data is a requirement in virtually all data protection and privacy laws, but many laws extend the protection requirements for personal data beyond storage, for example to:

  • Data transfers between countries, states, and business entities

  • Black letter (written) requirements for the processing of personal data that record when, what, and why processing took place

  • Performance of impact assessments for processing that places personal information in a high-risk situation

  • Formal data breach response plans that spell out the timing and methods to be used to notify the appropriate authorities and the data owner

  • A clear statement of the rights of individuals to revoke or amend their consent to the capture, storage, and use of their personal information

  • A policy statement that defines the data retention parameters for personal information and details when, why, and how the data will be retired
