(Third in a series of articles from Arke on the practical application of the GDPR to clients who use marketing technology platforms. You can read the introduction to the GDPR in part one. Part two is on Consent and Data Governance.)
The European Union’s new legal framework for data protection imposes new requirements on marketers who collect personal data. Known as the General Data Protection Regulation (GDPR), the legislation requires marketers to ensure adequate security to protect the privacy of data subjects.
The GDPR, which goes into effect May 25, 2018, defines “data subjects” as “identified or identifiable natural person[s].” More simply, data subjects are all of the people from whom or about whom you collect information in connection with your business and its operations.
While the GDPR was designed to protect European Union (EU) residents, it has global reach. It affects any company that handles the personal data of any EU residents — regardless of where the company is based.
GDPR Sets Security Standards
Under GDPR, marketers are required to encrypt all personally identifiable information (PII), when the data is at rest as well as when it’s in transit. PII is any data that can be used to identify a specific individual.
For practical purposes, this means all web browser connections must occur over HTTPS (HTTP Secure). HTTPS is the hypertext transfer protocol that creates a secure encrypted connection between the web server and the web browser.
HTTPS aims to prevent personal data from interception or compromise. To address GDPR security regulations, marketers should:
- Enforce HTTPS for their entire website
- Support Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS) with a key size of at least 2048 bits instead of SSL (Secure Sockets Layer) version 3
Marketers should also use the most secure cipher available. The list of cipher suites supported by TLS continues to expand, so be sure to check https://www.owasp.org for the latest recommendation. The Open Web Application Security Project (OWASP) currently recommends using “Elliptic Curve Diffie-Hellman Exchange (ECDHE) and Galois/Counter Mode (GCM) ciphers instead of static RSA (Rivest–Shamir–Adleman) key exchange and Cipher block chaining (CBC) ciphers.”
All network connections between your web server and backend systems that contain PII must occur over secure connections as well. This includes web services, databases, content delivery networks (CDNs), customer relationship management (CRM) systems, marketing automation systems, and, especially, third-party cloud systems.
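As an added example (not part of the original article or of Arke's tooling), the following Python script turns the checklist above into a repeatable check: it classifies cipher suite names the way the OWASP quote does (ephemeral ECDHE key exchange, GCM or other AEAD ciphers rather than static RSA and CBC) and builds a server-side `ssl.SSLContext` that refuses SSLv3 and the older TLS versions and only offers suites that pass. Treating ChaCha20-Poly1305 and DHE as acceptable is this example's generalization of the quoted guidance; the exact suites listed depend on the local OpenSSL build.

```python
"""Audit TLS cipher suites against the OWASP guidance quoted above.

Assumptions (this example's own, not from the article): suite names are in
IANA form (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) or OpenSSL form
(ECDHE-RSA-AES128-GCM-SHA256, AES128-SHA); Python 3.7+ with OpenSSL 1.1.1+.
"""
import ssl

AEAD_TOKENS = ("GCM", "CHACHA20", "CCM")   # AEAD modes; anything else is CBC-style


def classify(suite: str) -> list:
    """Return the problems with one cipher suite name, or [] if it is acceptable."""
    n = suite.upper()
    problems = []
    # TLS 1.3 suites carry no key-exchange token: the exchange is always ephemeral.
    tls13 = n.startswith("TLS_AES_") or n.startswith("TLS_CHACHA20_")
    # OpenSSL names such as AES128-SHA omit the "RSA" token for static RSA exchange.
    ephemeral = tls13 or "ECDHE" in n or "DHE" in n
    if not ephemeral:
        problems.append("non-ephemeral key exchange (static RSA or similar)")
    if not tls13 and not any(t in n for t in AEAD_TOKENS):
        problems.append("CBC or other non-AEAD cipher")
    return problems


def audit(suites) -> dict:
    """Map each offending suite name to its list of problems."""
    result = {}
    for s in suites:
        p = classify(s)
        if p:
            result[s] = p
    return result


def hardened_server_context() -> ssl.SSLContext:
    """Server context following the checklist: no SSLv3 (nothing below TLS 1.2),
    only ECDHE key exchange with AEAD ciphers. TLS 1.3 suites are added by OpenSSL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # OpenSSL cipher-string syntax
    return ctx


def context_problems(ctx: ssl.SSLContext) -> dict:
    """Audit every suite the context can actually negotiate."""
    return audit(c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    # Constructed sample list mixing acceptable and legacy suites.
    print(audit(["TLS_RSA_WITH_AES_128_CBC_SHA", "ECDHE-RSA-AES256-SHA384",
                 "ECDHE-ECDSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384"]))
    print("hardened context problems:", context_problems(hardened_server_context()))
```

Running the script against a permissive context (`set_ciphers("ALL")`) instead of the hardened one shows which legacy suites a default build would still negotiate.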
Marketers Must Encrypt Data
Additionally, all PII stored in files or databases must be encrypted. This means marketers now need to enable file system encryption at every point possible.
Some systems such as SQL Server offer transparent data encryption. Others, however, do not. In that case, marketers will have to enable file system encryption within their operating systems.
The following table provides recommendations for meeting data security requirements in common marketing technology platforms. Platforms hosted by cloud providers, including Salesforce or Marketo, already require secure connections and encrypt their data at rest.
| System | Network Connection | Data at Rest |
|---|---|---|
| SQL Server | SSL | Transparent Data Encryption feature in SQL Server 2008 or newer |
Systems like Redis are designed for performance over security, so the question of the performance impact of encrypted file systems may arise. Patrick Perrone, a Sitecore MVP and Sitecore Practice Director at Arke, said, “On Redis, encrypted file system tax will be on the order of a few milliseconds … Redis is mostly memory bound.”
For MongoDB, we recommend using a cloud provider such as mLab or Object Rocket. These options greatly simplify your environment with a managed Platform-as-a-Service (PaaS). Both also offer data encryption at rest.
Test and Document Your Security
Before going live, test your system to make sure it complies with all data security requirements. You should maintain the testing results documentation for the duration of your system. It’s also a good practice to retest periodically.
Next, as you prepare for a data protection strategy — back to your data map and data flow from part two in this series — expand your documentation to track the data fields that are contained in each system, and note which of those contain PII.
It’s important to have governance over the location of PII in your systems. In part four of this series, we’ll discuss the importance of being able to delete the PII for a particular visitor.
Data Protection Guidelines
Be prepared to document and discuss the location of your servers with your legal team. That’s because the GDPR restricts the countries in which EU data is permitted to reside. The data is allowed to be stored in all EU countries. It is also permitted to reside in other countries offering an “adequate” level of data protection.
The European Commission has so far recognized Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework). Adequacy talks are ongoing with Japan and South Korea.
If your website tracks visitor behavior and your business intends to engage EU customers, build a GDPR-compliant system.
By keeping your servers with PII in the allowed countries and applying GDPR to all website visitors regardless of their location, you’ll reduce your potential liabilities and increase trust with your site visitors.
(We’ll explore data retention, the right to be forgotten, data access requests, and preference management in the next part of this series.)
For More Information
- How to Cope With GDPR: New EU Data Law Promises Big Changes for Marketers
- Consent and Data Governance
- Data Security & International Transfers
- Data Retention, Erasure, Access Requests, Preference Management
- The GDPR Is Here: Is Your Site Still Accessible in the EU?
Arke is providing these articles for informational purposes only. They are not intended to provide, and should not be relied on, for legal advice. Do you want to learn more about GDPR compliance? Email Eric Stoll for more information.
Atlanta-based Arke develops strategies and implements digital technologies for better brand experience for your customers.